You want to protect a file (or multiple files) from being written to or renamed. This can be done using the Application and Device Control policy of Symantec Endpoint Protection using the following steps.
- In the Symantec Endpoint Protection Manager, go to the Policies > Application and Device Control policy section. Right click on the Application and Device Control policy and select Edit...
- Once the policy editor opens, select Application Control then click Add...
- Under the properties for Rule 1, under "Apply this rule to the following processes", select Add
- In the process name to match, type * (asterisk), then click OK
- Under "Do not apply this rule to the following processes", use the same process as steps 3-4 to add any processes you want to exclude from this rule (eg. Add processes here that you want to be able to write to these files)
- Right click the rule, select Add Condition > File and Folder Access Attempts.
- Under the properties for "File and Folder Access Attempts", under "Apply this rule to the following processes", select Add
- In the process name to match, type the full path to the file (wildcards can be used here), then click OK
Repeat steps 7-8 for all files that need protection
- For "File and Folder Access Attempts", select the Actions tab, then select Block access for "Create, Delete, or Write Attempt". Set logging here if needed.
- Click OK to save the rule set
- Ensure the rule set is enabled and set to be used in Production, then click OK to save the policy
Assign the Application and Device control policy to the groups you want to protect. Once the client checks in and gets the policy it should now protect those files. If Application and Device control was disabled previously the client may prompt for a reboot.