ATM we have in our Global Restriction Settings Action == Notification.
Is it possible to create new restriction policy and force that it is on prevention mode?
I have searched all the places, but I just can't find any kind of button for that.
Because if I create new "Execution path restriction" policy and put there restriction something like this "e:\testing\*.exe" I just get notification to ESM console (and this is of course how it should work).
So basically the questions is "Can I override default behaviour?"
Traps v. 4.0.xx
Items in the Global whitelist section take precedence over any blacklisted items and are evaluated first in the security policy. It means, that if you restricted a path in through the restriction policy, and at the same time it is also in the Global Whitelist, the second configuration is the one that will be triggered.
If you turn the "Action" to Prevention, it means that any path no explicitly whitelisted will be blocked. If you put in notification, any file being executed from a path not explicitly whitelisted, will be notified. You can turn user notification on and off as you know.
One of the advantages of using the Global whitelist is that it gives you the visibility of which applications are potentially running from non authorized locations or that may potentially be malicious. In this case you have to provide the path for the actual executable.
So, in your example, if the e:\testing\*.exe is included in the Global Whitelist, it will take precedence as explained earlier, hence, you cannot have this .exe configured on both sides.
If you want to restrict the executable, do not include in the Global Whitelist, and then create a malware restriction policy instead.
In order to override the default policy you need to create a user defined policy to apply further restrictions.
The malware restriction policy can be configured at the following menu: Policies > Malware >> Restricitions > Add
I have some scripts ready that may help you create these policies in the following link.
I hope this helps
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!