Generate application behavior rules from behavior recording

Whenever applications require access that is not apparent to the user (writing temporary files, creating configuration files or caches, etc.), DriveLock records these background actions and allows you to control them.

To have application behavior rules generated automatically from the result of the behavior recording, proceed as follows:

  1. In the context menu of the application behavior rules, under All Tasks, click the menu item Generate behavior rules from the application behavior recording...

  2. Select the data source for the recording results in the following dialog. This information can be obtained from the DriveLock Agent on the local or remote computer or from a pre-existing results file.

  3. In the next dialog you configure the following:

    • Select an application (or multiple applications) and specify whether to use the entire path or only the file name, regardless of where the file is stored. For example, for browsers we recommend that you use the name without the path.
    • Specify the access modes you want to create rules for and whether or not to combine multiple files using wildcards. Never is recommended for the Execute access mode, because it involves only a limited number of files (and rules to be created from them) that do not require combining. When files are written, however, it always makes sense to use wildcards rather than create a rule for each individual file written (even if the number is low).

  4. In the next step, the automatically generated rules are displayed as Autogenerated rule in the node Application behavior rules. The Reaction tab shows that the executing application is allowed (Allow); all other accesses are blocked.

Tip: Create a separate folder for these application behavior rules so that they can be easily distinguished from the existing ones.

Summary: Creating application behavior rules automatically provides a much leaner and clearer set of rules and reduces the time spent on monitoring or analyzing events.
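
The choices in step 3 (file name versus entire path, and wildcard combining per access mode) can be illustrated with a short sketch. This is an added example, not DriveLock code or its results file format: the record layout, the function names generate_rules and covers, the sample paths and the fnmatch-style matching are all assumptions made for illustration.

```python
import fnmatch
import ntpath

APP = r"C:\Program Files\Browser\browser.exe"
PROFILE = r"C:\Users\alice\AppData\Local\Browser"
# Constructed recording results: (application, access mode, accessed file).
RECORDING = [
    (APP, "Execute", APP),
    (APP, "Execute", r"C:\Program Files\Browser\helper.exe"),
    (APP, "Write", r"C:\Users\alice\AppData\Local\Temp\a1.tmp"),
    (APP, "Write", r"C:\Users\alice\AppData\Local\Temp\a2.tmp"),
    (APP, "Write", r"C:\Users\alice\AppData\Local\Temp\a3.tmp"),
    (APP, "Write", PROFILE + r"\Cache\f_0001.dat"),
    (APP, "Write", PROFILE + r"\Cache\f_0002.dat"),
    (APP, "Write", PROFILE + r"\prefs.json"),
]

def generate_rules(recording, match_by_name=True, combine_modes=("Write",)):
    """Return sorted, de-duplicated (application, mode, target) rules."""
    rules = set()
    for app, mode, target in recording:
        # Step 3, first option: file name only, or the entire path.
        app_id = ntpath.basename(app) if match_by_name else app
        if mode in combine_modes:
            # Combine: replace the file name with "*<extension>" in its folder.
            folder, name = ntpath.split(target)
            target = ntpath.join(folder, "*" + ntpath.splitext(name)[1])
        rules.add((app_id, mode, target))
    return sorted(rules)

def covers(rule, app, mode, target, match_by_name=True):
    """True if a rule matches this access (fnmatch semantics are assumed)."""
    app_id = ntpath.basename(app) if match_by_name else app
    return rule[:2] == (app_id, mode) and fnmatch.fnmatchcase(target, rule[2])

if __name__ == "__main__":
    for rule in generate_rules(RECORDING):
        print(rule)
```

With combining enabled only for Write, the eight recorded accesses collapse into five rules, and a temporary file with a new name in the same folder is still covered; with per-file rules it would be blocked until another rule is added.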