How to prevent programs from running by blocking the file extension types from removable drives.

book

Article ID: 177512

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

You want to know how to create a rule that will block specific extensions from running from removable drives.

Symptoms
You want to know how to create a rule that will block specific extensions from running from removable drives.


Cause

You want to know how to create a rule that will block specific extensions from running from removable drives.

Resolution

How to prevent programs from running by blocking the file extension types from removable drives.

    Adding external USB drives to the Hardware Devices list

    · Open the Symantec Endpoint Protection Manager
    · Click on Policies
    · Expand Policy Components
    · Click on Hardware Devices
    · Click Add a Hardware Device...
    · In the Device Name: field chose a name for your custom device identifier <Note: This can be anything>
    · Click the radio button next to Device ID:
    · Type the following in the Device ID: field: USBSTOR\* ... Note: This must be all capitol letters and must be spelled correctly
    · Click OK
      How to create a rule to block extensions from running from removable drives.
        · Click on Policies
        · Click on Application and Device Control
        · Click Add an Application and Device Control Policy...
          · or highlight the policy that you wish to use in the left side pane
          · then click Edit the Policy
        · Highlight Application Control
        · Check the box next to Block programs from running from removable drives
        · Click Edit
        · Under the Rules column choose Add > Add Condition File > Folder Access Attempts
        · The File and Folder Access Attempts must be highlighted
        · On the Properties tab Enable this condition should be checked
        · Under Apply this rule to the following files and folders:
        · Click Add
        · In the File or Folder Name To Match field type the extension type that you are trying to block
          · *.exe for executable extensions, or *.txt for standard text files, etc.
        · The radio button next to Use wildcard matching(* and ? supported) should be checked
        · Check the box next to Only match files on the following device id type
        · Click Select button
        · Click on to the <Device Name:> that you created in the above step.
        · Click OK, Click OK again
        · Select the Actions tab
        · In the Read Attempt column choose Block access
        · Check the box next to Notify User:
        · Create a notification by typing something in the field Note: this can be what ever you want
        · In the Create,Delete,or Write Attempt column choose the radio button next to Block access
        · Check the box Notify User:
        · Create a notification by typing something in the field Note: this can be what ever you want
        · Click OK
        · Click OK again
        · Click Yes in the Assign Policy
        · Click each box next to the groups that you would like to assign this policy to
        · Click Assign
        · Click Yes
        · Reboot clients after they have received the policy for the changes to take effect

        Note: This will work on a 32bit server but will not work on a 64bit server. All features must be installed. AntiVirus and Antispyware, Proactive Treat Protection, Network Threat Protection


        Note: This will work on all workstations but all features must be installed. AntiVirus and Antispyware, Proactive Treat Protection, Network Threat Protection