Data Center Security

  • 1.  Tuning a Policy

    Posted Jan 12, 2015 01:26 PM

    I want to start tuning a policy before I enable prevention mode. I created a new custom sandbox and want a particular process (i.e. process x) to write to anything under "C:\windows\system32\". I added a new entry under "file writes -> writable resources resource lists -> allow modifications to these files". In the resource path I added c:windows\system32\*. I thought the wildcard would include anything within system32; however, after reapplying the policy I still see events of process x trying to write to files within system32. Any ideas what I am doing wrong? Thanks in advance for your help and suggestions.

  • 2.  RE: Tuning a Policy

    Posted Jan 17, 2015 12:21 AM

    Hello, use c:windows\system32\*\* and check it will work this way. Regards



  • 3.  RE: Tuning a Policy

    Posted Feb 20, 2015 02:51 AM

    Hi,

    maybe you just forgot a backslash in your path: c:windows\system32\* -> c:\windows\system32\*

    The path should work this way. I don't think you have to use another wildcard as suggested by Outrageous, unless you only want to write to folders in the system32 folder and not to the system32 folder and the files there directly.

    Regards

  • 4.  RE: Tuning a Policy

    Posted Mar 06, 2015 09:29 AM

    Odds are you're bumping into the 'feature' Prevent the modification of Executables. An easy way to test is to have that process create a .txt file in the directory... if it can, then you have your path/variables set correctly.

    If that's the case, there are several strategies for allowing processes to modify executables, each with their own benefits/drawbacks.