Setting up application control
Application control allows or blocks the defined applications that try to access system resources on a client computer. You can allow or block access to certain registry keys, files, and folders. You can also define which applications are allowed to run, which applications that cannot be terminated through irregular processes, and which applications can call DLLs.
Use the following steps to set up application control on a group of client computers.
Open a policy and enable default application control rule sets
Application Control policies contain predefined rule sets, which are disabled by default. You can enable any sets that you need, and apply the policy to a group. The predefined rule sets are configured in production mode rather than test mode. However, you should change the setting to test mode and test the rules in your test network before you apply them to your production network. See:
Add additional application control rules (optional)
If the default rule sets do not meet your requirements, add new rule sets and rules. Typically, only advanced administrators should perform this task. See:
Add exceptions for applications
Application control injects code in some applications to examine them, which can slow applications that run on the computer. If necessary, you can exclude some applications from application control. You use an Exceptions policy to add file exceptions or folder exceptions for application control. See:
View the Application Control logs
If you are testing a new policy or are troubleshooting an issue, you should monitor application control events in the log.
In both test mode and production mode, application control events are in the Application Control log in
Symantec Endpoint Protection Manager. On the client computer, application control and device control events appear in the Control log.
You might see duplicate or multiple log entries for a single application control action. For example, if explorer.exe tries to copy a file, it sets the write and delete bits of the file's access mask.
Symantec Endpoint Protectionlogs the event. If the copy action fails because an application control rule blocks the action, explorer.exe tries to copy the file by using only the delete bit in the access mask.
Symantec Endpoint Protectionlogs another event for the copy attempt. See:
Prevent or allow users from enabling or disabling application control (optional)
In rare cases, application control might interfere with some safe applications that run on client computers. You might want to allow users to disable this option to troubleshoot problems. In the mixed mode or client mode, use the
Allow user to enable and disable the application device controlsetting in the
Client User Interface Settingsdialog. See:
You can also use system lockdown to allow approved applications or block unapproved applications on the client computers. See: