Endpoint Protection

  • 1.  Application policy not blocking file writing

    Posted Apr 08, 2010 12:40 PM
    Should a properly set up Application and Device Control policy prevent a logged-on user from creating a file in the specified folder?  As a first-time test, I created an App policy to block the write attempt of a text file (c:\temp\*.txt).  However, when I log on to the client I can still create a .txt file under c:\temp.  The policy is enabled and set to production (I'm working in a VM test environment).

    I'm just trying to test settings to see if a file can be blocked from being written in a certain folder.  I'm not sure if the Application policy for File and Folder Access Attempts applies only to a process that attempts to write a file, or if it will also work when tested by a user attempt to write a file.  If it only works for a process, then how do you test that it's working?

    Attached is the test policy, any help is appreciated.




  • 2.  RE: Application policy not blocking file writing

    Posted Apr 08, 2010 01:06 PM
    Yes, there is communication between the SEPM server and the client.  I presume so because the client is getting current defs.


  • 3.  RE: Application policy not blocking file writing

    Posted Apr 08, 2010 01:07 PM
    First question would be are you sure the client has the latest policy?

    Replace c:\temp\*.txt

    with

    %userprofile%\temp\*.txt


  • 4.  RE: Application policy not blocking file writing

    Posted Apr 08, 2010 01:09 PM
    Ensure the policy number in the client matches what's in the SEPM.


  • 5.  RE: Application policy not blocking file writing

    Posted Apr 08, 2010 01:13 PM
    I was just looking at that.  Help and Support, Troubleshooting, policy serial number... Yes, the policy on the client matches the policy shown for the client in the SEPM console under Clients, View Clients... and looking at the Client status view.


  • 6.  RE: Application policy not blocking file writing

    Posted Apr 08, 2010 01:14 PM
    Try this:

    Replace c:\temp\*.txt

    with

    %userprofile%\temp\*.txt

    Update the policy on the client and try it again.




  • 7.  RE: Application policy not blocking file writing

    Posted Apr 08, 2010 01:50 PM

    I made that change (%userprofile%\temp\*.txt).  I had to create a folder named temp under C:\Documents and Settings\username because it didn't exist.  However after that, yes I could still create a text document under C:\Documents and Settings\username\temp.

    Thanks for your help Brian81, but I'm gonna "take a break" and get ready to watch that SEP to stop fake AV webinar.



  • 8.  RE: Application policy not blocking file writing

    Posted Apr 08, 2010 02:02 PM

    Yep, I'm on the webinar as well!


  • 9.  RE: Application policy not blocking file writing
    Best Answer

    Posted Apr 12, 2010 01:24 PM
    The Application and Device Control policy was not working because I did not have Network Threat Protection (and hence did not have Application and Device Control) installed on the client.

    I originally had deployed only:
    • Antivirus and Antispyware
    • Proactive Threat Protection
    I could have done a better job of searching the forums because NOW I found similar posts to this.  Sorry about that.

    Under Add/Remove Programs, it's easier to understand the dependencies of what needs to be installed.  Application and Device Control is part of Proactive Threat Protection.  But just because you choose to install Proactive Threat Protection does not automatically install Application and Device Control.  Here's a screenshot: