Quick question I thought I would run across the forum to see if anyone else has done this before. We have a group in EPO that we have built for use on virus outbreaks. I have a task set up to push the Stinger install and then scan the system with it, along with a full system scan using High heuristics settings. I wanted to add a custom rule in the Access Protection that would shut off access to any network shares as well as any internet access. I have the Anti-virus Outbreak Control set to block on "Make all shares read only" and "Block read and write access to all shares", but that doesn't appear to even work once the policy applies. Anyone done anything like this before or is there a better way to do it? Trying to automate the process more and isolate the infected systems until someone can get to the system and pull it off the network for scanning. Thanks!
You can do it under Access Protection > User defined rules.
For Network Shares > File and folder rule
Any Internet Access > Port blocking rule, where you can add the HTTP and HTTPS ports to block outbound.
Basically I already have that exact setup for the Port blocking rule installed. For the Port blocking rule I have * for processes to include, Starting Port as 1 and Ending Port as 51515, and both inbound and outbound checked. I wasn't quite sure of what to put on the file or folder name in the File and Folder rule. Assuming we have F:\, G:\, H:\, and M:\ shares, would I put in the following: F:\*, G:\*, H:\*, M:\* and then check all the File actions? Thanks again!
That didn't work, so I figured I would narrow the focus to start off with by choosing network drive H:. If I open up the Access Protection on the client itself and edit the "Block all Network Shares" user-defined rule I made, when I click on the browse folder button and choose the H:\ drive, it gives the syntax of H:\**. I went ahead and changed the rule on the EPO side to use that syntax and it is definitely pulling it down on the client side, but I can still get to the share. I have * for processes to include, H:\** for file or folder name to block, and all the boxes checked at the bottom. Is there a time that I need to wait, or is it after a restart that it will start the blocking?
Sometimes VSE will not get the name like the H:\ drive and it will get something like virtual_device....
Make sure that the folder is detected as H:\ for VSE.
The easy way is to test with an EICAR file on that device, and under the detection name you will see how the H:\ drive is detected.
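Added example, not from any of the posters above: a PowerShell check you can run on the client after the policy lands. It resolves each mapped letter to the UNC path VSE may actually see (the "virtual_device"/UNC naming issue above), then probes whether a write to the share and an outbound connection on 80/443 are really blocked. The drive letters, the test host and the function names are assumptions for illustration.

```powershell
# Added example (not the thread's or McAfee's code). Assumes the shares are mapped as
# drive letters and the ePO Access Protection policy has already been enforced on this host.
$letters = 'F', 'G', 'H', 'M'          # letters named in the thread; adjust to your mappings

function Get-MappedDriveTarget([string]$Letter) {
    # DriveType 4 = network drive; ProviderName is the UNC path the share really resolves to,
    # which is what VSE may log instead of the H:\ style letter.
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='${Letter}:'"
    if ($null -eq $disk) { return "${Letter}: not mapped" }
    return ("{0}: DriveType={1} UNC={2}" -f $Letter, $disk.DriveType, $disk.ProviderName)
}

function Test-ShareWriteBlocked([string]$Path) {
    # $true means the file/folder rule stopped the write (the desired outbreak state).
    $probe = Join-Path $Path ("ap-probe-{0}.txt" -f [guid]::NewGuid())
    try {
        Set-Content -Path $probe -Value 'access protection probe' -ErrorAction Stop
        Remove-Item -Path $probe -ErrorAction SilentlyContinue   # clean up; write got through
        return $false
    } catch { return $true }
}

function Test-OutboundBlocked([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    # $true means the port-blocking rule (1-51515 outbound) is preventing the connection.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $true }  # timeout: treat as blocked
        $client.EndConnect($ar)
        return $false                                 # connected: rule not in effect yet
    } catch { return $true } finally { $client.Close() }
}

foreach ($l in $letters) {
    Write-Output (Get-MappedDriveTarget $l)
    if (Test-Path "${l}:\") {
        Write-Output ("  write blocked on {0}:\ = {1}" -f $l, (Test-ShareWriteBlocked "${l}:\"))
    }
}
# Assumed test host; use an internal web server you control so the probe stays on your network.
foreach ($p in 80, 443) {
    Write-Output ("outbound {0} blocked = {1}" -f $p, (Test-OutboundBlocked 'intranet.example.local' $p))
}
```

If the UNC line shows a path other than the drive letter, write the file/folder rule against that UNC form as well, since that is the name the detection will report.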