I've been doing testing on System LockDown using Whitelist Mode Application Lists.
Instead of using an automatically generated File Fingerprint List I'm just letting the system run in Log Unapproved Applications mode for a few days.
When I review the test client's Control Log for events titled LockDown and add an individual exception from the Target column using a wildcard format, I'm not seeing the expected changes.
ADD FILE DEFINITION
The name can include environment variables, wildcards (*, ?), and registry keys.
Examples: %windir%\system32\* or C:\windows\*.exe
File Name To Match: %LOCALAPPDATA%\GoToMeeting\*\*
Use Wildcard Matching (* and ? supported): Enabled
Only Match Files on the Following Drive Types: Enabled
    Local Fixed Disk Drive: Enabled
Can someone tell me why this Individual File Name exception isn't working as expected? I'm still getting the entry below as Blocked by LockDown.
CONTROL LOG ENTRY
Date and Time: 10/4/2017 3:34:00 PM
Severity: 1
Action: Block
Test Mode: Test Mode
Description: System Lockdown - Caller MD5=36f670d89040709013f6a460176767ec - Target Arguments=""
API: Create Process
Rule Name: LockDown
IP Address: 10.10.18.134
Caller Process ID: 1796
Caller Process: C:\Windows\System32\svchost.exe
Device Instance ID: SCSI\Disk&Ven_ATA&Prod_WDC_...
Target: C:\Users\BWLabUser\AppData\Local\GoToMeeting\7716\g2mupdate.exe
File Size: 31,808 Bytes
User: SYSTEM
User Domain: BWLab
Location: Default
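An added illustration, not part of the original post and not Symantec's code, of one check worth running against this log entry: whether the environment variable in the pattern can expand to the path that was actually logged. The Caller Process is svchost.exe and the User is SYSTEM, and under the SYSTEM account %LOCALAPPDATA% resolves to the systemprofile directory rather than BWLabUser's profile. Whether the agent expands the variable in the caller's context is an assumption made here for the sake of the example, not something the post establishes; the matcher below is a simplified stand-in for the product's wildcard logic (segment-scoped * and ?, case-insensitive), and USER_ENV, SYSTEM_ENV and matches() are constructed names.

```python
import re
from typing import Dict

# Values copied from the post: the file-definition pattern and the blocked Target.
PATTERN = r"%LOCALAPPDATA%\GoToMeeting\*\*"
TARGET = r"C:\Users\BWLabUser\AppData\Local\GoToMeeting\7716\g2mupdate.exe"

# Constructed environment blocks. The first is the logged-on user's; the second is
# the value the SYSTEM account sees. Assumption: the agent expands %VAR% in the
# context of the caller (svchost.exe running as SYSTEM in the log entry above).
USER_ENV = {"LOCALAPPDATA": r"C:\Users\BWLabUser\AppData\Local"}
SYSTEM_ENV = {"LOCALAPPDATA": r"C:\Windows\System32\config\systemprofile\AppData\Local"}


def expand_env(pattern: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references from the supplied environment block.

    Unknown variables are left untouched, mirroring ExpandEnvironmentStrings.
    """
    def sub(m: "re.Match[str]") -> str:
        return env.get(m.group(1).upper(), m.group(0))
    return re.sub(r"%([^%]+)%", sub, pattern)


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a * / ? wildcard pattern into an anchored, case-insensitive regex.

    Assumption: wildcards do not cross a backslash, so '*' matches one path
    segment at most and everything else in the pattern is literal.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(r"[^\\]*")
        elif ch == "?":
            parts.append(r"[^\\]")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches(pattern: str, path: str, env: Dict[str, str]) -> bool:
    """True if the expanded wildcard pattern matches the full path."""
    return glob_to_regex(expand_env(pattern, env)).match(path) is not None


def diagnose(pattern: str = PATTERN, target: str = TARGET) -> Dict[str, bool]:
    """Evaluate the same pattern under each expansion context plus a literal variant."""
    return {
        "user_context": matches(pattern, target, USER_ENV),
        "system_context": matches(pattern, target, SYSTEM_ENV),
        "no_expansion": matches(pattern, target, {}),
        # Constructed alternative with no environment variable at all.
        "literal_pattern": matches(r"C:\Users\*\AppData\Local\GoToMeeting\*\*", target, {}),
    }


if __name__ == "__main__":
    for name, result in diagnose().items():
        print(f"{name:16} {'match' if result else 'no match'}")
```

The pattern matches the logged Target only when %LOCALAPPDATA% expands to the BWLabUser profile; expanded under SYSTEM, or not expanded at all, it does not. The last case shows that a pattern with a wildcard in the user-name segment and no environment variable matches the same Target regardless of who the caller is, which is a quick way to separate an expansion problem from a wildcard-syntax problem when reviewing the Control Log.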