I've successfully created an Application Blocking Rule to stop an application from executing but now I'd like to create an exception for a specific AD user group to allow them to run the application. Is this possible in HIPS 7.0.4?
I do not want to use an IPS rule/exception because I have IPS protection set to logging for compatibility and stability reasons.
Unfortunately, there was a limitiation outlined in the Known Issues section of the release notes.
The issue stemmed from an architectural problem that could not be easily corrected in 7.0.
IPS exceptions allow only all users or groups or specified local users to be entered as users. Selecting local groups or domain groups as users is not supported. (364942)
Using AD groups will be fuilly supported in HIP 8.0 due out late Q3 2010.
Yes, you should be able to create exceptions either off the event itself or by running AB in adaptive mode which will automatically create a client rule (exception).
I tried creating an exception off of the event in the log and keep getting a "Create Exception Failed" error, is there a log that will give me more details about the error?
Thanks again for your help.
The "Create Exception" option in the ePO console only works for Host IPS events (not Network IPS or App Blocking events).
You can create a "Trusted Application" rule and mark that application to be trusted by the App Blocking module, for application hooking. This will create an application blocking rule to allow your application.
There is not really "exception" rules for Application Blocking. If you wanted some type of "block all users from executing this application, except for certain users" functionality, you could try creating a custom Host IPS signature to block the "execute" operation, and then use an IPS exception to allow certain users to override this signature.