Testing application control rules

After you add application control rules, you should test them in your network. Configuration errors in the rule sets that are used in an Application Control policy can disable a computer or a server. The client computer can fail, or its communication with Symantec Endpoint Protection Manager can be blocked. After you test the rules, apply them to your production network.
Step 1: Set the rule set to test mode
You test rule sets by setting the mode to test mode. In test mode, a rule that would have matched creates a log entry to indicate when it would have been applied, without actually applying the rule.
Default rule sets use production mode by default. Custom rule sets use test mode by default. You should test both default and custom rule sets.
You might want to test rules within the set individually. You can test individual rules by enabling or disabling them in the rule set.
To change a rule set to test mode:
  1. In the console, open an Application and Device Control policy.
  2. Under Application Control Policy, click Application Control.
  3. In the Application Control Rule Sets list, click the drop-down arrow in the column for the rule set, and click Test (log only).
Step 2: Apply the Application and Device Control policy to computers in your test network
If you created a new Application and Device Control policy, apply the policy to clients in your test network.
Step 3: Monitor the Application Control log
After you run your rule sets in test mode for a period of time, check the logs for any errors. In both test mode and production mode, application control events are in the Application Control log in Symantec Endpoint Protection Manager. On the client computer, application control and device control events appear in the Control log.
You might see duplicate or multiple log entries for a single application control action. For example, if explorer.exe tries to copy a file, it sets the write and delete bits of the file's access mask. Symantec Endpoint Protection logs the event. If the copy action fails because an application control rule blocks the action, explorer.exe tries to copy the file by using only the delete bit in the access mask. Symantec Endpoint Protection logs another event for the copy attempt.
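When you review a test-mode log, the duplicate entries described above make it harder to see which actions a rule set would actually block. The following script is an added example, not part of Symantec's documentation: it parses a constructed, simplified CSV-style export (the column layout and the action and mode strings are assumptions for illustration; a real Application Control log export has its own layout, so adapt the parser), collapses repeated entries for the same process, target and action that fall within a short window (the explorer.exe write-and-delete attempt followed by its delete-only retry), and lists the process/file pairs that would have been blocked had the rule set been in production mode.

```python
"""Collapse duplicate Application Control log entries and list test-mode impact.

Added example; the log format, action names and sample rows below are
constructed for illustration and are not a real SEP export format.
"""
from datetime import datetime, timedelta

# Constructed sample export: timestamp,mode,action,process,target,access mask
SAMPLE_LOG = """\
2024-03-01 10:00:00,Test (log only),Would block,explorer.exe,C:\\Data\\report.docx,WRITE|DELETE
2024-03-01 10:00:00,Test (log only),Would block,explorer.exe,C:\\Data\\report.docx,DELETE
2024-03-01 10:02:15,Production,Blocked,notepad.exe,C:\\Data\\notes.txt,WRITE
2024-03-01 10:02:16,Production,Blocked,notepad.exe,C:\\Data\\notes.txt,WRITE
2024-03-01 10:05:00,Test (log only),Would block,cmd.exe,C:\\Windows\\System32\\drivers\\etc\\hosts,WRITE
"""

# Entries for the same process/target/action closer together than this are
# treated as retries of one action (assumed value; tune for your environment).
WINDOW = timedelta(seconds=2)


def parse_log(text):
    """Parse the constructed CSV export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mode, action, process, target, mask = line.split(",", 5)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "mode": mode,
            "action": action,
            "process": process,
            "target": target,
            "mask": mask,
        })
    return events


def collapse_duplicates(events, window=WINDOW):
    """Merge repeated entries for the same process/target/action within `window`.

    This absorbs the explorer.exe pattern: one entry for the WRITE|DELETE
    attempt and a second for the DELETE-only retry after the first was blocked.
    """
    groups = []
    for ev in sorted(events, key=lambda e: e["time"]):  # stable sort keeps file order
        key = (ev["process"], ev["target"], ev["action"])
        for g in groups:
            if g["key"] == key and ev["time"] - g["last"] <= window:
                g["last"] = ev["time"]
                g["count"] += 1
                g["masks"].append(ev["mask"])
                break
        else:
            groups.append({
                "key": key,
                "mode": ev["mode"],
                "first": ev["time"],
                "last": ev["time"],
                "count": 1,
                "masks": [ev["mask"]],
            })
    return groups


def pending_blocks(groups):
    """Return sorted (process, target) pairs that a test-mode rule would have
    blocked; review each before switching the rule set back to production."""
    return sorted({(g["key"][0], g["key"][1])
                   for g in groups if g["mode"] == "Test (log only)"})


if __name__ == "__main__":
    groups = collapse_duplicates(parse_log(SAMPLE_LOG))
    for g in groups:
        print(f'{g["first"]} {g["mode"]:16} {g["key"][0]:13} -> {g["key"][1]} '
              f'x{g["count"]} masks={g["masks"]}')
    print("Would be blocked in production:", pending_blocks(groups))
```

The grouping key deliberately ignores the access mask, so the two explorer.exe entries collapse into one action with both masks retained for inspection; the production-mode notepad.exe entries collapse the same way, while the cmd.exe entry stays on its own. The list returned by `pending_blocks` is what to walk through with the application owners before Step 4.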
Step 4: Change the rule set back to production mode
When the rules function like you expect them to, change the rule set back to production mode.