Creating custom application control rules

Article: HOWTO55141 | Created: 2011-06-29 | Updated: 2011-12-16 | Article URL: http://www.symantec.com/docs/HOWTO55141
Article Type: How To



You might want to use custom application control rules when you set up application and device control.

See Setting up application and device control.

Table: Creating custom application control rules

Step 1: Plan the rule set

A new application rule set contains one or more administrator-defined rules. Each rule set and each rule has properties. Each rule can contain one or more conditions for monitoring applications and their access to specified files, folders, registry keys, and processes.

You should review best practices before you create custom rules.

See About best practices for creating application control rules.

You can also review the structure of the default rule sets to see how they are constructed.

Step 2: Create the rule set and add rules

You can create multiple rules and add them to a single application control rule set. You can delete rules from the rules list and change their position in the rule set hierarchy as needed. You can also enable and disable rule sets or individual rules within a set.

See Creating a custom rule set and adding rules.

See Typical application control rules.

You can copy and paste rule sets or individual rules within the same policy or between two policies. You might want to copy rules from policies that you download from Symantec or from test policies that contain rules that you want to use in production policies.

See Copying application rule sets or rules between Application and Device Control policies.

Step 3: Apply a rule to specific applications and exclude certain applications from the rule

Every rule must have at least one application to which it applies. You can also exclude certain applications from the rule. You specify the applications on the Properties tab for the rule.

See Applying a rule to specific applications and excluding applications from a rule.

Step 4: Add conditions and actions to rules

The condition specifies the operation that the application attempts and that you want to control.

You can set any of the following conditions:

  • Registry access attempts

  • File and folder access attempts

  • Launch process attempts

  • Terminate process attempts

  • Load DLL attempts

See Adding conditions and actions to a custom application control rule.

You can configure any of the following actions to take on an application when it meets the configured condition:

  • Continue processing other rules

  • Allow the application to access the entity

  • Block the application from accessing the entity

  • Terminate the application that is trying to access an entity

Note: Remember that actions always apply to the process that is defined for the rule. They do not apply to a process that you define in a condition.

Step 5: Test the rules

You should test your rules before you apply them to your production network.

Configuration errors in the rule sets that are used in an Application and Device Control policy can disable a computer or a server. The client computer can fail, or its communication with Symantec Endpoint Protection Manager can be blocked.

See Testing application control rule sets.

After you test the rules, you can apply them to your production network.
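The following added example is a simplified Python model of Steps 3 through 5 and the Note in Step 4. It is not Symantec's engine or policy format. All class, function, and condition-kind names are hypothetical, and the top-down, default-allow evaluation order and the wildcard matching are assumptions of the model.

```python
# Simplified model (added example): NOT Symantec's engine or policy format.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

CONTINUE, ALLOW, BLOCK, TERMINATE = "continue", "allow", "block", "terminate"

@dataclass
class Condition:
    kind: str      # hypothetical names: "registry", "file", "launch", "load_dll"
    target: str    # wildcard pattern for the entity being accessed
    action: str

@dataclass
class Rule:
    name: str
    applies_to: list                    # Step 3: processes the rule applies to
    conditions: list                    # Step 4: conditions, each with an action
    exclude: list = field(default_factory=list)
    enabled: bool = True

    def covers(self, process):
        hit = lambda pats: any(fnmatchcase(process.lower(), p.lower()) for p in pats)
        return self.enabled and hit(self.applies_to) and not hit(self.exclude)

def evaluate(rules, process, kind, entity):
    """Return (action, rule name, process the action is applied to)."""
    for rule in rules:                  # assumption: rules are evaluated top-down
        if not rule.covers(process):
            continue
        for cond in rule.conditions:
            if cond.kind == kind and fnmatchcase(entity.lower(), cond.target.lower()):
                if cond.action == CONTINUE:
                    break               # fall through to the next rule
                # Per the Note: the action lands on the rule's process
                # (the caller), never on the entity named in the condition.
                return cond.action, rule.name, process
    return ALLOW, None, process         # assumption: no match means allowed

# Constructed test rule set (Step 5: dry-run sample events before production).
RULES = [
    Rule("log office launches", ["winword.exe"], [Condition("launch", "*", CONTINUE)]),
    Rule("no shells from office", ["winword.exe", "excel.exe"],
         [Condition("launch", "*\\cmd.exe", TERMINATE)]),
    Rule("protect hosts file", ["*"],
         [Condition("file", "*\\drivers\\etc\\hosts", BLOCK)], exclude=["svchost.exe"]),
]
```

Running constructed events for critical system processes through such a model before deployment shows which process an overly broad "applies to" pattern would block or terminate.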


Legacy ID: v36348766_v59371754

