So I have success when creating a Removable Storage Access File Device Rule to block .exe's from being launched from removable media... however I cannot figure out how to allow users to run the .exe locally from their machine. I would like to allow users to drag and drop the .exe to their desktop to run, but block on their removable storage devices... (like portable web browsers for example).
Also, if anyone knows how to configure the rule to successfully show what executables are being launched or attempted to launch, so that we can effectively data mine and write procedures and rules accordingly or whitelist a high demand .exe people need to run. Right now I can configure my RSAFD rule to monitor mode but cannot see what executables are being launched.
I am afraid to inform you that the file can't be allowed to drag and drop.
Secondly, the evidence option is not applicable for device rules; hence, the file name can't be viewed in the incident manager.
Just to give a little more information about the functionality of the rule:
The Removable Storage File Access Device Rule generates incidents on device plug only, considering the plugged device matches the device definition in the rule - a plug event will be generated.
DLP blocks access to the device or makes the device read-only without generating any incidents after it. This behavior is by design. This will mean DLP won't create a false monitor incident - you can see that the incident type is a device plug incident (not a file access block). The device rule will block access to .exe files (or other types of files which the user defined in the rule), but no incident will be sent.
The reason for this behavior is the huge number of file access operations that the OS does. Many different running processes (like explorer.exe) will try to access blocked files. If we send a notification for every file access, the user can see hundreds of notifications in a minute.
Hope this is helpful and addresses your query.
JaganA McAfee Employee