Here are some key points to consider when implementing LANDESK EPS File Protection Rules:
Explanation of existing rules:
LANDESK self-protection exception: This first listed rule protects two locations and their contents from being added to, modified, overwritten, or executed (except by programs from signed vendors on the trusted list). The two locations are %LDClient%\Antivirus\Bases\* (which holds the LANDESK® Antivirus pattern files) and the %LDClient%\LDIPMIC.bin file. The Apply to sub-directories option is also selected.
LANDESK self-protection: This second listed rule makes six files read-only. The six protected files hold the LANDESK® Endpoint Security rules for enforcing Application Control, the LANDESK® firewall, and the Device Control Manager. The Apply to sub-directories option is also selected.
LANDESK self-protection: This third listed rule protects five directories used by LANDESK® Management Suite and LANDESK® Security Suite from having other items created in them and from being modified. The Apply to sub-directories option is also selected.
LANDESK self-protection: This fourth listed rule protects three files used by Application Control from being modified.
Dangerous file: This fifth listed rule restricts scripts to read-only access.
Malicious use of Windows FTP (exception list): This sixth listed rule protects TFTP.EXE and FTP.EXE from being read, modified, overwritten, or executed by any program other than those added to the Programs named field.
Malicious use of Windows FTP: This seventh listed rule protects FTP.EXE and TFTP.EXE from being executed by programs other than those carrying a signature from a trusted vendor.
Isolation between scripts and mailer: This eighth listed rule allows MSIMN.EXE and OUTLOOK.EXE to be read only by the specific programs listed in the Programs named field.
Scripts cannot write to the hard-disk: This ninth listed rule stops scripts from being created (including overwritten) or modified, except by programs with a signature from a trusted vendor or by programs added to the Programs named field.
Fake Windows processes: This tenth listed rule protects EXPLORER.EXE from being modified, overwritten, or executed except by trusted files.
DNS host files protection: This eleventh listed rule protects the HOSTS, LMHOSTS.SAM, and NETWORKS files from being modified or overwritten except by trusted files.
Key points to consider:
1. File protection requires "Enable application behavior protection" to be enabled in the EPS settings and configured in blocking mode.
2. When creating a file protection rule, using * in the "Files named" field matches all folders and files; using *.* matches only files, not folders.
3. The file protection rules are stored in firewall.xml inside LANDesk\ManagementSuite\ldlogon\AgentBehaviors\EPSBehavior_CoreName_v***.zip.
4. On the client machine, the LDClient folder is hard-coded as protected.
5. Through remote control File transfer, you can still operate inside a protected folder.
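As an added example (not LANDESK code), the following Python model captures the rule semantics described above so they can be tested against sample accesses: the Files named patterns, the trusted-vendor signature and Programs named exceptions, the Apply to sub-directories option, the * versus *.* distinction from point 2, and the blocking-mode requirement from point 1. The concrete paths, the %LDClient% and %SystemRoot% expansions and the sample rule set are assumptions constructed for the example.

```python
"""Model of the EPS-style file protection rule semantics described on this page.

Added example, not LANDESK code. It mirrors the rule fields named in the text
(Files named, Programs named, trusted-vendor exception, Apply to sub-directories,
blocking mode) so the wildcard and exception behaviour can be exercised.
"""
from dataclasses import dataclass

# Constructed placeholder expansions (assumed install locations, not taken from the page).
ENV = {"%ldclient%": r"c:\program files (x86)\landesk\ldclient",
       "%systemroot%": r"c:\windows"}


def _parts(path: str) -> list[str]:
    """Normalise a Windows path into lower-case components, expanding placeholders."""
    p = path.lower()
    for key, value in ENV.items():
        p = p.replace(key, value)
    return [c for c in p.replace("/", "\\").split("\\") if c]


@dataclass(frozen=True)
class Rule:
    name: str
    files_named: tuple[str, ...]        # path patterns; may end in '*' or '*.*'
    blocked: frozenset[str]             # any of: read, create, modify, overwrite, execute
    apply_to_subdirs: bool = False
    allow_trusted_signed: bool = False  # "signed vendors on the trusted list" exception
    programs_named: frozenset[str] = frozenset()  # "Programs named" exception list


@dataclass(frozen=True)
class Access:
    path: str
    operation: str
    program: str                        # image name of the acting process
    is_dir: bool = False
    trusted_signature: bool = False


def pattern_matches(pattern: str, access: Access, apply_to_subdirs: bool) -> bool:
    """Wildcard semantics from point 2: '*' matches files and folders,
    '*.*' matches files only. Without Apply to sub-directories, only items
    directly inside the pattern's directory match."""
    pat, target = _parts(pattern), _parts(access.path)
    if not pat:
        return False
    if pat[-1] not in ("*", "*.*"):
        return pat == target                      # explicit file name
    base = pat[:-1]
    if len(target) <= len(base) or target[:len(base)] != base:
        return False
    if len(target) - len(base) > 1 and not apply_to_subdirs:
        return False                              # nested item, rule is not recursive
    return not (pat[-1] == "*.*" and access.is_dir)


def evaluate(rules, access: Access, blocking_mode: bool = True):
    """Return (decision, rule name). The first rule whose pattern and blocked
    operation both match decides: its exceptions allow, otherwise it blocks,
    or only reports when behaviour protection is not in blocking mode (point 1)."""
    for rule in rules:
        if access.operation not in rule.blocked:
            continue
        if not any(pattern_matches(p, access, rule.apply_to_subdirs) for p in rule.files_named):
            continue
        if rule.allow_trusted_signed and access.trusted_signature:
            return "allow", rule.name
        if access.program.lower() in rule.programs_named:
            return "allow", rule.name
        return ("block" if blocking_mode else "report"), rule.name
    return "allow", None


# Sample rule set modelled on the rules described above; file paths are assumptions.
RULES = (
    Rule("LANDESK self-protection exception",
         (r"%LDClient%\Antivirus\Bases\*", r"%LDClient%\LDIPMIC.bin"),
         frozenset({"create", "modify", "overwrite", "execute"}),
         apply_to_subdirs=True, allow_trusted_signed=True),
    Rule("Malicious use of Windows FTP",
         (r"%SystemRoot%\System32\ftp.exe", r"%SystemRoot%\System32\tftp.exe"),
         frozenset({"execute"}), allow_trusted_signed=True),
    Rule("DNS host files protection",
         (r"%SystemRoot%\System32\drivers\etc\hosts",),
         frozenset({"modify", "overwrite"}), allow_trusted_signed=True),
    Rule("Constructed '*.*' demo",          # shows that '*.*' leaves folder creation alone
         (r"c:\data\*.*",), frozenset({"create"})),
)

if __name__ == "__main__":
    sample = Access(r"%LDClient%\Antivirus\Bases\sub\pattern.dat", "modify", "unknown.exe")
    print(evaluate(RULES, sample))                      # ('block', 'LANDESK self-protection exception')
    print(evaluate(RULES, sample, blocking_mode=False))  # ('report', 'LANDESK self-protection exception')
```

The evaluation order is first-match, which is why the exception-list variant of a rule (the sixth rule above) is listed before its general counterpart (the seventh): a more specific rule with a Programs named list must be consulted before the broader trusted-vendor rule decides.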