|
|
|
|
|
|
Parameter
|
Setting
|
Value
|
Description
|
||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
Configuration
|
Container for the Configuration section
|
||||||||||
|
Feature
|
Container for the Feature section
|
||||||||||
|
ApplicationLockDown
|
LockDownMode
|
1
|
Turn on Application Lockdown
|
||||||||
|
2
|
Turn off Application Lockdown
|
||||||||||
|
WhiteList
|
RecentHistoryUnapprovedFilesLimit
|
0 - 65535
|
Maximum number of entries in the Blocked Files log
|
||||||||
|
ExclusionList
|
Container for the Exclusion for Approved List
initialization section
|
||||||||||
|
Folder
|
<folder_path>
|
Exclusion folder path
|
|||||||||
|
Extension
|
<file_extension>
|
Exclusion file extension
|
|||||||||
|
ScriptLockDown
|
Enable
|
yes
|
Enable Script Lockdown
|
||||||||
|
no
|
Disable Script Lockdown
|
||||||||||
|
Extension
|
ID
|
<file_extension>
|
File extension for Script Lockdown to block
For example, specify a value of MSI
to block .msi files.
|
||||||||
|
Interpreter
|
<file_name>
|
Interpreter for the specified file extension
For example, specify msiexec.exe as the interpreter for
.msi files.
|
|||||||||
|
TrustedUpdater
|
Container for the TrustedUpdater section
|
||||||||||
|
PredefinedTrustedUpdater
|
Enable
|
yes
|
Enable Trusted Updater
|
||||||||
|
no
|
Disable Trusted Updater
|
||||||||||
|
RuleSet
|
Container for RuleSet conditions
|
||||||||||
|
Condition
|
ID
|
<unique_ruleset_name>
|
Unique name for the set of rules
|
||||||||
|
ApprovedListCheck
|
Enable
|
yes
|
Enable hash checks for programs executed using the Trusted Updater | ||||||||
|
no
|
Disable hash checks for programs executed using the
Trusted Updater
|
||||||||||
|
ParentProcess
|
Path
|
<process_path>
|
Path of the parent process to add to the Trusted Updater
List
|
||||||||
|
Exception
|
Path
|
<process_path>
|
Path to exclude from the Trusted Updater List
|
||||||||
|
Rule
|
Label
|
<unique_rule_name>
|
Unique name for this rule
|
||||||||
|
Updater
|
Type
|
process
|
Use the specified EXE file
|
||||||||
|
file
|
Use the specified MSI or
BAT file
|
||||||||||
|
folder
|
Use the EXE,
MSI or BAT files in
the specified folder
|
||||||||||
|
folderandsub
|
Use the EXE,
MSI or BAT files in
the specified folder and its subfolders
|
||||||||||
|
Path
|
<updater_path>
|
Trusted Update path
|
|||||||||
|
ConditionRef
|
<condition_ID>
|
Condition ID to provide a more detailed rule for the
Trusted Updater
|
|||||||||
|
WindowsUpdateSupport
|
Enable
|
yes
|
Allow Windows Update to run on the managed endpoint when
it is locked down.
|
||||||||
|
no
|
Block Windows Update on the managed endpoint when it is
locked down.
|
||||||||||
|
DLLDriverLockdown
|
Enable
|
yes
|
Enable DLL/Driver Lockdown
|
||||||||
|
no
|
Disable DLL/Driver Lockdown
|
||||||||||
|
ExceptionPath
|
Enable
|
yes
|
Enable exception paths
|
||||||||
|
no
|
Disable exception paths
|
||||||||||
|
ExceptionPathList
|
Container for the Exception List
|
||||||||||
|
ExceptionPath
|
Path
|
<exception_path>
|
Exception path | ||||||||
|
Type
|
file
|
Use only the specified file
|
|||||||||
|
folder
|
Use the files in the specified folder
|
||||||||||
|
folderandsub
|
Use the files in the specified folder and its
subfolders
|
||||||||||
|
regexp
|
Use an exception using the regular expression
|
||||||||||
|
TrustedCertification
|
Enable
|
yes
|
Enable using Trusted Certifications
|
||||||||
|
no
|
Disable using Trusted Certifications
|
||||||||||
|
PredefinedTrustedCertification
|
Type
|
updater
|
File signed by this certificate is treated as a Trusted
Update
|
||||||||
|
lockdown
|
File signed by this certificate is not treated as a
Trusted Update
|
||||||||||
|
Hash
|
<SHA-1_hash_value>
|
SHA1-hash value of this certificate
|
|||||||||
|
Label
|
<label>
|
Description of this certificate
|
|||||||||
|
Subject
|
<subject>
|
Subject of this certificate
|
|||||||||
|
Issuer
|
<issuer>
|
Issuer of this certificate
|
|||||||||
|
TrustedHash
|
Enable
|
yes
|
Enable using the Trusted Hash List
|
||||||||
|
no
|
Disable using the Trusted Hash List
|
||||||||||
|
PredefinedTrustedHash
|
Type
|
updater
|
File matched by this hash value is treated as a Trusted
Update
|
||||||||
|
lockdown
|
File matched by this hash value is not treated as a
Trusted Update
|
||||||||||
|
Hash
|
<SHA-1_hash_value>
|
SHA-1 hash value of this file
|
|||||||||
|
Label
|
<label>
|
Description of this file
|
|||||||||
|
AddToApprovedList
|
yes
|
Add the file matched by this hash value to the Approved
List when it is accessed for the first time
|
|||||||||
|
no
|
Do not add the file matched by this hash value to the
Approved List
|
||||||||||
|
Path
|
<file_path>
|
File path
|
|||||||||
|
Note
|
<note>
|
Add a note for the file matched by this hash value
|
|||||||||
|
WriteProtection
|
Enable
|
yes
|
Enable Write Protection
|
||||||||
|
no
|
Disable Write Protection
|
||||||||||
|
ActionMode
|
0
|
Allow actions such as edit, rename, and delete
|
|||||||||
|
1
|
Block actions such as edit, rename, and delete
|
||||||||||
|
ProtectApprovedList
|
yes
|
Enable protection of the Approved List (in addition to
the Write Protection List) when Write Protection is enabled
|
|||||||||
|
no
|
Disable protection of the Approved List (in addition to
the Write Protection List) when Write Protection is enabled
|
||||||||||
|
List
|
Container for the Write Protection List
|
||||||||||
|
File
|
Path
|
<file_path>
|
File path
|
||||||||
|
Folder
|
Path
|
<folder_path>
|
Folder path
|
||||||||
|
IncludeSubfolder
|
yes
|
Use the files in the specified folder and its
subfolders
|
|||||||||
|
no
|
Use the files in the specified folder
|
||||||||||
|
RegistryKey
|
Key
|
<reg_key>
|
Registry key
<reg_key> can be abbreviated or expanded as shown below:
|
||||||||
|
IncludeSubkey
|
yes
|
Include any subkeys
|
|||||||||
|
no
|
Do not include any subkeys
|
||||||||||
|
RegistryValue
|
Key
|
<reg_key>
|
Registry key
<reg_key> can be abbreviated or expanded as shown below:
|
||||||||
|
Name
|
<reg_value_name>
|
Registry value name
|
|||||||||
|
ExceptionList
|
Container for the Write Protection Exception List
|
||||||||||
|
Process
|
Path
|
<process_path>
|
Path of the process
|
||||||||
|
File
|
Path
|
<file_path>
|
File path
|
||||||||
|
Folder
|
Path
|
<folder_path>
|
Folder path
|
||||||||
|
IncludeSubfolder
|
yes
|
Use the files in the specified folder and its
subfolders
|
|||||||||
|
no
|
Use the files in the specified folder
|
||||||||||
|
RegistryKey
|
Key
|
<reg_key>
|
Registry key
<reg_key> can be abbreviated or expanded as shown below:
|
||||||||
|
IncludeSubkey
|
yes
|
Include any subkeys
|
|||||||||
|
no
|
Do not include any subkeys
|
||||||||||
|
RegistryValue
|
Key
|
<reg_key>
|
Registry key
<reg_key> can be abbreviated or expanded as shown below:
|
||||||||
|
Name
|
<reg_value_name>
|
Registry value name
|
|||||||||
|
CustomAction
|
ActionMode
|
0
|
Ignore blocked files or processes when Application
Lockdown blocks any of the following events:
|
||||||||
|
1
|
Quarantine blocked files or processes when Application
Lockdown blocks any of the following events:
|
||||||||||
|
2
|
Ask what to do for blocked files or processes when
Application Lockdown blocks any of the following events:
|
||||||||||
|
UsbMalwareProtection
|
Enable
|
yes
|
Enable USB Malware Protection
|
||||||||
|
no
|
Disable USB Malware Protection
|
||||||||||
|
ActionMode
|
0
|
Allow action by detected malware
|
|||||||||
|
1
|
Block action by detected malware
|
||||||||||
|
DllInjectionPrevention
|
Enable
|
yes
|
Enable DLL Injection Prevention
|
||||||||
|
no
|
Disable DLL Injection Prevention
|
||||||||||
|
ActionMode
|
0
|
Allows DLL injections
|
|||||||||
|
1
|
Blocks DLL injections
|
||||||||||
|
ApiHookingPrevention
|
Enable
|
yes
|
Enable API Hooking Prevention
|
||||||||
|
no
|
Disable API Hooking Prevention
|
||||||||||
|
ActionMode
|
0
|
Allow API hooking
|
|||||||||
|
1
|
Block API hooking
|
||||||||||
|
MemoryRandomization
|
Enable
|
yes
|
Enable Memory Randomization
|
||||||||
|
no
|
Disable Memory Randomization
|
||||||||||
|
NetworkVirusProtection
|
Enable
|
yes
|
Enable Network Virus Protection
|
||||||||
|
no
|
Disable Network Virus Protection
|
||||||||||
|
ActionMode
|
0
|
Allow action by detected network viruses
|
|||||||||
|
1
|
Block action by detected network viruses
|
||||||||||
|
IntegrityMonitoring
|
Enable
|
yes
|
Enable Integrity Monitoring
|
||||||||
|
no
|
Disable Integrity Monitoring
|
||||||||||
|
StorageDeviceBlocking
|
Enable
|
yes
|
Blocks access of storage devices (CD/DVD drives, floppy
disks, and USB devices) to managed endpoints
|
||||||||
|
Disable
|
no
|
Allows access of storage devices (CD/DVD drives, floppy
disks, and USB devices) to managed endpoints
|
|||||||||
|
ActionMode
|
0
|
Allow actions such as edit, rename, and delete
|
|||||||||
|
1
|
Block actions such as edit, rename, and delete
|
||||||||||
|
Log
|
Container for configuring logs
See Log Section.
|
||||||||||
|
FilelessAttackPrevention
|
Enable
|
yes
|
Enable Fileless Attack Prevention
|
||||||||
|
no
|
Disable Fileless Attack Prevention
|
||||||||||
|
ExceptionList
|
Container for the Fileless Attack Prevention Exception
List
|
||||||||||
|
Exception
|
Target
|
<monitored process>
|
Specify powershell.exe,
wscript.exe,
CScript.exe, or
mshta.exe
|
||||||||
|
Label
|
<label>
|
Unique name of this exception
|
|||||||||
|
Arguments
|
<arguments>
|
Arguments to be approved
|
|||||||||
|
Regex
|
yes
|
Specify yes if argument includes a
regular exception
|
|||||||||
|
no
|
Specify no if argument does not include
a regular exception
|
||||||||||
|
Parent1
|
<parent process>
|
Parent process of the monitored process
|
|||||||||
|
Parent2
|
<grandparent process>
|
Grandparent process of the monitored process
|
|||||||||
|
Parent3
|
<great grandparent process>
|
Great grandparent process of the monitored process
|
|||||||||
|
Parent4
|
<great great grandparent
process>
|
Great great grandparent process of the monitored
process
|
|||||||||