1. Your question in a screenshot: Should this be blank? <yes, this blank field only shows entries, when you put Host IPS in Adaptive mode and it creates locally-learned client rules exceptions.
2. Your subrule is setup for FILES - C:\TEST, yet you created a directory called C:\TEST. The signature should be blocking operations to a file called TEST (no extension) in the root of C:\. Did you mean instead C:\TEST\* files? Modify your rule to include files in the C:\TEST directory, and not a file called TEST in C:\.
Kary, thank you ever so much - this was indeed the correct answer and IPS is now triggering as expected for file deletes on protected folders!
I have, however, got another question if you wouldn't mind a further question?
I have setup a rule to prevent the service termination of our power management software, Verdiem Surveyor, however, it only triggers upon trying to uninstall the software.
If I go to Start -> Run -> Services.msc and then stop the service from there, it doesn't get prevented as I would expect.
Couple of things I can think of:
1) Is services.msc is a "trusted application" in terms of IPS with the default policy (if so, what would I need to do to change that?)
2) I added Verdiem Surveyor itself as a trusted application (although I would say this would have allowed the service to be terminated via uninstalling it)
3) I have tried both the "Service Name" and "Display Name" options from the rule (putting the correct entry in as required) but each yields the same result
I've added some screenshots again to help illustrate the issue
Many thanks again in advance!