Threats often use the "%UserProfile%\Local Settings\Application Data" location (C:\Documents and Settings\<username>\Local Settings\Application Data on Windows XP) to launch their files. It is easier to allow a few known executables than to block new threats one by one as they are detected. Choose whichever option suits you best.

Option 1: To block all executables (.exe files) from %UserProfile% and allow only known ones, follow the steps in Part 1 and Part 2.

Option 2: To block only known executables from %UserProfile%, follow the steps in Part 1 only, with one change in Step 9: instead of the wildcard, type the name of the known file to be blocked. For example, if the file name is FakeAv.exe, the string would be %userprofile%\*\FakeAv.exe

Consider Option 1 if the threat mutates (changes its file name).

Warning: If you choose Option 1, implement the policy on a test machine first and test your business applications, because the policy may break applications in a production environment. An application might use the user profile's Temp folder to launch some executables.

Configuring the policy:
Part 1: Blocking all executables from %userprofile%
Part 2: Excluding (allowing) genuine, legitimate executables from %userprofile%

Requirements:
1. Managed SEP 11.0 client with Proactive Threat Protection and Network Threat Protection.

Part 1: Blocking all executables from %userprofile%

Please refer to the screenshot. Log in to the SEPM console and open the Application and Device Control policy, then edit it or create a new one.

Step 1: Log in to the SEPM console and click on the Policies tab.
Step 2: Click on Application and Device Control.
Step 3: Edit the existing policy, or add a new policy by right-clicking.
Step 4: Click on Application Control.
Step 5: Check "Block application from running".
Step 6: Click Edit.
Step 7: Click on "Block these applications".
Step 8: Click on Add.
Step 9: Type %userprofile%\*\*.exe in the text box. (This means any .exe found in any folder under %userprofile%.)
Step 10: Click OK.

Part 2: Excluding (allowing) genuine, legitimate executables from %userprofile%

Step 11: Click Add.
Step 12: Type the name of the genuine application. For example: %userprofile%\*\notepad.exe
Step 13: Click OK.
Step 14: Click OK.
Step 15: Click OK.

If you edited an existing policy in Step 3, the changed policy is applied to the group it is already assigned to. If you added a new policy, you will get a prompt saying "Would you like to assign this policy". Click Yes and select the desired group.

Note: If you want this policy for an unmanaged client, create a test group and assign the policy to that group, then export an unmanaged client package that includes the group's policies. Review the LiveUpdate policy for the test group as well.
Hope you all find this useful
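As an added example (not part of the original post, and not a Symantec tool), the following PowerShell script builds the pre-deployment check the warning above calls for: it inventories every .exe under %userprofile%, records the Authenticode signer of each, and prints the wildcard string that file's Part 2 allow entry would take. It goes beyond the post in also scanning the All Users profile (%ALLUSERSPROFILE%), which a later reply in this thread suggests blocking too. It assumes PowerShell 2.0 or later; the CSV output path and column names are the script's own choices.

```powershell
# Added example, not part of the original post. Pre-deployment inventory for the
# %userprofile%\*\*.exe block rule: list every .exe under the user profile (and,
# as an extension, the All Users profile), with its Authenticode signer, and emit
# the ADC allow-list string each file would need if you decide to keep it.
# Assumes PowerShell 2.0 or later. No SEPM API is used; the output is a worksheet
# for Part 2 of the procedure.

$roots = @(
    @{ Path = $env:USERPROFILE;     Token = '%userprofile%' },
    # The All Users profile has no %userprofile% token in the rule, so the literal
    # path is used, matching the form C:\Documents and Settings\All Users\*\*.exe
    @{ Path = $env:ALLUSERSPROFILE; Token = $env:ALLUSERSPROFILE }
)

$inventory = foreach ($root in $roots) {
    Get-ChildItem -Path $root.Path -Filter '*.exe' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            New-Object PSObject -Property @{
                Path       = $_.FullName
                Size       = $_.Length
                LastWrite  = $_.LastWriteTime
                SigStatus  = $sig.Status
                Signer     = $signer
                # Wildcard form the Part 2 allow entry would take for this file
                AllowEntry = '{0}\*\{1}' -f $root.Token, $_.Name
            }
        }
}

# Full worksheet for review; Select-Object fixes the column order, since the
# hashtable above does not preserve it on PowerShell 2.0.
$report = Join-Path $env:TEMP 'profile-exe-inventory.csv'
$inventory | Sort-Object Path |
    Select-Object Path, Size, LastWrite, SigStatus, Signer, AllowEntry |
    Export-Csv -Path $report -NoTypeInformation

# Unsigned or invalidly signed binaries are the ones the block rule is meant to
# catch; validly signed vendor launchers are the candidates for Part 2 entries.
$inventory | Where-Object { $_.SigStatus -ne 'Valid' } |
    Sort-Object Path | Format-Table Path, SigStatus, Signer -AutoSize
"Inventory written to $report"
```

Run it on a pilot machine as each kind of user who will receive the policy, since profile contents differ per user. Two caveats: the inventory is a snapshot, so installers and updaters that drop an .exe into the profile's Temp folder only while they run will not appear in it, which is why the post's advice to test business applications on a test machine still stands; and because the ADC rule matches on path and file name only, an allow entry such as %userprofile%\*\notepad.exe lets any file called notepad.exe anywhere under the profile run, so keep the allow list as short as you can.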
I have implemented this on my system and I must say, the number of cases we now experience has decreased to the point where viruses seem to no longer be a problem (now I've said that, I've probably cursed myself to all manner of infections and outbreaks) (hopefully not, touch wood)!!
HOWEVER, with that said, I did have a virus yesterday that installed itself to the local user profile (C:\Documents and Settings\USERNAME), but RAN the EXE from the C:\Documents and Settings\ALL USERS directory. So in addition, I would suggest that you also add C:\Documents and Settings\All Users\*\*.exe to your list of processes to be included/blocked.
I am getting trouble with the SEPM 11 RU6 Application and Device Control. I created the policy as described above to prevent domain users from running portable applications and games from the user profile, and it works. But the problem is that when a user right-clicks on the file and uses the "Run as" command, it bypasses the policy. Please help me to solve it. Many thanks, Tommy
RU6 MP1
What version of SEP did you use?
I'll try and let you know.
Have you gotten ADC to work on unmanaged clients? I have not. I tried creating a group, setting up ADC for that group and exporting the policies, but it did not work.