You can create memory rules that apply to all Windows computers, regardless of which user and what process attempts to access the process you specify. You can also create a more focused scope for a rule by specifying one or more of the following criteria.
- Source-process-specific – You can make a rule apply only when a particular source process attempts to access the target process you are monitoring or protecting.
- User- or group-specific – You can make the rule apply only to a particular user or group of users.
- Policy-specific – You can choose to limit a rule to computers in specified policies.
- Server-specific – If you have Unified Management enabled, you can limit a rule to computers reporting to specified servers in the management group. For more details, see Unified Management of Rules.
- Rule order – Memory rules are evaluated in order of Rank, a column that is displayed by default on the Memory Rules table. The rule ranked ‘1’ has the highest rank. You can change the order of rules to have a more specific rule evaluated before a more general one.
For example, you can create a rule that applies when a particular user attempts to access a process, and put that before a rule that applies when any other user attempts to access the process.
For more details, see Change the Rank of a Memory Rule.
- Conditional Macros – You can use certain macros to restrict the conditions under which specific parameters in rules are applied. Only agents meeting the “test” described in the macro attempt to match the parameter prefixed with the macro. Most of these macros are OnlyIf macros with different arguments, such as <OnlyIf:OSVersionIs:10.6.8> and <OnlyIf:HostName:*SMITH-1*>.
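The following is an added example, not part of the product documentation: a simplified Python model of rank-ordered evaluation, showing how a general rule ranked first keeps a user-specific rule from ever being reached, plus a check that flags such ordering. The `MemoryRule` fields, the first-match-wins behavior, the action labels, and the sample rules are assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Simplified model. Field names and first-match-wins semantics are assumptions
# for illustration; this is not the product's rule schema or engine.
@dataclass(frozen=True)
class MemoryRule:
    rank: int              # 1 is evaluated first
    name: str
    target: str            # process being monitored or protected
    source: str = "*"      # process attempting the access
    user: str = "*"        # user or group attempting the access
    action: str = "block"

    def matches(self, target, source, user):
        pairs = ((target, self.target), (source, self.source), (user, self.user))
        return all(fnmatchcase(v.lower(), p.lower()) for v, p in pairs)

def evaluate(rules, target, source, user):
    """Return the first rule, in rank order, whose scope matches the access."""
    for rule in sorted(rules, key=lambda r: r.rank):
        if rule.matches(target, source, user):
            return rule
    return None

def covers(general, specific):
    """Sound but incomplete: a field covers another if it is '*' or identical."""
    fields = ((general.target, specific.target), (general.source, specific.source),
              (general.user, specific.user))
    return all(g == "*" or g.lower() == s.lower() for g, s in fields)

def shadowed(rules):
    """List (rule, shadowing_rule) pairs where an earlier rank makes a rule unreachable."""
    ordered = sorted(rules, key=lambda r: r.rank)
    return [(low.name, high.name)
            for i, low in enumerate(ordered)
            for high in ordered[:i] if covers(high, low)]

# Constructed sample rules: the general rule is ranked above the specific one.
MISORDERED = [
    MemoryRule(1, "any-user", "dbserver.exe", action="block"),
    MemoryRule(2, "secadmin-only", "dbserver.exe", user="CORP\\secadmin", action="report"),
]
# Same rules with the specific rule moved to rank 1.
CORRECTED = [
    MemoryRule(2, "any-user", "dbserver.exe", action="block"),
    MemoryRule(1, "secadmin-only", "dbserver.exe", user="CORP\\secadmin", action="report"),
]
```

Running `shadowed()` over an exported rule list before changing ranks shows which specific rules would never be evaluated.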
There are certain restrictions on where memory rules are effective:
- A memory rule cannot be used to protect a process from itself.
For example, you cannot create a rule that prevents a process from terminating itself, or from modifying its own memory.
- Memory rules are not supported on Mac or Linux computers, or computers running Windows Server 2003 64-bit.
- Kernel Memory Access rules are supported only on computers running Windows XP.
- Dynamic Code Execution rules are supported only on 32-bit versions of Windows XP, Windows 2003, Windows Vista, and Windows 7. They are not supported on any 64-bit Windows operating systems, nor are they supported on any Windows 8 or 10 versions.
- For computers in Visibility mode policies, memory rules that block writing or prompt users for a decision act as report-only rules, and do not block or prompt.