
Folder Exclusions


Trying to exclude creation or modification of files in the user startup directory.  It's not working.  Any ideas?

exclusion.jpg

1 Solution

Accepted Solutions
Reliable Contributor rmetzger
Message 3 of 3

Re: Folder Exclusions


Hi Michael_w_c

michael_w_c wrote:

Trying to exclude creation or modification of files in the user startup directory.  It's not working.  Any ideas?

exclusion.jpg

Based on your 'File or Folder name to block:' your exclusion would convert to this (on Win7):

C:C:\Users\{userprofilename}\Start Menu\Programs\Startup\

C:C: is a problem.

The folders you wish to block:

Under Windows 7:

C:\Users\{UserID}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

On WinXP:

C:\Documents & Settings\{UserID}\Start Menu\Programs\Startup\

However, there is a public/All Users Startup folder as well:

On Windows 7:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\

On WinXp:

%AllUsersProfile%\Start Menu\Programs\Startup\

Note: the common theme is \Start Menu\Programs\Startup\

To avoid making multiple Exclusions and covering each exclusion in one rule, try:

**\Start Menu\Programs\Startup\

Using the 'File actions to Prevent' section, Check 'Write access to files' and 'New files being created' as in your example. This will exclude the construction or changes to files on any drive down to any directory that ends in \Start Menu\Programs\Startup\

Be aware that this rule may create issues with some legitimate software. Further, this only stops one method for automatic startup of software. Consider the many, many methods that Sysinternals' 'AutoRuns' software lists for auto-startup methods.

In any case, Test, test, test. Then follow up with more testing.

A more effective approach might be to limit user rights, limiting the ability to install software (through GPO perhaps). In this case do not give users Admin rights, or Power User rights.

Perhaps 'McAfee Application Control' is another option.

Good luck,

Ron Metzger

Thanks,
Ron Metzger

2 Replies

Re: Folder Exclusions


I don't recall if the field "file or folder name to block" can use environmental variables.  Try something like this:

**\Start Menu\Programs\Startup\**

Translates to: anything before and after (including slashes) with that folder path would match.
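A way to check rule coverage offline before deploying, as an added example that is not part of the original posts or of the product: it models the wildcard patterns from both replies and runs them against the startup folders listed above. Assumptions: `**` crosses backslashes as the reply describes, while `*` (one path component), `?` (one character), case-insensitive whole-path matching, the user name `alice`, the `D:` path and the `*` standing in for `{userprofilename}` are constructed for illustration. How the product treats files beneath a pattern that ends in a backslash is not modelled.

```python
import re

def wildcard_to_regex(pattern):
    """Translate a rule pattern into a compiled regex (assumed semantics)."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")            # '**' crosses path separators
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\/]*")      # '*' stays inside one component
            i += 1
        elif pattern[i] == "?":
            parts.append(r"[^\\/]")       # '?' is exactly one character
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def matches(pattern, path):
    return wildcard_to_regex(pattern).fullmatch(path) is not None

def uncovered(pattern, paths):
    """Paths the rule would miss; an empty list means full coverage."""
    return [p for p in paths if not matches(pattern, p)]

STARTUP = r"\Start Menu\Programs\Startup" + "\\"
FOLDERS = [  # constructed sample paths based on the folders named in the thread
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows" + STARTUP,  # Win7 user
    r"C:\Documents and Settings\alice" + STARTUP,                   # WinXP user
    r"C:\ProgramData\Microsoft\Windows" + STARTUP,                  # Win7 all users
    r"D:\Profiles\All Users" + STARTUP,                             # other drive
]
NEAR_MISSES = [  # constructed paths that must stay outside the rule
    r"C:\Users\alice\Start Menu\Programs\Startup Items\tool.lnk",
    r"C:\Temp\Startup\run.bat",
]
RULE_ANSWER = "**" + STARTUP               # pattern from the accepted solution
RULE_REPLY = RULE_ANSWER + "**"            # pattern from the other reply
RULE_BROKEN = r"C:C:\Users\*" + STARTUP    # the doubled-drive form that failed

if __name__ == "__main__":
    for name in ("RULE_ANSWER", "RULE_REPLY", "RULE_BROKEN"):
        missed = uncovered(globals()[name], FOLDERS)
        print(f"{name}: misses {len(missed)} of {len(FOLDERS)} startup folders")
```
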
