Best practices for adding application control rules
You should plan your custom application control rules carefully. When you add application control rules, keep in mind the following best practices.
Consider the rule order
Application control rules work similarly to most network-based firewall rules in that both use the first rule match feature. When multiple conditions are true, the first rule is the only one that is applied unless the action that is configured for the rule is to
Continue processing other rules.
You want to prevent all users from moving, copying, and creating files on USB drives.
You have an existing rule with a condition that allows write access to a file named Test.doc. You add a second condition to this existing rule set to block all USB drives. In this scenario, users are still able to create and modify a Test.doc file on USB drives. The
Allow accessto Test.doc condition comes before the
Block accessto USB drives condition in the rule set. The
Block accessto USB drives condition does not get processed when the condition that precedes it in the list is true.
Use the right action
Terminate Process Attemptscondition allows or blocks an application's ability to terminate the calling process on a client computer.
The condition does not allow or prevent users from stopping an application by the usual methods, such as clicking Quit from the File menu.
Process Explorer is a tool that displays the DLL processes that have opened or loaded, and what resources the processes use.
You might want to terminate Process Explorer when it tries to terminate a particular application.
Terminate Process Attemptscondition and the
Terminate processaction to create this type of rule. You apply the condition to the Process Explorer application. You apply the rule to the application or applications that you do not want Process Explorer to terminate.
Use one rule set per goal
Create one rule set that includes all of the actions that allow, block, or monitor a given task.
You want to block write attempts to all removable drives and you want to block applications from tampering with a particular application.
To accomplish these goals, you should create two different rule sets instead of one rule set.
Terminate processaction sparingly
Terminate processaction kills the calling process when the process meets the configured condition.
Only advanced administrators should use the
Terminate processaction. Typically, you should use the
Block accessaction instead.
You want to terminate Winword.exe any time that any process launches Winword.exe.
You create a rule and configure it with the
Launch Process Attemptscondition and the
Terminate processaction. You apply the condition to Winword.exe and apply the rule to all processes.
You might expect this rule to terminate Winword.exe, but that is not what the rule does. If you try to start Winword.exe from Windows Explorer, a rule with this configuration terminates Explorer.exe, not Winword.exe. Users can still run Winword.exe if they launch it directly. Instead, use the
Block accessaction, which blocks the target process, or Winword.exe.
Test rules before you put them into production
Test (log only)option for rule sets logs the actions, and does not apply to the actions to the client computer. Run rules in test mode for some acceptable period of time before you switch them back to production mode. During this time period, review the Application Control logs and verify that the rules work as planned.
The test option reduces potential accidents you might make by not considering all possibilities of the rule. See: