Adding custom rules to Application Control

If the default rule sets do not meet your requirements, add new rule sets and rules. You can also modify the predefined rule sets that are installed with the policy.
  • The rule set is the container that holds one or more rules that allows or blocks an action.
  • The rules in the rule sets define one or more processes or applications. You can also exclude a process from being monitored.
  • Each rule includes the conditions and the actions that apply to a given process or processes. For each condition, you can configure actions to take when the condition is met. You configure rules to apply to only certain applications, and you can optionally configure them to exclude other applications from having the action applied.
Use the following steps to add your own application rules:
Step 1: Add custom rule sets and rules to an Application Control policy (optional)
A best practice is to create one rule set that includes all of the actions that allow, block, and monitor a given task, and to create separate rule sets when you have multiple tasks. For example, if you want to block write attempts to all removable drives and also block applications from tampering with a specific application, create two rule sets. You can add and enable as many rule sets and rules as you need.
For example, BitTorrent is a communications protocol that is used for peer-to-peer file sharing and is not secure. BitTorrent distributes movies, games, music, and other files. BitTorrent is one of the simplest methods to distribute threats. Malware is hidden inside the files that are shared on peer-to-peer networks. You can use application control to block access to the BitTorrent protocol. You can also use peer-to-peer authentication and intrusion prevention. See:
Consider the order of the rules and their conditions when you configure them to avoid unexpected consequences. Typically, only advanced administrators should perform this task. See:
To add custom rule sets and rules to an Application Control policy
  1. Open an Application Control policy. See:
  2. In the Application Control panel, under the list of default rule sets, click Add.
     To modify a predefined rule set, select it and then click Edit. For example, to monitor the applications that access the BitTorrent protocol, select Block programs from running from removable drives [AC2].
  3. In the Add Application Control Rule Set dialog box, type a name and description for the rule set.
  4. Under Rules, select Rule 1, and on the Properties tab, type a meaningful name and description for the rule.
     To add an additional rule, click Add > Add Rule.
Step 2: Define the application or process for the rule (optional)
Each rule must have at least one application or process that it monitors on the client computer. You can also exclude certain applications from the rule.
To define the application or process for the rule
  1. With the rule selected, on the Properties tab, next to Apply this rule to the following processes, click Add.
  2. In the Add Process Definition dialog box, type the application name or process name, such as bittorrent.exe.
     If you want the rule to apply to all applications except for a given set of applications, define a wildcard for all (*) in this step. Then list the applications that are exceptions next to Do not apply this rule to the following processes.
  3. Click OK.
     The Enable this rule check box is checked by default. If you uncheck this option, the rule does not apply.
Step 3: Add conditions and actions to a rule (optional)
The conditions control the behavior of the application or process that attempts to run on the client computer. Each condition type has its own properties that specify what the condition looks for.
Each condition has its own specific actions to take on the process when the condition is true. Except for the Terminate process action, the actions always apply to the process that you define for the rule, and not the condition.
The Terminate process action terminates the caller process, that is, the application that made the request. The caller process is the process that you define in the rule and not the condition. The other actions act on the target process, which is defined in the condition.
Actions taken by conditions
  • Registry Access Attempts: Allows or blocks access to a client computer's registry settings.
  • File and Folder Access Attempts: Allows or blocks access to defined files or folders on a client computer.
  • Launch Process Attempts: Allows or blocks the ability to launch a process on a client computer.
  • Terminate Process Attempts: Allows or blocks the ability to terminate a process on a client computer. For example, you may want to block a particular application from being stopped.
    The Terminate Process Attempts condition refers to the target process. If you use the Terminate Process Attempts condition on Symantec Endpoint Protection or another important process and then use the Terminate process action, the rule kills the process that tries to kill Symantec Endpoint Protection.
  • Load DLL Attempts: Allows or blocks the ability to load a DLL on a client computer.
To add conditions and actions to a rule
  1. Under Rules, select the rule you added, click Add > Add Condition, and choose a condition. See:
     For example, click Launch Process Attempts to add a condition for when the client computer accesses the BitTorrent protocol.
  2. On the Properties tab, select the process that should or should not be launched:
     • To specify a process to launch: next to Apply to the following entity, click Add.
     • To exclude a process from being launched: next to Do not apply to the following processes, click Add.
  3. In the Add entity Definition dialog box, type the process name, DLL, or registry key.
     For example, to add BitTorrent, type its file path and executable, such as:
     C:\Users\UserName\AppData\Roaming\BitTorrent
     To apply a condition to all processes in a particular folder, a best practice is to use folder_name\* or folder_name\*\*. One asterisk includes all the files and folders in the named folder. Use folder_name\*\* to include every file and folder in the named folder plus every file and folder in every subfolder.
  4. Click OK.
  5. On the Actions tab for the condition, select an action to take.
     For example, to block Textpad if it tries to launch Firefox, click Block access.
  6. Check Enable logging and Notify user, and add a message you want the client computer user to see.
     For example, type Textpad tries to launch Firefox.
  7. Click OK.
     The new rule set appears and is configured for test mode. You should test new rule sets before you apply them to your client computers.
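The following is an added example, not Symantec's code or part of the original page. It is a simplified stand-alone model of how the pieces described above fit together: a rule names the caller processes it applies to (with exclusions), each condition names the target entities it covers, and the action is taken on the caller for Terminate process and on the target for the other actions, as the page describes. The path matcher implements the page's wildcard convention (* for everything, folder_name\* for the folder's direct contents, folder_name\*\* for every subfolder as well). The class names, the "Allow"/"Block access"/"Terminate process" labels used as strings, the agent path C:\Program Files\ExampleAgent and the sample attempts are all constructed for this example; first-match evaluation in rule order is also an assumption, chosen to illustrate why rule order matters.

```python
# Added example: simplified model of Application Control rule evaluation.
# Not Symantec's code; names, paths and evaluation order are assumptions.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


def path_matches(pattern: str, path: str) -> bool:
    """Match a Windows path against one rule or condition pattern.

    Modelled on the page: '*' alone matches everything; 'folder\\*' matches
    the files and folders directly inside 'folder'; 'folder\\**' also matches
    everything in every subfolder. A pattern with no backslash (for example
    'bittorrent.exe') is compared with the file name only. Comparison is
    case-insensitive, as Windows paths are.
    """
    p, t = pattern.lower(), path.lower()
    if p == "*":
        return True
    if p.endswith("\\**"):
        return t.startswith(p[:-2])            # 'folder\\' prefix, any depth
    if p.endswith("\\*"):
        base = p[:-1]                          # 'folder\\' prefix, one level only
        return t.startswith(base) and "\\" not in t[len(base):]
    if "\\" not in p:
        return t.rsplit("\\", 1)[-1] == p      # bare executable name
    return t == p


@dataclass
class Condition:
    kind: str                                  # e.g. "Launch Process Attempts"
    apply_to: list[str]                        # target entities the condition covers
    action: str                                # "Block access" or "Terminate process" (assumed labels)
    do_not_apply_to: list[str] = field(default_factory=list)
    notify_message: str = ""                   # text shown when "Notify user" is checked


@dataclass
class Rule:
    name: str
    apply_to: list[str]                        # caller processes the rule applies to
    conditions: list[Condition]
    do_not_apply_to: list[str] = field(default_factory=list)
    enabled: bool = True                       # the "Enable this rule" check box


@dataclass
class Decision:
    rule: str
    action: str
    acted_on: str                              # process the action is taken against
    message: str


def _covered(patterns: list[str], entity: str) -> bool:
    return any(path_matches(p, entity) for p in patterns)


def evaluate(rules: list[Rule], caller: str, kind: str, target: str) -> Optional[Decision]:
    """Evaluate one attempt (caller process, condition kind, target entity).

    Rules are checked in order and the first matching condition wins (an
    assumption that shows why rule order matters). Following the page,
    Terminate process acts on the caller, the rule's process; the other
    actions act on the target, the condition's entity.
    """
    for rule in rules:
        if not rule.enabled:
            continue
        if not _covered(rule.apply_to, caller) or _covered(rule.do_not_apply_to, caller):
            continue
        for cond in rule.conditions:
            if cond.kind != kind:
                continue
            if _covered(cond.apply_to, target) and not _covered(cond.do_not_apply_to, target):
                acted_on = caller if cond.action == "Terminate process" else target
                return Decision(rule.name, cond.action, acted_on, cond.notify_message)
    return None                                # no rule applied: attempt is allowed


# Constructed sample rule set mirroring the page's two examples.
AGENT_DIR = "C:\\Program Files\\ExampleAgent\\**"          # placeholder path, assumed
SAMPLE_RULES = [
    Rule(name="Block Textpad from launching Firefox",
         apply_to=["textpad.exe"],
         conditions=[Condition(kind="Launch Process Attempts",
                               apply_to=["C:\\Program Files\\Mozilla Firefox\\*"],
                               action="Block access",
                               notify_message="Textpad tries to launch Firefox")]),
    Rule(name="Protect the endpoint agent",
         apply_to=["*"],                       # every caller ...
         do_not_apply_to=[AGENT_DIR],          # ... except the agent's own processes
         conditions=[Condition(kind="Terminate Process Attempts",
                               apply_to=[AGENT_DIR],
                               action="Terminate process")]),
]


def demo() -> list[Optional[Decision]]:
    """Run three constructed attempts through the sample rule set."""
    attempts = [
        ("C:\\Program Files\\TextPad\\textpad.exe", "Launch Process Attempts",
         "C:\\Program Files\\Mozilla Firefox\\firefox.exe"),      # blocked, user notified
        ("C:\\Windows\\explorer.exe", "Launch Process Attempts",
         "C:\\Program Files\\Mozilla Firefox\\firefox.exe"),      # no rule applies
        ("C:\\Tools\\killer.exe", "Terminate Process Attempts",
         "C:\\Program Files\\ExampleAgent\\bin\\agent.exe"),      # caller is terminated
    ]
    return [evaluate(SAMPLE_RULES, *attempt) for attempt in attempts]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The third attempt shows the caveat from the conditions table: the Terminate Process Attempts condition names the protected target, but the Terminate process action is applied to the caller that made the request. The exclusion on the second rule also shows why a rule that applies to * usually needs the protected application listed under Do not apply this rule to the following processes, otherwise the application's own housekeeping of its child processes would match.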