1. You have a BHO that loads when user logs in and you want to know how to block it.
2. You want to be able to prevent new BHOs from loading.
3. You want to log all BHOs in the environment.

1. Log into Symantec Endpoint Protection Manager console
2. Navigate to your Application and Device control policy. (Log only as a test)( Production will test for block)
3. In application control, add a rule set. "Block BHOs"
4. Make it apply to all processes using the * in the upper dialog
5. Under Rules click to Add and choose Add Condition
6. Choose Registry Access Attempts
7. Under Apply to the following registry keys click Add
8. In Registry key add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
9. Click OK
10. In the Actions tab
11. Set Read Attempt to "Continue processing other rules"
12. Set Create, Delete, or Write Attempt to "Block access"
13. Click the boxes for Enable Logging
14. Click OK

1. Log into Symantec Endpoint Protection Manager console
2. Navigate to your Application and Device control policy. (Log only as a test)( Production will test for block)
3. In application control, add a rule set. "Log BHOs"
4. Make it apply to all processes using the * in the upper dialog
5. Under Rules click to Add and choose Add Condition
6. Choose Registry Access Attempts
7. Under Apply to the following registry keys click Add
8. In Registry key add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
9. Click OK
10. In the Actions tab
11. Set Read Attempt to "Allow access"
12. Set Create, Delete, or Write Attempt to "Allow access"
13. Click the boxes for Enable Logging
14. Click OK