Purpose: To prevent attacks against VMware App Volumes.
Description: Prevents attackers from impersonating or writing to VMware App Volumes AppStacks while still allowing writable areas to be modified.
Enabled by Default: No
Platform: Windows
Minimum Agent Version Required: 8.7.4
Rapid Config Settings
As with most rapid configs, you can:
- Enable or disable the rapid config.
- Specify which policies the rapid config applies to.
- Protect writes to App Volumes locations
  Block writes to the specified VMware App Volumes locations except by specific processes and to specific subdirectory locations.
  This heading is displayed for information purposes.
- Report or Block Writes:
  Should file writes to the specified VMware App Volumes locations be reported or blocked?
  You should validate that legitimate writes would not be blocked before enabling blocking.
- Block Writes Here:
  File writes here will be blocked unless allowed by the subsequent rules. You can add and remove items from the list.
  - c:\SnapVolumesTemp\MountPoints\*
  - c:\{00000000-0000-0000-0000-000000000000}\svroot\snapvolumestemp\mountpoints\*
- Do Not Block Writes By This Process And Publisher To The Above Locations:
  File writes by this process to the above location will not be blocked when the process is signed by the publisher below. Svservice is an App Volumes process. The selection is svservice.exe. You can add and remove items from the list.
- Process Publisher:
  File writes by the above process to the above location will not be blocked if the process is signed by this publisher.
  This is a single-value field. The value can contain wildcards. For example, *Microsoft* matches all publisher names that contain the word Microsoft.
- Do Not Block Writes By These Processes To The Above Locations:
  File writes by these processes will not be blocked. No values are specified. You can add and remove items.
- Do Not Block Writes Here By Any Process:
  File writes to this location by any process will not be blocked. These are the locations for temporary and writable volumes.
  - c:\SnapVolumesTemp\MountPoints\{????????-????-????-????-????????????}\?*
  - c:\{00000000-0000-0000-0000-000000000000}\svroot\snapvolumestemp\mountpoints\{????????-????-????-????-????????????}\?*
- Settings Apply To:
  By default, the settings apply to all current and future policies. Alternatively, you can select Selected Policies and choose from the list.
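
To check how the lists above combine before switching from reporting to blocking, the following added example (not part of the product or its documentation) models the rule order described in the settings and evaluates a file write against it. It assumes that `?` matches exactly one character, that `*` matches any run of characters, that matching is case-insensitive, and that processes are matched by file name; the publisher value is a placeholder because none is given here.

```python
import re

# Patterns copied from the "Block Writes Here" list.
BLOCK_WRITES_HERE = [
    r"c:\SnapVolumesTemp\MountPoints\*",
    r"c:\{00000000-0000-0000-0000-000000000000}\svroot\snapvolumestemp\mountpoints\*",
]
# Patterns copied from the "Do Not Block Writes Here By Any Process" list.
DO_NOT_BLOCK_HERE = [
    r"c:\SnapVolumesTemp\MountPoints\{????????-????-????-????-????????????}\?*",
    r"c:\{00000000-0000-0000-0000-000000000000}\svroot\snapvolumestemp\mountpoints"
    r"\{????????-????-????-????-????????????}\?*",
]
ALLOWED_PROCESS = "svservice.exe"          # selection named in the settings
ALLOWED_PUBLISHER = "*Example Publisher*"  # placeholder: no publisher value is given
ALLOWED_PROCESSES_ANY_PUBLISHER = []       # "No values are specified"


def wildcard_match(pattern, value):
    """Assumed semantics: '?' = one character, '*' = any run, case-insensitive."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


def evaluate_write(path, process_name, publisher):
    """Return 'not-covered', 'allowed' or 'blocked' for one file write."""
    # Writes outside the protected locations are not affected by this rapid config.
    if not any(wildcard_match(p, path) for p in BLOCK_WRITES_HERE):
        return "not-covered"
    # Exception 1: the named process, but only when signed by the listed publisher.
    if wildcard_match(ALLOWED_PROCESS, process_name) and wildcard_match(
        ALLOWED_PUBLISHER, publisher
    ):
        return "allowed"
    # Exception 2: additional processes, allowed without a publisher check.
    if any(wildcard_match(p, process_name) for p in ALLOWED_PROCESSES_ANY_PUBLISHER):
        return "allowed"
    # Exception 3: temporary and writable volume locations, open to any process.
    if any(wildcard_match(p, path) for p in DO_NOT_BLOCK_HERE):
        return "allowed"
    return "blocked"
```

Under these assumptions a process named svservice.exe that is not signed by the listed publisher is still blocked, and a write to the GUID-named directory itself (nothing after the trailing backslash) does not match the `\?*` exception.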