Endpoint Protection

  • 1.  Not sure about System Lockdown

    Posted Apr 08, 2016 03:07 PM

    Due to the dramatic uptick in ransomware infections, I've been tasked with locking down our (Windows 7 SP1 64-bit) laptops so that no unapproved/unknown applications can run. I updated our SEP server and clients to the latest version (12.1.6) and have created a test group with a small number of clients. Running in Whitelist mode with 'Test Before Removal', I've taken Fingerprint files on each of them and have tried both to add them individually, and also to add them to the default File Fingerprint List. I'm having mixed results....

    On one hand, I have a workstation that was having a common .exe blocked, so I re-ran and re-added its fingerprint file - so far, so good. On the other hand, the list of Unapproved Applications is upwards of 550 exceptions in less than five minutes, though I'm not seeing any notifications pop up. If the File Fingerprint list has been run and included for every client in this group, why are there so many exclusions? Pretty frustrating for sure.


    Thanks!



  • 2.  RE: Not sure about System Lockdown
    Best Answer

    Posted Apr 08, 2016 06:44 PM

    This typically happens when files are updated, virus definitions, patches, etc. I see this all the time with System Lockdown. For me it's usually 2-4 weeks running in test mode before applying in prod. You can create an auto-update list if you wish:

    Automatically updating whitelists or blacklists for system lockdown
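    An added illustration of why the unapproved count keeps climbing after updates, as the answer above describes. This is constructed example code, not SEP's fingerprint file format or any tool from the original thread; it assumes a fingerprint list is simply a map of path to SHA-256 over a small constructed directory tree.

    ```python
    import hashlib
    import tempfile
    from pathlib import Path

    # Assumption (not SEP's real format): a fingerprint list is {relative path: SHA-256 hex}.
    EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys"}


    def sha256_of(path):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()


    def fingerprint_tree(root):
        """Hash every executable under root, like taking a client's fingerprint file."""
        root = Path(root)
        return {p.relative_to(root).as_posix(): sha256_of(p)
                for p in root.rglob("*") if p.suffix.lower() in EXECUTABLE_SUFFIXES}


    def unapproved(approved, current):
        """Paths whose hash is absent from the approved list. Whitelisting matches on
        content hash, so a patched binary at an already-approved path still counts as
        unapproved, as does any file dropped by a definitions update."""
        allowed = set(approved.values())
        return sorted(path for path, digest in current.items() if digest not in allowed)


    def simulate_patch_cycle():
        """Constructed scenario: the baseline tree is whitelisted, then a patch rewrites
        one DLL and an update drops a new file. Returns (unapproved before, after)."""
        with tempfile.TemporaryDirectory() as tmp:
            root = Path(tmp)
            (root / "app").mkdir()
            (root / "app" / "tool.exe").write_bytes(b"MZ tool v1")
            (root / "app" / "helper.dll").write_bytes(b"MZ helper v1")
            (root / "app" / "readme.txt").write_bytes(b"not an executable, ignored")
            baseline = fingerprint_tree(root)                      # the fingerprint file
            before = unapproved(baseline, fingerprint_tree(root))  # nothing unapproved yet
            (root / "app" / "helper.dll").write_bytes(b"MZ helper v2")    # patched in place
            (root / "app" / "defs.dll").write_bytes(b"MZ new definitions")  # new file
            after = unapproved(baseline, fingerprint_tree(root))
            return before, after


    if __name__ == "__main__":
        print(simulate_patch_cycle())  # → ([], ['app/defs.dll', 'app/helper.dll'])
    ```

    Re-fingerprinting after each patch cycle (or the auto-update list linked above) is what keeps the baseline in step with the clients.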



  • 3.  RE: Not sure about System Lockdown

    Posted Apr 11, 2016 11:54 AM

    Thanks Mark! Oh, so Test mode is what the 'Test Before Removal' checkbox is for, I get it. We've been running a handful of laptops for several days and it's up to 34,000 exceptions! I'm not sure what I'm to do with that information.