Notifications that include suspicious pathname entries have a Directories tab on their External Notification Details page, providing information about the directories that might be compromised.

On this tab, you can select one or more directories and:

  • Ban the process that tried to access the directory
  • Remove previously created process bans or approvals
  • Create a Custom Rule to control access to this location

Process bans created in this context behave like the file bans created on any of the Files tabs. The Create Custom Rule command offers a broader set of options, as described in the procedure below.

Procedure

  1. In the Notification Details page of interest, click the Directories tab.
  2. Check the boxes next to the Directories for which you want to create a rule.
  3. On the Action menu, click Create Custom Rule. The Add Custom Rule page appears, with rule name and settings already filled in with details from the notification.

    By default, a rule created in this way blocks writes to the named directories by the processes identified in the notification, and does so for all users and all policies. You can modify these settings before you save the rule. Among the options on the Execute Action menu, you can select Report, which means that activity at this location is reported but not blocked. If you are unsure of how best to configure a rule, see Creating a Custom Rule. You can Cancel the rule without saving it if you would like to investigate the rule parameters first.

    Caution: Some options on the rule menus Allow activity at the named locations, and some even Promote processes so that they run with more privileges than they previously had. If you alter the pre-populated values, review your choices on these menus carefully before saving.
  4. Modify the rule as you choose, and then click the Save button. The new rule is created and appears on the Custom tab of the Software Rules page in the console.