2 Replies Latest reply: Jun 6, 2014 8:24 PM by rmetzger

    Folder Exclusions

    michael_w_c

      Trying to exclude creation or modification of files in the user startup directory.  It's not working.  Any ideas?

       

      exclusion.jpg

        • 1. Re: Folder Exclusions
          mcafeenewb

          I don't recall if the field "file or folder name to block" can use environmental variables.  Try something like this:

          **\Start Menu\Programs\Startup\**

           

          Translates to: anything before and after (including slashes) with that folder path would match.

          • 2. Re: Folder Exclusions
            rmetzger

            Hi Michael_w_c

            michael_w_c wrote:

             

            Trying to exclude creation or modification of files in the user startup directory.  It's not working.  Any ideas?

             

            exclusion.jpg

            Based on your 'File or Folder name to block:' your exclusion would convert to this (on Win7):

            C:C:\Users\{userprofilename}\Start Menu\Programs\Startup\

             

            C:C: is a problem.

             

            The folders you wish to block:

             

            Under Windows 7:

            C:\Users\{UserID}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

             

            On WinXP:

            C:\Documents & Settings\{UserID}\Start Menu\Programs\Startup\

             

            However, there is a public/All Users Startup folder as well:

             

            On Windows 7:

            C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\

             

            On WinXP:

            %AllUsersProfile%\Start Menu\Programs\Startup\

             

            Note: the common theme is \Start Menu\Programs\Startup\

             

            To avoid making multiple Exclusions and covering each exclusion in one rule, try:

             

            **\Start Menu\Programs\Startup\

             

            Using the 'File actions to Prevent' section, Check 'Write access to files' and 'New files being created' as in your example. This will exclude the construction or changes to files on any drive down to any directory that ends in \Start Menu\Programs\Startup\

             

            Be aware that this rule may create issues with some legitimate software. Further, this only stops one method for automatic startup of software. Consider the many, many methods that Sysinternals' 'AutoRuns' software lists for auto-startup methods.

             

            In any case, Test, test, test. Then follow up with more testing.

             

            A more effective approach might be to limit user rights, limiting the ability to install software (through GPO perhaps). In this case do not give users Admin rights, or Power User rights.

             

            Perhaps 'McAfee Application Control' is another option.

             

            Good luck,

            Ron Metzger
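
An added example, not part of the original thread or of any McAfee tooling: an offline check of which candidate patterns cover files in the four Startup folders listed above. It assumes `**` matches any characters including backslashes (as described in reply 1), and, as assumptions of this sketch, that a single `*` or `?` stays within one path component and that a trailing backslash means "everything under this folder". The user name, file names and the expanded XP paths are constructed sample values.

```python
import re

def pattern_to_regex(pattern):
    """Translate a wildcard pattern to a regex under the assumed semantics."""
    if pattern.endswith("\\"):            # assumption: trailing backslash = folder contents
        pattern += "**"
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")              # any characters, backslashes included
            i += 2
        elif pattern[i] == "*":
            out.append(r"[^\\]*")         # assumption: stays inside one path component
            i += 1
        elif pattern[i] == "?":
            out.append(r"[^\\]")          # assumption: one non-backslash character
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    # Windows paths are case-insensitive
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)

def covered(pattern, path):
    return pattern_to_regex(pattern).fullmatch(path) is not None

# Constructed sample files, one per Startup folder named in the thread.
# XP paths use the default "Documents and Settings" profile root.
STARTUP_FILES = [
    r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.lnk",
    r"C:\Documents and Settings\jdoe\Start Menu\Programs\Startup\run.lnk",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\run.lnk",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\run.lnk",
]
OTHER_FILE = r"C:\Users\jdoe\Documents\report.docx"   # must stay uncovered

def coverage(pattern):
    """One boolean per startup file, then one for the unrelated file."""
    return [covered(pattern, p) for p in STARTUP_FILES + [OTHER_FILE]]

if __name__ == "__main__":
    candidates = [
        "**\\Start Menu\\Programs\\Startup\\**",            # reply 1
        "**\\Start Menu\\Programs\\Startup\\",              # reply 2
        "C:C:\\Users\\*\\Start Menu\\Programs\\Startup\\",  # doubled drive prefix
        "C:\\Users\\*\\Start Menu\\Programs\\Startup\\",    # prefix fixed, still too shallow
    ]
    for pat in candidates:
        print(f"{pat:48} {coverage(pat)}")
```

Under these assumptions both `**` patterns cover all four folders and nothing else in the sample, while the expanded `C:\Users\...` forms miss the Windows 7 per-user folder because it sits under `AppData\Roaming\Microsoft\Windows`.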