Application Control Questions

RickJDS

1) What are the built-in Application Control Rules in SEPM MR4 MP2 (detailed rules if possible)?

2) What is this:

[image]

sandip_sali

Hi,

Please refer to the notes below and let us know whether it helped.

Application Control: Application Control Rule Sets

Use this page to view and manage application control rule sets for the selected Application and Device Control Policy. An application control rule set contains the rule conditions that monitor for specified files, folders, and processes. You can create or modify collections of rules for the selected policy.

Table: Application Control Rule Sets shows the hardware device protection rules list.

Table: Application Control Rule Sets
Option | Description
Enabled | Shows whether this collection of rules is in use or not. Uncheck this option to disable the corresponding rule set in the policy.
Rule Sets | The name of a collection of rules for this policy. You can have multiple collections of rules in one policy.
Test/Production | Whether this collection of rules is in Test (log only) mode or in Production mode. Test mode lets you apply this collection of rules to devices without modifying the behavior of those devices. You can then examine the generated log. When you first create a collection of rules for a policy, the mode is Test (log only). To change the mode to Production, under Test/Production for the collection of rules that you want to change, select Production from the drop-down menu.

Symantec Endpoint Protection Manager contains four default Application Control Rule Sets.

Default Application Control Rule Sets:
Make all removable drives read-only
Block programs from running on removable drives
Block applications from running
Protect client files and registry keys

Hardware Device Protection Policy: Device Blocking

You can add or delete devices to block or exclude from blocking.
Note: The list in the Devices Excluded From Blocking table does NOT show all of the allowed devices. This list shows the exceptions to the Blocked Devices list.

Table: Device blocking options describes the device blocking options.

Table: Device blocking options
Group or option | Description
Device Name | The name of the device that is blocked or excluded from blocking. You can add or delete devices from this list.
Device ID | The ID of the device that is blocked or excluded from blocking.
Log blocked devices | When this option is enabled, an entry is added to the security log whenever a device is blocked. This option is enabled by default.
Notify users when devices are blocked | When this option is enabled, a message is sent to clients that try to use devices that are not allowed by this policy. If you enable this option, you should click Specify Message Text to create the message. This option is disabled by default.

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008032010523548

Thanks & Regards

Sandip C Sali

RickJDS

Built-in not Default

Hi Sandip,

Thanks for the response.  I'm looking for the Built-in rules, not Default.  There is the default policy for Application and Device Control called "Application and Device Control Policy" and it contains the default rules you mentioned but it is not applied to any of my groups.  That being said, see the example I posted above and let me know where I can find the "built-in" rules.  Thanks!