Adding custom rules to Application Control
If the default rule sets do not meet your requirements, add new rule sets and rules. You can also modify the predefined rule sets that are installed with the policy.
- The rule set is the container that holds one or more rules that allow or block an action.
- The rules in the rule sets define one or more processes or applications. You can also exclude a process from being monitored.
- Each rule includes the conditions and the actions that apply to a given process or processes. For each condition, you can configure actions to take when the condition is met. You configure rules to apply to only certain applications, and you can optionally configure them to exclude other applications from having the action applied.
Use the following steps to add your own application rules:
- Step 4: Test the rules before you apply them to your production network. See:
Step 1: Add custom rule sets and rules to an Application Control policy (optional)
A best practice is to create a rule set that includes all of the actions that allow, block, and monitor a given task. Create multiple rule sets if you have multiple tasks. For example, if you want to block write attempts to all removable drives and also block applications from tampering with a specific application, create two rule sets. You can add and enable as many rule sets and rules as you need.
For example, BitTorrent is a communications protocol that is used for peer-to-peer file sharing and is not secure. BitTorrent distributes movies, games, music, and other files. BitTorrent is one of the simplest methods to distribute threats. Malware is hidden inside the files that are shared on peer-to-peer networks. You can use application control to block access to the BitTorrent protocol. You can also use peer-to-peer authentication and intrusion prevention. See:
Consider the order of the rules and their conditions when you configure them to avoid unexpected consequences. Typically, only advanced administrators should perform this task. See:
To add custom rule sets and rules to an Application Control policy
- Open an Application Control policy. See:
- In the Application Control panel, under the list of default rule sets, click Add. To modify a predefined rule set, select it and then click Edit. For example, to monitor the applications that access the BitTorrent protocol, select Block programs from running from removable drives [AC2].
- In the Add Application Control Rule Set dialog box, type a name and description for the rule set.
- Under Rules, select Rule 1, and on the Properties tab, type a meaningful name and description for the rule. To add an additional rule, click Add > Add Rule.
Step 2: Define the application or process for the rule (optional)
Each rule must have at least one application or process that it monitors on the client computer. You can also exclude certain applications from the rule.
To define the application or process for the rule
- With the rule selected, on the Properties tab, next to Apply this rule to the following processes, click Add.
- In the Add Process Definition dialog box, type the application name or process name, such as bittorrent.exe. If you apply the rule to all applications except for a given set of applications, then define a wildcard for all (*) in this step. Then list the applications that need to be exceptions next to Do not apply this rule to the following processes.
- Click OK. The Enable this rule check box is enabled by default. If you uncheck this option, the rule does not apply.
Step 3: Add conditions and actions to a rule (optional)
The conditions control the behavior of the application or process that attempts to run on the client computer. Each condition type has its own properties to specify what the condition looks for.
Each condition has its own specific actions to take on the process when the condition is true. Except for the Terminate process action, the actions always apply to the process that you define for the rule, and not the condition.
The Terminate process action terminates the caller process, that is, the application that made the request. The caller process is the process that you define in the rule and not the condition. The other actions act on the target process, defined in the condition.
Registry Access Attempts
Allows or blocks access to a client computer's registry settings.
File and Folder Access Attempts
Allows or blocks access to defined files or folders on a client computer.
Launch Process Attempts
Allows or blocks the ability to launch a process on a client computer.
Terminate Process Attempts
Allows or blocks the ability to terminate a process on a client computer. For example, you may want to block a particular application from being stopped.
The Terminate Process Attempts condition refers to the target process. For example, you can use the Terminate Process Attempts condition on Symantec Endpoint Protection or another important process, and then use the Terminate process action to kill the process that tries to kill Symantec Endpoint Protection.
Load DLL Attempts
Allows or blocks the ability to load a DLL on a client computer.
To add conditions and actions to a rule
- Under Rules, select the rule you added, click Add > Add Condition, and choose a condition. See: For example, click Launch Process Attempts to add a condition for when the client computer accesses the BitTorrent protocol.
- On the Properties tab, select the process that should or should not be launched:
- To specify a process to launch: Next to Apply to the following, click Add.
- To exclude a process from being launched: Next to Do not apply to the following processes, click Add.
- In the Add dialog box, type the process name, DLL, or registry key. For example, to add BitTorrent, type its file path and executable, such as: C:\Users\UserName\AppData\Roaming\BitTorrent. To apply a condition to all processes in a particular folder, a best practice is to use folder_name\* or folder_name\*\*. One asterisk includes all the files and folders in the named folder. Use folder_name\*\* to include every file and folder in the named folder plus every file and folder in every subfolder.
- On the Actions tab for the condition, select an action to take. For example, to block Textpad if it tries to launch Firefox, click Block access.
- Check Enable logging and Notify user, and add a message you want the client computer user to see. For example, type Textpad tries to launch Firefox.
- Click OK. The new rule set appears and is configured for test mode. You should test new rule sets before you apply them to your client computers.
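To make the matching semantics of Steps 2 and 3 concrete, here is an added model (not Symantec's code or its actual matching engine) of how a rule's caller process definition, a condition's target process definition, the folder_name\* versus folder_name\*\* wildcards, and the exclusion lists decide which action fires. It assumes that a bare executable name such as bittorrent.exe matches that executable in any folder, that comparisons are case-insensitive, and that the first matching condition wins; the Textpad/Firefox rule at the end is constructed from the page's own example.

```python
from dataclasses import dataclass


def path_matches(pattern: str, path: str) -> bool:
    """Match a Windows process path against an Application Control pattern.

    folder\\*     files and folders directly inside folder (one level only)
    folder\\*\\*  everything under folder, at any depth
    *            every process
    name.exe     (no backslash) that executable in any folder (assumption)
    anything else: exact, case-insensitive path comparison (assumption)."""
    pattern, path = pattern.lower(), path.lower()
    if pattern == "*":
        return True
    if pattern.endswith("\\*\\*"):
        return path.startswith(pattern[:-3])  # prefix keeps its trailing "\"
    if pattern.endswith("\\*"):
        rest = path[len(pattern) - 1:]  # what follows "folder\"
        return path.startswith(pattern[:-1]) and rest != "" and "\\" not in rest
    if "\\" not in pattern:
        return path.rsplit("\\", 1)[-1] == pattern
    return pattern == path


@dataclass
class Condition:
    kind: str                # e.g. "Launch Process Attempts"
    apply_to: tuple          # "Apply to the following" (target process patterns)
    do_not_apply_to: tuple = ()
    action: str = "Block access"


@dataclass
class Rule:
    apply_to: tuple          # "Apply this rule to the following processes" (caller)
    do_not_apply_to: tuple = ()
    conditions: tuple = ()
    enabled: bool = True     # "Enable this rule" check box


def _selected(patterns, excludes, path):
    return any(path_matches(p, path) for p in patterns) and not any(
        path_matches(p, path) for p in excludes)


def evaluate(rule: Rule, caller: str, kind: str, target: str):
    """Action of the first condition that fires, or None if the rule does not apply."""
    if not rule.enabled or not _selected(rule.apply_to, rule.do_not_apply_to, caller):
        return None
    for cond in rule.conditions:
        if cond.kind == kind and _selected(cond.apply_to, cond.do_not_apply_to, target):
            return cond.action
    return None


# Constructed from the page's example: block Textpad if it tries to launch Firefox.
TEXTPAD_RULE = Rule(apply_to=("textpad.exe",),
                    conditions=(Condition("Launch Process Attempts", ("firefox.exe",)),))
```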