Endpoint Protection

  • 1.  Application Control Rule construction

    Posted Oct 02, 2013 04:23 AM

    I need to create an Application Control rule allowing users to run applications only from the "Windows" folder and the "Program Files" folder (and all levels of subdirectories). I have started with an application rule blocking everything (*), then started adding exclusions like %windir%\*\*\* %ProgramFiles%\*\*\* %ProgramFiles(x86)%\*\*\* and also \\*\*\*\* to allow running things from fileserver shares. The results are ambiguous. Some apps from the "Program Files" folder are getting blocked despite the exclusions. Is "%windir%\*" the same as "%windir%\*\*\*\*"? Any good advice on how to accomplish this correctly? Thanks.



  • 2.  RE: Application Control Rule construction

    Broadcom Employee
    Posted Oct 02, 2013 04:54 AM

    Are you looking for only specific applications to be run? If yes, can you consider System Lockdown?

    About system lockdown

    http://www.symantec.com/business/support/index?page=content&id=HOWTO27322

    Configuring system lockdown

    http://www.symantec.com/business/support/index?page=content&id=HOWTO55130

    Enabling system lockdown to block unapproved applications

    http://symantec.com/docs/HOWTO55132



  • 3.  RE: Application Control Rule construction

    Posted Oct 02, 2013 05:44 AM

    Hello,

    Try with only one \* and let us know; it should be enough.



  • 4.  RE: Application Control Rule construction

    Posted Oct 02, 2013 09:14 AM

    %windir%\* only affects the files in the %windir% directory while %windir%\*\* covers all the files in %windir% and in its folders, subfolders, sub-subfolders ...

    So if you choose %windir%\*\* as an exclusion, blocking won't work because the access to all files is allowed.
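A small model of the wildcard semantics post 4 describes, added here as an example to show which of the poster's paths each pattern actually covers. This is not Symantec code: the environment table is constructed, and the rule that a single `*` stays within one path component while a trailing `\*\*` matches any depth below the directory is an assumption taken from the thread, not from product documentation.

```python
import re

# Constructed environment table; on a real endpoint these come from the OS.
ENV = {
    "windir": r"C:\Windows",
    "ProgramFiles": r"C:\Program Files",
    "ProgramFiles(x86)": r"C:\Program Files (x86)",
}


def expand(pattern: str) -> str:
    """Replace %VAR% tokens with their constructed values."""
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1), m.group(0)), pattern)


def to_regex(pattern: str) -> re.Pattern:
    """Assumed semantics (from the thread): '*' never crosses a backslash,
    and a pattern ending in '\\*\\*' covers the directory tree at any depth."""
    p = expand(pattern)
    recursive = p.endswith(r"\*\*")
    if recursive:
        p = p[:-4]  # drop the trailing '\*\*'
    body = "".join(r"[^\\]*" if ch == "*" else re.escape(ch) for ch in p)
    if recursive:
        body += r"\\.+"  # anything below the directory, subfolders included
    return re.compile("^" + body + "$", re.IGNORECASE)


def matches(pattern: str, path: str) -> bool:
    """True if the path is covered by the exclusion pattern."""
    return to_regex(pattern).match(path) is not None


def allowed(path: str, exclusions: list[str]) -> bool:
    """A block-everything rule lets the path run only if an exclusion covers it."""
    return any(matches(p, path) for p in exclusions)


def evaluate(paths: list[str], exclusions: list[str]) -> dict[str, bool]:
    """Map each constructed sample path to whether the policy would allow it."""
    return {path: allowed(path, exclusions) for path in paths}


if __name__ == "__main__":
    samples = [r"C:\Windows\notepad.exe", r"C:\Windows\System32\cmd.exe",
               r"C:\Program Files\Vendor\app.exe", r"C:\Users\alice\Downloads\x.exe"]
    for rules in ([r"%windir%\*", r"%ProgramFiles%\*"], [r"%windir%\*\*", r"%ProgramFiles%\*\*"]):
        print(rules, evaluate(samples, rules))
```

Under this model the single `\*` exclusions leave `C:\Program Files\Vendor\app.exe` blocked, which is the symptom in the first post, while the `\*\*` forms allow it and still block the Downloads path.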