I've been doing testing on System LockDown using Whitelist Mode Application Lists.
Instead of using an automatically generated File Fingerprint List, I'm just letting the system run in Log Unapproved Applications mode for a few days.
When I review the test client's Control Log for events titled LockDown and add an individual exception from the Target column using a wildcard format, I'm not seeing expected changes.
ADD FILE DEFINITION
The Name Can Include Environment Variables, Wildcards(*,?), and registry keys. Examples: %windir%\system32\* or C:\windows\*.exe
File Name To Match: %LOCALAPPDATA%\GoToMeeting\*\*
Use Wildcard Matching (* and ? supported): Enabled
Only Match Files on the Following Drive Types: Enabled
Local Fixed Disk Drive: Enabled
Can someone tell me why this Individual File Name exception isn't working as expected? I'm still getting the below entry as Blocked by LockDown.
CONTROL LOG ENTRY
Date and Time: 10/4/2017 3:34:00 PM
Severity: 1
Action: Block
Test Mode: Test Mode
Description: System Lockdown - Caller MD5=36f670d89040709013f6a460176767ec - Target Arguments=""
API: Create Process
Rule Name: LockDown
IP Address: 10.10.18.134
Caller Process ID: 1796
Caller Process: C:\Windows\System32\svchost.exe
Device Instance ID: SCSI\Disk&Ven_ATA&Prod_WDC_...
Target: C:\Users\BWLabUser\AppData\Local\GoToMeeting\7716\g2mupdate.exe
File Size: 31,808 Bytes
User: SYSTEM
User Domain: BWLab
Location: Default