Blocking files using Application Device Control within the SEPM

Article ID: 152188

Products

Endpoint Protection

Issue/Introduction

How do you block a file using Application Device Control? Does Application Device Control use wildcards?

Resolution

Yes. You can add process definitions that use wildcards to Application Device Control rule sets.

Process Definition Table from the Symantec Endpoint Protection Manager Help:

Group or Option
Description
    Process name to match
    Type the process name to match with this rule. If you use this option, you cannot use the Match the file fingerprint option, which is available when you click Options.

    You can use environment variables, wildcards, and registry keys. Environment variables are useful when you have clients that may be running various versions of Windows operating systems. For example, %windir%\calc.exe matches any path to the calc.exe application.

    The following options are available:


      · Use wildcard matching (* and ? supported)
      · Use regular expression matching
      · Only match processes running from the following drive type
    You can check the drive types that you want to match on.


    Note: You cannot block writing to CD or DVD drives even if you select CD/DVD drive.

    For the latest information, see the Symantec Knowledge Base document: After setting up an Application and Device Control policy to block CD writing, CD writing is not blocked as expected, and write attempt is not logged (document 2008042510214848).


      · Only match processes running on the following device id type


    If you do not want to type a device ID type, you can click Select to select a device from the device list. The device list contains the device instance name and the device instance ID.

    Note: An application may have more than one process. You might need to add multiple processes if you want to block or allow a particular application.

    Match the file fingerprint
    This option is available when you select Options. Use this option instead of the Process name to match option.

    A file fingerprint is a checksum of an executable or DLL on a client computer. You can run a utility to generate a file fingerprint list and import this list into the console.

    Only match processes with the following arguments
    This option is available when you select Options. Check this option if you want to include specific arguments in the available text box.

    The following options are available:

    · Match exactly
    · Use regular expression matching
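
Before deploying a process definition, it helps to preview which process paths a pattern would catch under the "Use wildcard matching" and "Use regular expression matching" options described above. The script below is an added example, not Symantec code and not the matcher used by the SEP client; it assumes that a pattern must match the whole path, that matching is case-insensitive, that * can span backslashes, and that environment variables are also expanded in regular expression mode. The environment values and process paths are constructed sample data.

```python
import re

# Constructed sample data: not taken from a real client or from SEP itself.
SAMPLE_ENV = {"windir": r"C:\Windows"}
SAMPLE_PROCESSES = [
    r"C:\Windows\calc.exe",
    r"C:\Windows\System32\calc.exe",
    r"C:\Users\alice\Downloads\calc.exe",
    r"C:\Windows\System32\calc1.exe",
    r"C:\Program Files\Tool\recalc.exe",
]

def expand_env(pattern, escape=False, env=SAMPLE_ENV):
    """Replace %name% with its value; unknown names are left as typed."""
    def sub(m):
        value = env.get(m.group(1).lower())
        if value is None:
            return m.group(0)
        # In regex mode the backslashes in the value must be escaped.
        return re.escape(value) if escape else value
    return re.sub(r"%([^%\\]+)%", sub, pattern)

def wildcard_to_regex(pattern):
    """Translate * and ? only; every other character is a literal.
    Assumption: * can span backslashes."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c)
             for c in pattern]
    return "".join(parts)

def preview(pattern, mode, processes=SAMPLE_PROCESSES):
    """Return the sample paths a definition would match (case-insensitive)."""
    if mode == "wildcard":
        source = wildcard_to_regex(expand_env(pattern))
    elif mode == "regex":
        source = expand_env(pattern, escape=True)
    else:
        raise ValueError("mode must be 'wildcard' or 'regex'")
    rx = re.compile(source, re.IGNORECASE)
    return [p for p in processes if rx.fullmatch(p)]

if __name__ == "__main__":
    for pat, mode in [(r"%windir%\calc.exe", "wildcard"),
                      (r"*\calc.exe", "wildcard"),
                      (r"*calc.exe", "wildcard"),
                      (r".*\\calc\.exe", "regex")]:
        print(f"{mode:8} {pat!r}: {preview(pat, mode)}")
```

In this model, `*calc.exe` also catches `recalc.exe`, while `*\calc.exe` anchors on the path separator and still covers copies of the file outside the Windows directory.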