SEPM AppDevCtrl acts as a versatile swiss army-knife, and can be used as a precision tool as well as a general solution. Take care when using it, as it's easy to break your system with a misconfigured rule.
The policies described here place strong rules in effect, it is recommended, that only „Testing mode” is active first – and also on a test system.
After testing, mass distribution of this ruleset can be orchestrated with SEPM Group Management.
Here follows, how to defend critical files (Word and Excel documents, etc.) of an enterprise, from unauthorized access, like a CryptoLocker or Ransomware encryption. Make an Application Control rule with the following in mind:
Monitor every process, except Word, Excel, Windows processes, SEP processes, and legit enterprise applications, like a filing app
Monitor the non-whitelisted processes's file accesses. If the file is a *.doc, *.docx, *.xls or *.xlsx block the access, else allow it.
From testing logs, we can tune our whitelist. After there are no denies in the log on valid applications, distribute the rule to the production system. It is also recommended to run only in test mode for a few days on the live system – there might be legit processes trying to access these files, that did not occur in the test environment.
Naturally the surveilled files/extensions can be broadened, but keep in mind to broaden the whitelisted applications also – and re-test the rule after changes.
You can find the settings for sending mail to administrators at the following link:
https://www-secure.symantec.com/connect/articles/d...
at section 2: "Create a "Notification condition" under Monitors/Notifications:"