Endpoint Protection

  • 1.  confusion about app control rule - which is BEST method????

    Posted Mar 29, 2010 09:57 AM
    I know this is a huge question for others as well!!

    I've got my app control rules that prevent certain things from happening in the user profile area.
    However, I need to allow SOME things to access, create or run files in the user profile area.
    Good example is Word and Outlook need to be able to create HTML files for use as email signatures.
    Some applications, like "webinar" apps need to install files in the user profile area. I need to allow this.
    There are two ways that I see, and it's confusing!
    I can create the rule, and say "prevent * from accessing these areas" then below, create the specific exceptions.
    OR, I can do like in this image, do a two level thing where the top defines things I want to run or allow, and the bottom does the blocking.
    HOWEVER, I'm unclear - WHICH do I choose and how............
    In this image here, do I choose "continue processing other rules" or, do I choose "allow access" and what the @!#$ is the difference?????
    Say I want to put winword.exe at the top, and have SEP ignore it, which would I choose of the above?
    Or, do I simply create a single level rule, say apply to * then below say do not apply to word?
    Which is better or preferred, what are the differences????????
    Looks like 10 ways to get the same thing, but it seems, it's not working the way I have it here! SEP still blocks these things unless lower down, I say do not apply to these.
    So here - do I choose allow access, or continue processing other rules?
    Seems I need to add them down below, too, in the next section........... help please!



  • 2.  RE: confusion about app control rule - which is BEST method????

    Posted Mar 29, 2010 10:00 AM
    Seems if I do not add word here, as well, it doesn't allow Word. So do I need the upper section, or simply put word here in the "do not apply" section?
    Which is best?

    Why would one use the method of having two rules in this, the upper supposed to allow, if there's this method here?
    And again, if I use the above method, do I choose allow, or continue processing other rules?



  • 3.  RE: confusion about app control rule - which is BEST method????

    Posted Mar 29, 2010 02:08 PM
    Hey ShadowsPapa, first thanks for the input in the forums. I've found several of your posts far more informative than the "Official" opining of Sym Support. 

    Secondly, I'm having the same behavior on my end. I was using your packages from another post and first noticed the conflict when I was testing Chrome support. While we don't officially support Chrome, our developers need it for website QA testing.

    If I add it in both the "Apply to" portion of my allow rule AND the "Do not apply to" portion of my block, it works as expected. But if I Allow in one place and Block the other and only put the process on one of the rules, the block always takes precedence.

    To answer the "Continue processing" versus allow debate, my experience has been I use "Continue Processing" in my debug rules when I just want to track what is accessing a resource without modifying permissions. I enable logging for those rules and thus am able to enable and disable my debug rules at will without crippling security or compatibility.