Symantec
Symantec™ Data Center Security: Server
 Global Policy Options |
| Resource Lists |
| Read-only Resource Lists |
 Block modifications to these files |
 List of files that should not be modified |
 Value="%%-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\MOF Self-Install Directory%%" |
| Value="%%-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\MOF Self-Install Directory%%\*" |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| global inbound address list |
| Local IPs (v4 and v6) |
| Local Subnet addresses (v4 and v6) |
| Globally set the default inbound rules to deny. |
| Outbound |
| Components |
| Outbound hosts list |
| global outbound address list |
| Local IPs (v4 and v6) |
| Local Subnet addresses (v4 and v6) |
| Globally set the default outbound rules to deny. |
| Process Logging Options |
| Log process assignment messages |
| Log process assignment command line arguments |
| Global Policy Lists |
| List of executable file extensions [global_exe_extensions_list] |
| Executable File Extensions list |
| *.exe |
| *.bat |
| *.com |
| *.dll |
| *.cpl |
| *.pif |
| *.vbe |
| *.vbs |
| *.shs |
| *.shb |
| *.scr |
| *.cmd |
| *.js |
| *.jse |
| *.wsh |
| *.wsf |
| *.reg |
| *.hta |
| *.ocx |
| *.msc |
| *.msi |
| *.sys |
| *.ps1 |
| *.msp |
| *.msu |
| *.plg |
| *.ime |
| *.Manifest |
| *.drv |
| *.tsp |
| List of processes that services should not start [global_svc_child_norun_list] |
| Processes services should not start list |
| Program="%systemroot%\system32\rundll32.exe", SignatureFlags="Q01" |
| Program="%systemroot%\system32\cmd.exe", SignatureFlags="Q01" |
| Program="%systemroot%\system32\cscript.exe", SignatureFlags="Q01" |
| Program="%systemroot%\system32\java.exe", SignatureFlags="Q01" |
| Program="%systemroot%\system32\javaw.exe", SignatureFlags="Q01" |
| Program="%systemroot%\system32\wscript.exe", SignatureFlags="Q01" |
| Program="%systemroot%\system32\net.exe", SignatureFlags="Q01" |
| Program="%systemroot%\system32\net1.exe", SignatureFlags="Q01" |
| Program="%systemroot%\system32\wbem\mofcomp.exe" |
| Program="%systemroot%\system32\ftp.exe", SignatureFlags="Q01" |
| Program="%systemroot%\system32\tftp.exe", SignatureFlags="Q01" |
| Program="%systemroot%\system32\rcp.exe", SignatureFlags="Q01" |
| Program="%systemroot%\system32\telnet.exe", SignatureFlags="Q01" |
| Program="%systemroot%\system32\rexec.exe", SignatureFlags="Q01" |
| Program="%systemroot%\system32\rsh.exe", SignatureFlags="Q01" |
| Program="%systemroot%\system32\mstsc.exe", SignatureFlags="Q01" |
| Program="%systemroot%\system32\shutdown.exe", SignatureFlags="Q01" |
| Program="%systemroot%\system32\taskkill.exe", SignatureFlags="Q01" |
| Program="%systemroot%\system32\netsh.exe", SignatureFlags="Q01" |
| Program="%systemroot%\system32\arp.exe", SignatureFlags="Q01" |
| Program="%systemroot%\system32\nbtstat.exe", SignatureFlags="Q01" |
| Program="*\osql.exe", SignatureFlags="Q01" |
| Program="*\sqlcmd.exe", SignatureFlags="Q01" |
| Program="*\command.com", SignatureFlags="Q01" |
| Program="*\powershell.exe", SignatureFlags="Q01" |
| Allow services to run these programs if using specific arguments. [global_svc_child_norun_except_list] |
| Exception List |
| Program="%systemroot%\system32\rundll32.exe", Arguments="&ci; %systemroot%\system32\rundll32.exe %systemroot%\system32\pla.dll* *", SignatureFlags="Q01" |
| Program="%systemroot%\system32\rundll32.exe", Arguments="&ci; * newdev.dll* *", SignatureFlags="Q01" |
| Program="%systemroot%\system32\rundll32.exe", Arguments="&ci; * //d sdengin2.dll,ExecuteScheduledBackup *", SignatureFlags="Q01" |
| Program="%systemroot%\system32\rundll32.exe", Arguments="&ci; * //d srrstr.dll,ExecuteScheduledSPPCreation *", SignatureFlags="Q01" |
| Program="%systemroot%\system32\rundll32.exe", Arguments="&ci; * aepdu.dll,AePduRunUpdate *", SignatureFlags="Q01" |
| Program="%systemroot%\system32\rundll32.exe", Arguments="&ci; * //d acproxy.dll,PerformAutochkOperations *", SignatureFlags="Q01" |
| Program="%systemroot%\syswow64\rundll32.exe", Arguments="&ci; %systemroot%\syswow64\rundll32.exe %systemroot%\syswow64\schedsvc.dll* *", SignatureFlags="Q01" |
| Program="%systemroot%\system32\rundll32.exe", Arguments="&ci; %systemroot%\system32\rundll32.exe %systemroot%\system32\schedsvc.dll* *", SignatureFlags="Q01" |
| Program="%systemroot%\syswow64\rundll32.exe", Arguments="&ci; %systemroot%\syswow64\rundll32.exe "%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Content\VirusDefs%%\*\cceraser.dll"* *", SignatureFlags="Q01" |
| Program="%systemroot%\system32\rundll32.exe", Arguments="&ci; %systemroot%\system32\rundll32.exe "%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Content\VirusDefs%%\*\cceraser.dll"* *", SignatureFlags="Q01" |
| List of modules to route to the Fully Open sandbox [global_fully_open_sandbox_module_list] |
| Modules to route to the Fully Open sandbox |
| %systemroot%\SYSTEM32\GPSVC.DLL |
| Domain Controller Settings |
| Data Protection |
| File Data |
| Block all access to the following files |
| Application data that should not be accessed |
| %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\DSA Database file%% |
| %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory%%\*edb* |
| %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Database backup path%% |
| %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Database log files path%%\*.log |
| %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\Sysvol%% |
| %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\Database Directory%%\* |
| %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Working Directory%%\jet\* |
| \Device\HarddiskVolume?\WINDOWS\SYSVOL\* |
| Registry Key Data |
| Block modifications to the following Registry keys |
| Application data that is read-only |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\* |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ntds\* |
| Application Sandbox Options |
| Host Security Programs [hsecurity_ps] |
| Basic Options |
| Host Security programs installed |
| List of Host Security programs |
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\NAV%%\Navw32.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\NAV%%\Navwnt.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\NAV%%\SAVScan.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\NAV%%\ccIMScn.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\NAV%%\navapsvc.exe |
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\NAV%%\NAVAPW32.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\NAV%%\OPScan.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\NAV%%\IWP\NPFMntor.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedUsage\LiveUpdate%%\LuComServer*.EXE |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedUsage\LiveUpdate%%\NDETECT.EXE |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%ccApp.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%LiveReg\IRALRSHL.EXE |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%Script Blocking\SBServ.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%SNDSrvc.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\SAVCE%%Rtvscan.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\SAVCE%%SavRoam.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Agent\Install Dir%%\mcagent.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Agent\Install Dir%%\mcregwiz.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Agent\Install Dir%%\mcupdate.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Agent\Install Dir%%\mcupdmgr.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Virusscan Online\Install Dir%%\McShield.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Virusscan Online\Install Dir%%\McVSEscn.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Virusscan Online\Install Dir%%\mcvsftsn.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Virusscan Online\Install Dir%%\mcvsmap.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Virusscan Online\Install Dir%%\mcvsrte.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion\szInstallDir%%csscan.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion\szInstallDir%%Mcshield.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion\szInstallDir%%mcupdate.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion\szInstallDir%%scan32.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\Shared Components\VirusScan Engine\4.0.XX\szInstallDir%%Scan.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\Shared Components\Framework\Installed Path%%\FrameworkService.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\Application Path%%Tmntsrv.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\Application Path%%TSC.EXE |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Application Path%%TSC.EXE |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Application Path%%PccNTMon.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Application Path%%TmListen.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%ccEvtMgr.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%ccSetMgr.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%ccProxy.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%ccSvcHst.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Symantec Shared Directory%%\CfgWiz.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Savrt%%\DoScan.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\SSCADMIN%%Deployment\Server Rollout\SETUP.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\SSCADMIN%%Deployment\ClientRemote Installation\clientremote.exe |
| %programfiles%\NAV\rtvscan.exe |
| %programfiles%\CA\etrust EZ Armor\etrust EZ Antivirus\autodown.exe |
| %programfiles%\CA\etrust EZ Armor\etrust EZ Antivirus\vet32.exe |
| %programfiles%\NavNT\rtvscan.exe |
| %programfiles%\McAfee.com\shared\mghtml.exe |
| %programfiles%\Symantec\LiveUpdate\*.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Sygate Technologies, Inc.\Sygate Personal Firewall\smc_install_path%%smc.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Internet Security%%\SymSPort.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Internet Security%%\fio.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\LiveState Recovery\3.0\InstallDir%%Agent\VProSvc.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\LiveState Recovery\6.0\InstallDir%%Agent\VProSvc.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SEPM\TargetDir%%*.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_install_path%%*.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\SAV Install Directory%%smc.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Altiris Agent\InstallDir%%\AeXNSAgent.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%Reporting Agents\Win32\ReporterSvc.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%SPBBC\SPBBCSvc.exe |
| %programfiles%\Symantec\Symantec Endpoint Protection\*.exe |
| %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Backup Exec System Recovery\ImagePath%% |
| %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BackupExecRPCService\ImagePath%% |
| %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BackupExecAgentAccelerator\ImagePath%% |
| %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BackupExecJobEngine\ImagePath%% |
| %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DLOMaintenanceSvc\ImagePath%% |
| %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DLOAdminSvcu\ImagePath%% |
| %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BackupExecDeviceMediaService\ImagePath%% |
| %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BackupExecAgentBrowser\ImagePath%% |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Internet Security%%SymSPort.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Internet Security%%fio.exe |
| %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Savrt%%vpdn_lu.exe |
| %programfiles%\Symantec Client Security\Symantec AntiVirus\vpdn_lu.exe |
| %programfiles%\Windows Defender\msascui.exe |
| %%-HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\mfevtp\ImagePath%%\* |
| %programfiles%\ActivIdentity\ActivClient\accrdsub.exe |
| %%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection\szInstallDir%%\* |
| Advanced Options |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Block unusual memory allocations |
| Exceptions for unusual memory allocations |
| List of program exceptions for unusual memory allocations |
| Action="Allow", Log="Do not log", Program="%programfiles%\Symantec\Symantec Endpoint Protection\*.exe" |
| Action="Allow", Log="Do not log", Program="%programfiles%\Symantec AntiVirus\*.exe" |
| Action="Allow", Log="Do not log", Program="%commonprogramfiles%\Symantec Shared\*.exe" |
| Action="Allow", Log="Do not log", Program="%programfiles%\Symantec\LiveUpdate\*.exe" |
| Block unusual memory permission changes |
| Exceptions for unusual memory permission changes |
| List of program exceptions for unusual memory permission changes |
| Action="Allow", Log="Do not log", Program="%programfiles%\Symantec\Symantec Endpoint Protection\*.exe" |
| Action="Allow", Log="Do not log", Program="%programfiles%\Symantec AntiVirus\*.exe" |
| Action="Allow", Log="Do not log", Program="%commonprogramfiles%\Symantec Shared\*.exe" |
| Action="Allow", Log="Do not log", Program="%programfiles%\Symantec\LiveUpdate\*.exe" |
| Block turning off Data Execution Prevention (DEP) |
| Exceptions for turning off Data Execution Prevention (DEP) |
| List of program exceptions for turning off DEP |
| Action="Deny", Log="Log as trivial", Program="%programfiles%\Symantec\Symantec Endpoint Protection\*.exe" |
| Action="Deny", Log="Log as trivial", Program="%programfiles%\Symantec AntiVirus\*.exe" |
| Action="Deny", Log="Log as trivial", Program="%commonprogramfiles%\Symantec Shared\*.exe" |
| Action="Deny", Log="Log as trivial", Program="%programfiles%\Symantec\LiveUpdate\*.exe" |
| Process Access Controls |
| Full Access Process Access Controls |
| Allow full access to these processes |
| List of processes to give full access to |
| TargetProgram="%systemroot%\System32\winlogon.exe", Program="%%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_install_path%%smc.exe" |
| Limited Access Process Access Controls |
| Block and log modifications to these processes as trivial |
| List of processes that should not be modified |
| TargetProgram="%systemroot%\System32\lsass.exe" |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| av inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| sav tcp-fixed (2967) |
| sav tcp-dynamic |
| sep server default port (8443) |
| sep database default port (2638) |
| sep admin port (9090) |
| altiris tcp port |
| Inbound udp port list |
| List of Inbound udp ports |
| altiris udp port1 |
| altiris udp port2 |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="Any (0-65535)", RemoteIP="Local IPs (v4 and v6)", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="Any (0-65535)", RemoteIP="Local IPs (v4 and v6)", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Allow |
| Default inbound rule log setting |
| Log when denied |
| Outbound |
| Components |
| Outbound hosts list |
| av outbound address list |
| Any |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| sav tcp-fixed (2967) |
| sav tcp-dynamic |
| sep server default port (8443) |
| sep database default port (2638) |
| Any (0-65535) |
| Outbound udp port list |
| List of outbound udp ports |
| high (1024-65535) |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Allow |
| Default outbound rule log setting |
| Log when denied |
| Sandbox Execution Options |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Internet Explorer [iexplore_ps] |
| Basic Options |
| Disable execution of specific programs |
| List of programs Internet Explorer should not execute |
| Program="%systemroot%\system32\cmd.exe" |
| Restrict Internet Explorer network access |
| Advanced Options |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Block modifications to windows services |
| Basic Operating System Restrictions |
| Protect auto start locations |
| Protect operating system resources |
| Protect the raw local disk device |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Process Access Controls |
| Full Access Process Access Controls |
| Allow full access to these processes |
| List of processes to give full access to |
| TargetProgram="%systemroot%\explorer.exe", Program="%programfiles%\Internet Explorer\iexplore.exe" |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| iexplore inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound network rules |
| List of rules to control connections into this system |
| RemoteIP="Local IPs (v4 and v6)", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="Local IPs (v4 and v6)", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemotePort="ftp-data (20)", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Allow |
| Default inbound rule log setting |
| Log when denied |
| Outbound |
| Components |
| Outbound hosts list |
| iexplore outbound address list |
| Any |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| http (80) |
| https (443) |
| epmap (135) |
| ldap (389) |
| ftp (21) |
| 8081 |
| sep server default port (8443) |
| sep admin port (9090) |
| high (1024-65535) |
| Outbound udp port list |
| List of outbound udp ports |
| domain (53) |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="Local IPs (v4 and v6)", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="Local IPs (v4 and v6)", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="high (1024-65535)", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Deny |
| Default outbound rule log setting |
| Log |
| Sandbox Execution Options |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Internet Information Services [iis_ps] |
| Advanced Options |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Block modifications to windows services |
| Basic Operating System Restrictions |
| Protect auto start locations |
| Protect operating system resources |
| Protect the raw local disk device |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Block unusual memory allocations |
| Block unusual memory permission changes |
| Block turning off Data Execution Prevention (DEP) |
| Resource Lists |
| Writable Resource Lists |
| Allow modifications to these files |
| List of files that can be modified |
| Value="%systemdrive%\inetpub\temp" |
| Value="%systemdrive%\inetpub\temp\*" |
| Network Controls |
| Inbound |
| Components |
| Enable access to mail-related resources |
| Mail ports used by iis |
| pop3 (110) |
| pop3s (995) |
| imap (143) |
| imaps (993) |
| smtp (25) |
| ssmtp (465) |
| msexch-routing (691) |
| Enable access to news-related resources |
| IIS news ports |
| nntp (119) |
| nntps (563) |
| Enable access to FTP-related resources |
| IIS news ports |
| ftp (21) |
| ftp-data (20) |
| Inbound hosts list |
| iis inbound address list |
| Local IPs (v4 and v6) |
| Inbound tcp port list |
| List of Inbound tcp ports |
| http (80) |
| https (443) |
| high (1024-65535) |
| ldap (389) |
| ldaps (636) |
| msft-gc (3268) |
| msft-gc-ssl (3269) |
| smtp (25) |
| Inbound udp port list |
| List of Inbound udp ports |
| high (1024-65535) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Deny |
| Default inbound rule log setting |
| Log |
| Outbound |
| Components |
| Outbound hosts list |
| iis outbound address list |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| ldap (389) |
| ldaps (636) |
| msft-gc |
| msft-gc-ssl |
| epmap (135) |
| domain (53) |
| msexch-routing (691) |
| smtp (25) |
| ssmtp (465) |
| high (1024-65535) |
| Outbound udp port list |
| List of outbound udp ports |
| domain (53) |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Deny |
| Default outbound rule log setting |
| Log |
| Sandbox Execution Options |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Microsoft Exchange Server [exchange_ps] |
| Advanced Options |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Block modifications to windows services |
| Basic Operating System Restrictions |
| Protect auto start locations |
| Protect operating system resources |
| Protect the raw local disk device |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Block unusual memory allocations |
| Block unusual memory permission changes |
| Block turning off Data Execution Prevention (DEP) |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| exchange inbound address list |
| Local IPs (v4 and v6) |
| Any |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| high (1024-65535) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="high (1024-65535)", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Deny |
| Default inbound rule log setting |
| Log |
| Outbound |
| Components |
| Outbound hosts list |
| exchange outbound address list |
| Any |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| domain (53) |
| http (80) |
| https (443) |
| imap (143) |
| imaps (993) |
| irc (194) |
| ircs (994) |
| ldap (389) |
| ldaps (636) |
| nntp (119) |
| nntps (563) |
| pop3 (110) |
| pop3s (995) |
| epmap (135) |
| smtp (25) |
| ssmtp (465) |
| msft-gc |
| msft-gc-ssl |
| msexch-routing (691) |
| netbios-session (139) |
| high (1024-65535) |
| Outbound udp port list |
| List of outbound udp ports |
| domain (53) |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Deny |
| Default outbound rule log setting |
| Log |
| Sandbox Execution Options |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Microsoft Office [msoffice_ps] |
| Basic Options |
| Restrict registry access of Microsoft Office programs |
| Advanced Options |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Block modifications to windows services |
| Basic Operating System Restrictions |
| Protect auto start locations |
| Protect operating system resources |
| Protect the raw local disk device |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Process Access Controls |
| Full Access Process Access Controls |
| Allow full access to these processes |
| List of processes to give full access to |
| TargetProgram="%programfiles%\Microsoft Office\Office*\*.exe", Program="%systemroot%\splwow64.exe" |
| Limited Access Process Access Controls |
| Block and log modifications to these processes as trivial |
| List of processes that should not be modified |
| TargetProgram="%systemroot%\explorer.exe", Program="%programfiles%\Microsoft Office\Office*\*.exe" |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| msoffice inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| Any (0-65535) |
| Inbound udp port list |
| List of Inbound udp ports |
| Any (0-65535) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="high (1024-65535)", RemoteIP="sandbox specific outbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Allow |
| Default inbound rule log setting |
| Log when denied |
| Outbound |
| Components |
| Outbound hosts list |
| msoffice outbound address list |
| Any |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| Any (0-65535) |
| Outbound udp port list |
| List of outbound udp ports |
| Any (0-65535) |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific inbound hosts component", RemotePort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Allow |
| Default outbound rule log setting |
| Log when denied |
| Sandbox Execution Options |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Microsoft SQL Server [mssqlsrv_ps] |
| Advanced Options |
| Microsoft SQL Server Application Data Protection |
| Microsoft SQL Server Application File Data |
| Block all access to the following Microsoft SQL Server files |
| Application data that should not be accessed |
| %%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Setup\SQLPath%%\Data\* |
| %%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Setup\SQLDataRoot%%\Data\* |
| \Device\HarddiskVolume?*\MSSQL\DATA\* |
| %%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Setup\SQLPath%%\Backup\* |
| \Device\HarddiskVolume?*\MSSQL\Backup\* |
| %%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Setup\SQLPath%%\repldata\* |
| \Device\HarddiskVolume?*\MSSQL\repldata\* |
| Block modifications to the following Microsoft SQL Server files |
| Application data that is read-only |
| %%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Setup\SQLPath%%\Logs\* |
| %%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Setup\SQLPath%%\LOG\* |
| %%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Setup\SQLPath%%LogFiles\* |
| \Device\HarddiskVolume?*\MSSQL\Logs\* |
| %%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Setup\SQLPath%%\Template Data\* |
| \Device\HarddiskVolume?*\MSSQL\Template Data\* |
| %%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Setup\SQLPath%%\JOBS\* |
| \Device\HarddiskVolume?*\MSSQL\JOBS\* |
| %%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Setup\SQLPath%%\Binn\* |
| \Device\HarddiskVolume?*\MSSQL\Binn\* |
| %%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Setup\SQLPath%%\Install\* |
| \Device\HarddiskVolume?*\MSSQL\Install\* |
| %programfiles%\Microsoft SQL Server\* |
| Microsoft SQL Server Application Registry Key Data |
| Block modifications to the following Microsoft SQL Server Registry keys |
| Application data that is read-only |
| \Registry\Machine\SOFTWARE\Microsoft\Microsoft SQL Server |
| \Registry\Machine\SOFTWARE\Microsoft\Microsoft SQL Server\* |
| \Registry\Machine\SOFTWARE\Microsoft\MSSQLServer |
| \Registry\Machine\SOFTWARE\Microsoft\MSSQLServer\* |
| \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\MICROSOFT SQL SERVER\%%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\InstalledInstances%% |
| \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\MICROSOFT SQL SERVER\%%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\InstalledInstances%%\* |
| \REGISTRY\MACHINE\Software\Microsoft\Microsoft SQL Server\MSSQL.* |
| \REGISTRY\MACHINE\Software\Microsoft\Microsoft SQL Server\*\MSSQLServer |
| \REGISTRY\MACHINE\Software\Microsoft\Microsoft SQL Server\*\MSSQLServer\* |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Block modifications to windows services |
| Basic Operating System Restrictions |
| Protect auto start locations |
| Protect operating system resources |
| Protect the raw local disk device |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Block unusual memory allocations |
| Exceptions for unusual memory allocations |
| List of program exceptions for unusual memory allocations |
| Action="Allow", Log="Do not log", Program="*\sqlservr.exe" |
| Block unusual memory permission changes |
| Block turning off Data Execution Prevention (DEP) |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| mssqlsrv inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| ms-sql-s (1433) |
| ms-sql-s1 (dynamic) |
| ms-sql-s2 (dynamic) |
| ms-sql-s3 (dynamic) |
| Inbound udp port list |
| List of Inbound udp ports |
| ms-sql-m (1434) |
| ms-sql-m1 (dynamic) |
| Inbound network rules |
| List of rules to control connections into this system |
| RemoteIP="Local IPs (v4 and v6)", RemotePort="ms-sql-m (1434)", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="Local IPs (v4 and v6)", RemotePort="ms-sql-m1 (dynamic)", Protocol="UDP", Action="Disabled", Log="Do not log" |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Deny |
| Default inbound rule log setting |
| Log |
| Outbound |
| Components |
| Outbound hosts list |
| mssqlsrv outbound address list |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| epmap (135) |
| high (1024-65535) |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="Local IPs (v4 and v6)", RemotePort="ms-sql-m (1434)", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="Local IPs (v4 and v6)", RemotePort="ms-sql-m1 (dynamic)", Protocol="UDP", Action="Disabled", Log="Do not log" |
| RemotePort="ms-sql-m (1434)", Protocol="UDP", Action="Deny", Log="Log as trivial" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Deny |
| Default outbound rule log setting |
| Log |
| Sandbox Execution Options |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Outlook & Outlook Express [outlook_ps] |
| Advanced Options |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Block modifications to windows services |
| Basic Operating System Restrictions |
| Protect auto start locations |
| Protect operating system resources |
| Protect the raw local disk device |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Process Access Controls |
| Full Access Process Access Controls |
| Allow full access to these processes |
| List of processes to give full access to |
| TargetProgram="%systemroot%\explorer.exe", Program="%programfiles%\Outlook Express\msimn.exe" |
| TargetProgram="%systemroot%\system32\ctfmon.exe", Program="%programfiles%\Outlook Express\msimn.exe" |
| TargetProgram="%systemroot%\explorer.exe", Program="%programfiles%\Microsoft Office\Office12\OUTLOOK.EXE" |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| outlook inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| Any (0-65535) |
| Inbound udp port list |
| List of Inbound udp ports |
| Any (0-65535) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="high (1024-65535)", RemoteIP="sandbox specific outbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Allow |
| Default inbound rule log setting |
| Log when denied |
| Outbound |
| Components |
| Outbound hosts list |
| outlook outbound address list |
| Any |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| Any (0-65535) |
| Outbound udp port list |
| List of outbound udp ports |
| Any (0-65535) |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific inbound hosts component", RemotePort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Allow |
| Default outbound rule log setting |
| Log when denied |
| Sandbox Execution Options |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Oracle RDBMS [oracledb_ps] |
| Advanced Options |
| Oracle RDBMS Application Data Protection |
| Oracle RDBMS Application File Data |
| Block all access to the following Oracle RDBMS Program files |
| Application data that should not be accessed |
| \Device\HarddiskVolume?*\app\**\oradata\* |
| \Device\HarddiskVolume?*\app\**\flash_recovery_area\* |
| Block modifications to the following Oracle RDBMS Program files |
| Application data that is read-only |
| \Device\HarddiskVolume?*\app\** |
| \Device\HarddiskVolume?\Oracle*\** |
| Oracle RDBMS Application Registry Key Data |
| Block modifications to the following Oracle RDBMS Program Registry keys |
| Application data that is read-only |
| \Registry\Machine\SOFTWARE\ORACLE\** |
| \Registry\Machine\SOFTWARE\ORACLE |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Block modifications to windows services |
| Basic Operating System Restrictions |
| Protect auto start locations |
| Protect operating system resources |
| Protect the raw local disk device |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Block unusual memory allocations |
| Block unusual memory permission changes |
| Block turning off Data Execution Prevention (DEP) |
| Process Access Controls |
| Full Access Process Access Controls |
| Allow full access to these processes |
| List of processes to give full access to |
| TargetProgram="*\PRODUCT\1*\*\BIN\ORACLE.EXE", Program="*\BIN\EMAGENT.EXE" |
| TargetProgram="*\PRODUCT\1*\*\BIN\ORACLE.EXE", Program="*\BIN\TNSLSNR.EXE" |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| oracledb inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| 0.0.0.1 |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="1158", RemoteIP="sandbox specific inbound hosts component", RemotePort="dynamic (49152-65535)", Protocol="TCP", Action="allow", Log="Do not log", Program="*\jdk\bin\java.exe" |
| LocalPort="1521-1527", RemoteIP="sandbox specific inbound hosts component", RemotePort="dynamic (49152-65535)", Protocol="TCP", Action="Allow", Log="Do not log", Program="*\bin\tnslsnr.exe" |
| LocalPort="2030", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log", Program="*\bin\omtsreco.exe" |
| LocalPort="3938", RemoteIP="sandbox specific outbound hosts component", RemotePort="dynamic (49152-65535)", Protocol="TCP", Action="Allow", Log="Do not log", Program="*\bin\emagent.exe" |
| LocalPort="8080", RemoteIP="sandbox specific inbound hosts component", RemotePort="dynamic (49152-65535)", Protocol="TCP", Action="Allow", Log="Do not log", Program="*\bin\tnslsnr.exe" |
| LocalPort="10000", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log", Program="*\bin\emagent.exe" |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Deny |
| Default inbound rule log setting |
| Log |
| Outbound |
| Components |
| Outbound hosts list |
| oracledb outbound address list |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| 0.0.0.1 |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="1521-1527", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="dynamic (49152-65535)", RemoteIP="sandbox specific outbound hosts component", RemotePort="1158", Protocol="TCP", Action="Allow", Log="Do not log", Program="*\bin\em*.exe" |
| LocalPort="dynamic (49152-65535)", RemoteIP="sandbox specific outbound hosts component", RemotePort="3938", Protocol="TCP", Action="Allow", Log="Do not log", Program="*\bin\em*.exe" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Deny |
| Default outbound rule log setting |
| Log |
| Sandbox Execution Options |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| OS Sandbox Options |
| SDCSS Agent [sdcss_agent_ps] |
| Advanced Options |
| SDCSS Agent Application Data Protection |
| SDCSS Agent Application File Data |
| Block all access to the following SDCSS Agent files |
| Application data that should not be accessed |
| %%HKEY_LOCAL_MACHINE\Software\symantec\intrusion security\Agent\LogInstallRoot%%\*.csv |
| Protection Categories |
| Application Data Protection |
| Obey All Other Application Data Restrictions |
| Resource List Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Basic Operating System Restrictions |
| Protect auto start locations |
| Protect operating system resources |
| Protect the raw local disk device |
| Process Access Controls |
| No-Access Process Access Controls |
| Block and log all access to these processes as trivial |
| List of processes that should not be accessed |
| TargetProgram="%systemroot%\System32\lsass.exe" |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| afagent inbound address list |
| SDCSS Server IP |
| Inbound tcp port list |
| List of Inbound tcp ports |
| sdcssagent |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemotePort="domain (53)", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="Local IPs (v4 and v6)", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="Local IPs (v4 and v6)", Protocol="TCP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Deny |
| Default inbound rule log setting |
| Log as trivial |
| Outbound |
| Components |
| Outbound hosts list |
| afagent outbound address list |
| SDCSS Server IP |
| Outbound tcp port list |
| List of outbound tcp ports |
| sdcssserver |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemotePort="domain (53)", Protocol="Both TCP and UDP", Action="Allow", Log="Do not log" |
| RemoteIP="Local IPs (v4 and v6)", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="Local IPs (v4 and v6)", Protocol="TCP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Deny |
| Default outbound rule log setting |
| Log as trivial |
| Sandbox Execution Options |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| SDCSS Manager [sdcss_manager_ps] |
| Advanced Options |
| Protection Categories |
| Application Data Protection |
| Obey All Other Application Data Restrictions |
| Resource List Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Block modifications to windows services |
| Basic Operating System Restrictions |
| Protect auto start locations |
| Protect operating system resources |
| Protect the raw local disk device |
| Network Controls |
| Inbound |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="Any (0-65535)", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="Any (0-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Allow |
| Default inbound rule log setting |
| Log when denied |
| Outbound |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemotePort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemotePort="Any (0-65535)", Protocol="TCP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Allow |
| Default outbound rule log setting |
| Log when denied |
| Sandbox Execution Options |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| SDCSS Console [sdcss_console_ps] |
| Advanced Options |
| Protection Categories |
| Application Data Protection |
| Obey All Other Application Data Restrictions |
| Resource List Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Block modifications to windows services |
| Basic Operating System Restrictions |
| Protect auto start locations |
| Protect operating system resources |
| Protect the raw local disk device |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| appfireui inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| Any (0-65535) |
| Inbound udp port list |
| List of Inbound udp ports |
| Any (0-65535) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Allow |
| Default inbound rule log setting |
| Log when denied |
| Outbound |
| Components |
| Outbound hosts list |
| appfireui outbound address list |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| SDCSS Server IP |
| Outbound tcp port list |
| List of outbound tcp ports |
| Any (0-65535) |
| Outbound udp port list |
| List of outbound udp ports |
| high (1024-65535) |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Allow |
| Default outbound rule log setting |
| Log when denied |
| Sandbox Execution Options |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Default Windows Programs and Services [def_winsvcs_ps] |
| Advanced Options |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Block modifications to windows services |
| Basic Operating System Restrictions |
| Protect operating system resources |
| Protect the raw local disk device |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Block unusual memory allocations |
| Exceptions for unusual memory allocations |
| List of program exceptions for unusual memory allocations |
| Action="Allow", Log="Do not log", Program="%systemroot%\EXPLORER.exe" |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\mmc.exe" |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\rundll32.exe" |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\searchfilterhost.exe" |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\slsvc.exe" |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\svchost.exe" |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\wermgr.exe" |
| Block unusual memory permission changes |
| Exceptions for unusual memory permission changes |
| List of program exceptions for unusual memory permission changes |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\svchost.exe" |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\WSCNTFY.EXE" |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\VERCLSID.EXE" |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\SCRNSAVE.SCR" |
| Action="Allow", Log="Do not log", Program="%systemroot%\EXPLORER.exe" |
| Block turning off Data Execution Prevention (DEP) |
| Exceptions for turning off Data Execution Prevention (DEP) |
| List of program exceptions for turning off DEP |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\SCRNSAVE.SCR" |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\VERCLSID.EXE" |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\WSCNTFY.EXE" |
| Process Access Controls |
| Full Access Process Access Controls |
| Allow full access to these processes |
| List of processes to give full access to |
| TargetProgram="%systemroot%\System32\wbem\wmiprvse.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
| TargetProgram="%systemroot%\System32\winlogon.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
| TargetProgram="%systemroot%\explorer.exe", Program="%systemroot%\system32\svchost.exe" |
| TargetProgram="%systemroot%\System32\csrss.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
| TargetProgram="%systemroot%\System32\SearchIndexer.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
| TargetProgram="%systemroot%\System32\RunDll32.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
| TargetProgram="%systemroot%\System32\slui.exe", Program="%systemroot%\system32\sppsvc.exe" |
| TargetProgram="%systemroot%\explorer.exe", Program="%systemroot%\system32\sppsvc.exe" |
| TargetProgram="%systemroot%\System32\svchost.exe", Program="%systemroot%\system32\sppsvc.exe" |
| TargetProgram="%systemroot%\System32\runas.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
| TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k RPCSS *", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k DcomLaunch *" |
| TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k LocalService *", Program="%systemroot%\system32\SLsvc.exe" |
| TargetProgram="%programfiles%\Outlook Express\msimn.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
| TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k RPCSS *", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
| TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k netsvcs *", Program="%systemroot%\system32\consent.exe" |
| TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k netsvcs *", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k DcomLaunch *" |
| TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k DcomLaunch *", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
| TargetProgram="*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k DcomLaunch *" |
| TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k termsvcs *", Program="%systemroot%\system32\svchost.exe" |
| TargetProgram="%systemroot%\system32\wininit.exe", Program="%systemroot%\system32\svchost.exe" |
| TargetProgram="%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedUsage\LiveUpdate%%\LuComServer*.EXE", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
| TargetProgram="%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\SAVCE%%Rtvscan.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
| TargetProgram="%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_install_path%%Smc.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
| TargetProgram="%systemroot%\system32\spoolsv.exe", Program="%systemroot%\system32\svchost.exe" |
| TargetProgram="*", Program="%systemroot%\system32\audiodg.exe" |
| TargetProgram="%programfiles%\Microsoft Office Communicator\communicator.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
| TargetProgram="%programfiles%\Windows Media Player\wmpnetwk.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
| TargetProgram="%systemroot%\System32\spoolsv.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
| TargetProgram="%programfiles%\Adobe\Reader *\Reader\AcroRd32.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
| TargetProgram="%ProgramFiles%\Symantec\Symantec Endpoint Protection\*\Bin\ccSvcHst.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
| TargetProgram="%systemroot%\system32\wbem\wmiprvse.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
| TargetProgram="%systemroot%\system32\lsass.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
| TargetProgram="%ProgramFiles%\Microsoft Office\Office*\OUTLOOK.EXE", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
| TargetProgram="%systemroot%\Explorer.EXE", Program="%systemroot%\system32\SearchProtocolHost.exe" |
| TargetProgram="%systemroot%\system32\svchost.exe", Program="%systemroot%\system32\svchost.exe" |
| TargetProgram="%systemroot%\system32\vssvc.exe", Program="%systemroot%\system32\svchost.exe" |
| TargetProgram="\Device\HardDiskVolume?\Documents and Settings\User_Name\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
| TargetProgram="\Device\HardDiskVolume?\Documents and Settings\User_Name\Local Settings\Application Data\Google\Chrome\Application\chrome.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
| TargetProgram="\Device\HardDiskVolume?\Program Files\Microsoft Office Communicator\communicator.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
| TargetProgram="%systemroot%\system32\*.scr", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
| Limited Access Process Access Controls |
| Block and log modifications to these processes as trivial |
| List of processes that should not be modified |
| TargetProgram="%systemroot%\System32\lsass.exe", Program="%systemroot%\system32\mmc.exe", SignatureFlags="N00000020" |
| No-Access Process Access Controls |
| Block and log all access to these processes as trivial |
| List of processes that should not be accessed |
| TargetProgram="%%HKEY_LOCAL_MACHINE\Software\symantec\intrusion security\Agent\InstallRoot%%\IPS\bin\SISIPSService.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
| TargetProgram="%%HKEY_LOCAL_MACHINE\Software\symantec\intrusion security\Agent\InstallRoot%%\IPS\bin\SISManager.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
| TargetProgram="%systemroot%\System32\lsass.exe", Program="%systemroot%\System32\taskmgr.exe", SignatureFlags="N00000020" |
| Resource Lists |
| Writable Resource Lists |
| Allow modifications to these Registry keys |
| List of Registry keys that can be modified |
| Value="\REGISTRY\MACHINE\SYSTEM\*controlset*\services\VSS\Diag\*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k SDRSVC *" |
| Value="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows*\CurrentVersion\SPP*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k SDRSVC *" |
| Value="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k SDRSVC *" |
| Value="\REGISTRY\MACHINE\SYSTEM\*controlset*\services\NetLogon", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k NetworkService *" |
| Value="\REGISTRY\MACHINE\SYSTEM\*controlset*\services\NetLogon\*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k NetworkService *" |
| Value="\REGISTRY\MACHINE\SYSTEM\*controlset*\services\W32Time\*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k NetworkService *" |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| def_winsvcs inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| Any (0-65535) |
| Inbound udp port list |
| List of Inbound udp ports |
| Any (0-65535) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="bootpc (68)", RemotePort="bootps (67)", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Allow |
| Default inbound rule log setting |
| Log when denied |
| Outbound |
| Components |
| Outbound hosts list |
| def_winsvcs outbound address list |
| Any |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| Any (0-65535) |
| Outbound udp port list |
| List of outbound udp ports |
| Any (0-65535) |
| ntp (123) |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Allow |
| Default outbound rule log setting |
| Log when denied |
| Sandbox Execution Options |
| Programs the Default Windows Services may not run |
| List of programs the Default Windows Services may not run |
| Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%" |
| Programs the Default Windows Services may run if using specific arguments |
| List of programs the Default Windows services may run if using specific arguments |
| Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%" |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Distributed File System [dfssvc_ps] |
| Advanced Options |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Block modifications to windows services |
| Basic Operating System Restrictions |
| Protect auto start locations |
| Protect operating system resources |
| Protect the raw local disk device |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Block unusual memory allocations |
| Block unusual memory permission changes |
| Block turning off Data Execution Prevention (DEP) |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| dfssvc inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| high (1024-65535) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Deny |
| Default inbound rule log setting |
| Log |
| Outbound |
| Components |
| Outbound hosts list |
| dfssvc outbound address list |
| Any |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| epmap (135) |
| ldap (389) |
| ldaps (636) |
| high (1024-65535) |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Deny |
| Default outbound rule log setting |
| Log |
| Sandbox Execution Options |
| Programs the Distributed File System Service may not run |
| List of programs the Distributed File System Service may not run |
| Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%" |
| Programs the Distributed File System Service may run if using specific arguments |
| List of programs the Distributed File System Service may run if using specific arguments |
| Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%" |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Distributed Transaction Coordinator [msdtc_ps] |
| Advanced Options |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Block modifications to windows services |
| Basic Operating System Restrictions |
| Protect auto start locations |
| Protect operating system resources |
| Protect the raw local disk device |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Block unusual memory allocations |
| Block turning off Data Execution Prevention (DEP) |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| msdtc inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| high (1024-65535) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Deny |
| Default inbound rule log setting |
| Log |
| Outbound |
| Components |
| Outbound hosts list |
| msdtc outbound address list |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Deny |
| Default outbound rule log setting |
| Log |
| Sandbox Execution Options |
| Programs the Distributed Transaction Coordinator Service may not run |
| List of programs the Distributed Transaction Coordinator Service may not run |
| Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%" |
| Programs the Distributed Transaction Coordinator Service may run if using specific arguments |
| List of programs the Distributed Transaction Coordinator Service may run if using specific arguments |
| Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%" |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| DNS Server [dns_ps] |
| Advanced Options |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Block modifications to windows services |
| Basic Operating System Restrictions |
| Protect auto start locations |
| Protect operating system resources |
| Protect the raw local disk device |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Block unusual memory allocations |
| Block unusual memory permission changes |
| Block turning off Data Execution Prevention (DEP) |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| dns inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| domain (53) |
| Inbound udp port list |
| List of Inbound udp ports |
| domain (53) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="high (1024-65535)", RemoteIP="Local IPs (v4 and v6)", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="high (1024-65535)", RemoteIP="Local IPs (v4 and v6)", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Deny |
| Default inbound rule log setting |
| Log |
| Outbound |
| Components |
| Outbound hosts list |
| dns outbound address list |
| Any |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| domain (53) |
| ldap (389) |
| high (1024-65535) |
| Outbound udp port list |
| List of outbound udp ports |
| domain (53) |
| high (1024-65535) |
| Outbound network rules |
| List of rules to control outbound network connections |
| LocalPort="high (1024-65535)", RemoteIP="Local IPs (v4 and v6)", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Deny |
| Default outbound rule log setting |
| Log |
| Sandbox Execution Options |
| Programs the DNS Server may not run |
| List of programs the DNS Server may not run |
| Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%" |
| Programs the DNS Server may run if using specific arguments |
| List of programs the DNS Server may run if using specific arguments |
| Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%" |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| File Replication Service [ntfrs_ps] |
| Advanced Options |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Block modifications to windows services |
| Basic Operating System Restrictions |
| Protect auto start locations |
| Protect operating system resources |
| Protect the raw local disk device |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Block unusual memory allocations |
| Block unusual memory permission changes |
| Block turning off Data Execution Prevention (DEP) |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| ntfrs inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| high (1024-65535) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Deny |
| Default inbound rule log setting |
| Log |
| Outbound |
| Components |
| Outbound hosts list |
| ntfrs outbound address list |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| ldap (389) |
| epmap (135) |
| high (1024-65535) |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Deny |
| Default outbound rule log setting |
| Log |
| Sandbox Execution Options |
| Programs the File Replication Service may not run |
| List of programs the File Replication Service may not run |
| Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%" |
| Programs the File Replication Service may run if using specific arguments |
| List of programs the File Replication Service may run if using specific arguments |
| Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%" |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Interactive Launch Processes [int_launch_ps] |
| Advanced Options |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Block unusual memory allocations |
| Exceptions for unusual memory allocations |
| List of program exceptions for unusual memory allocations |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\csrss.exe" |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\wininit.exe" |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\winlogon.exe" |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\wbem\wmiprvse.exe" |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\logonui.exe", Module Path="\WINDOWS\SYSTEM32\DUSER.DLL" |
| Action="Allow", Log="Do not log", Program="%systemroot%\explorer.exe", Module Path="\WINDOWS\SYSTEM32\DUSER.DLL" |
| Block unusual memory permission changes |
| Exceptions for unusual memory permission changes |
| List of program exceptions for unusual memory permission changes |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\lsass.exe" |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\winlogon.exe" |
| Action="Allow", Log="Do not log", Program="%systemroot%\System32\wbem\wmiprvse.exe" |
| Action="Allow", Log="Do not log", Program="%systemroot%\explorer.exe" |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\logon.scr" |
| Block turning off Data Execution Prevention (DEP) |
| Exceptions for turning off Data Execution Prevention (DEP) |
| List of program exceptions for turning off DEP |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\logon.scr" |
| Process Access Controls |
| Full Access Process Access Controls |
| Allow full access to these processes |
| List of processes to give full access to |
| TargetProgram="*", Program="%systemroot%\System32\lsass.exe" |
| TargetProgram="*", Program="%systemroot%\System32\winlogon.exe" |
| TargetProgram="%systemroot%\System32\wbem\wmiprvse.exe", Program="%systemroot%\System32\csrss.exe" |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| system inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| Any (0-65535) |
| Inbound udp port list |
| List of Inbound udp ports |
| Any (0-65535) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="high (1024-65535)", RemoteIP="sandbox specific outbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Deny |
| Default inbound rule log setting |
| Log |
| Outbound |
| Components |
| Outbound hosts list |
| system outbound address list |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| Any (0-65535) |
| Outbound udp port list |
| List of outbound udp ports |
| Any (0-65535) |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific inbound hosts component", RemotePort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Allow |
| Default outbound rule log setting |
| Log when denied |
| Sandbox Execution Options |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Kernel Driver Options [kernel_ps] |
| Advanced Options |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| kernel inbound address list |
| Any |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| Any (0-65535) |
| Inbound udp port list |
| List of Inbound udp ports |
| Any (0-65535) |
| bootpc (68) |
| bootps (67) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="%iis_accept_tcp_list%", RemoteIP="%iis_netaccept_addr_list%", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="%termsrv_accept_tcp_list%", RemoteIP="%termsrv_netaccept_addr_list%", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="netbios-datagram (138)", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="netbios-ns (137)", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="high (1024-65535)", RemoteIP="sandbox specific outbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Allow |
| Default inbound rule log setting |
| Log when denied |
| Outbound |
| Components |
| Outbound hosts list |
| kernel outbound address list |
| Any |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| netbios-session (139) |
| high (1024-65535) |
| Outbound udp port list |
| List of outbound udp ports |
| high (1024-65535) |
| bootpc (68) |
| bootps (67) |
| Outbound network rules |
| List of rules to control outbound network connections |
| LocalPort="netbios-datagram (138)", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="netbios-ns (137)", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific inbound hosts component", RemotePort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Allow |
| Default outbound rule log setting |
| Log when denied |
| License Logging Service [llssrv_ps] |
| Advanced Options |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Block modifications to windows services |
| Basic Operating System Restrictions |
| Protect auto start locations |
| Protect operating system resources |
| Protect the raw local disk device |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Block unusual memory allocations |
| Block unusual memory permission changes |
| Block turning off Data Execution Prevention (DEP) |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| llssrv inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| high (1024-65535) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Deny |
| Default inbound rule log setting |
| Log |
| Outbound |
| Components |
| Outbound hosts list |
| llssrv outbound address list |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| ldap (389) |
| ldaps (636) |
| epmap (135) |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="Local IPs (v4 and v6)", RemotePort="high (1024-65535)", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Deny |
| Default outbound rule log setting |
| Log |
| Sandbox Execution Options |
| Programs the License Logging Service may not run |
| List of programs the License Logging Service may not run |
| Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%" |
| Programs the License Logging Service may run if using specific arguments |
| List of programs the License Logging Service may run if using specific arguments |
| Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%" |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Local Security Authority Subsystem Service [lsass_ps] |
| Advanced Options |
| Local Security Authority Subsystem Application Data Protection |
| Local Security Authority Subsystem Application Process Data |
| Block all access to the following Local Security Authority Subsystem processes |
| Application data that should not be accessed |
| Program="%systemroot%\System32\lsass.exe" |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Block unusual memory allocations |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| llssrv inbound address list |
| Local IPs (v4 and v6) |
| Local Subnet addresses (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| Any (0-65535) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Deny |
| Default inbound rule log setting |
| Log |
| Outbound |
| Components |
| Outbound hosts list |
| lsass outbound address list |
| Local IPs (v4 and v6) |
| Local Subnet addresses (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| Any (0-65535) |
| Outbound udp port list |
| List of outbound udp ports |
| Any (0-65535) |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="Local IPs (v4 and v6)", RemotePort="high (1024-65535)", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Allow |
| Default outbound rule log setting |
| Log when denied |
| Sandbox Execution Options |
| Programs the Local Security Authority Subsystem Service may not run |
| List of programs the Local Security Authority Subsystem Service may not run |
| Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%" |
| Programs the Local Security Authority Subsystem Service may run if using specific arguments |
| List of programs the Local Security Authority Subsystem Service may run if using specific arguments |
| Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%" |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Print Spooler [spoolsv_ps] |
| Advanced Options |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Block modifications to windows services |
| Basic Operating System Restrictions |
| Protect auto start locations |
| Protect operating system resources |
| Protect the raw local disk device |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Block unusual memory allocations |
| Block unusual memory permission changes |
| Block turning off Data Execution Prevention (DEP) |
| Process Access Controls |
| Full Access Process Access Controls |
| Allow full access to these processes |
| List of processes to give full access to |
| TargetProgram="%systemroot%\System32\winlogon.exe", Program="%systemroot%\System32\spoolsv.exe" |
| TargetProgram="%systemroot%\explorer.exe", Program="%systemroot%\System32\spoolsv.exe" |
| Limited Access Process Access Controls |
| Block and log modifications to these processes as trivial |
| List of processes that should not be modified |
| TargetProgram="%programfiles%\Microsoft Office\Office*\*.exe", Program="%systemroot%\System32\spoolsv.exe" |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| spoolsv inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| high (1024-65535) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Deny |
| Default inbound rule log setting |
| Log |
| Outbound |
| Components |
| Outbound hosts list |
| spoolsv outbound address list |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| epmap (135) |
| ldap (389) |
| ldaps (636) |
| high (1024-65535) |
| domain (53) |
| printer (515) |
| Outbound udp port list |
| List of outbound udp ports |
| snmp (161) |
| slp (427) |
| domain (53) |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Deny |
| Default outbound rule log setting |
| Log |
| Sandbox Execution Options |
| Programs the Print Spooler may not run |
| List of programs the Print Spooler may not run |
| Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%" |
| Programs the Print Spooler may run if using specific arguments |
| List of programs the Print Spooler may run if using specific arguments |
| Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%" |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Remote Procedure Call (RPC) [rpcss_ps] |
| Advanced Options |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Block modifications to windows services |
| Basic Operating System Restrictions |
| Protect auto start locations |
| Protect operating system resources |
| Protect the raw local disk device |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Block unusual memory allocations |
| Exceptions for unusual memory allocations |
| List of program exceptions for unusual memory allocations |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\svchost.exe" |
| Block unusual memory permission changes |
| Block turning off Data Execution Prevention (DEP) |
| Process Access Controls |
| Full Access Process Access Controls |
| Allow full access to these processes |
| List of processes to give full access to |
| TargetProgram="%systemroot%\System32\dllhost.exe", Program="%systemroot%\System32\svchost.exe" |
| TargetProgram="%systemroot%\System32\svchost.exe", TargetArguments="&ci; * -k rpcss *", Program="%systemroot%\System32\svchost.exe" |
| TargetProgram="%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_install_path%%SescLU.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k rpcss *" |
| TargetProgram="%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\SAVCE%%SavUI.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k rpcss *" |
| TargetProgram="%systemroot%\system32\wbem\wmiprvse.exe", Program="%systemroot%\System32\svchost.exe", Arguments="&ci; * -k rpcss *" |
| TargetProgram="%systemroot%\winsxs\*\tiworker.exe", Program="%systemroot%\System32\svchost.exe", Arguments="&ci; * -k rpcss *" |
| Limited Access Process Access Controls |
| Block and log modifications to these processes as trivial |
| List of processes that should not be modified |
| TargetProgram="%programfiles%\*\Microsoft Shared\Office*\Office Setup Controller\setup.exe", Program="%systemroot%\System32\svchost.exe", Arguments="&ci; * -k rpcss *" |
| TargetProgram="%systemroot%\System32\wbem\wmiprvse.exe", Program="%systemroot%\System32\svchost.exe", Arguments="&ci; * -k rpcss *" |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| rpcss inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| epmap (135) |
| http-rpc-epmap (593) |
| Inbound udp port list |
| List of Inbound udp ports |
| epmap (135) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="high (1024-65535)", RemoteIP="Local IPs (v4 and v6)", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Deny |
| Default inbound rule log setting |
| Log |
| Outbound |
| Components |
| Outbound hosts list |
| rpcss outbound address list |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| epmap (135) |
| http-rpc-epmap (593) |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Deny |
| Default outbound rule log setting |
| Log |
| Sandbox Execution Options |
| Programs the RPC Service may not run |
| List of programs the RPC Service may not run |
| Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%" |
| Programs the RPC Service may run if using specific arguments |
| List of programs the RPC Service may run if using specific arguments |
| Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%" |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Remote Registry Service [regsvc_ps] |
| Advanced Options |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Block modifications to windows services |
| Basic Operating System Restrictions |
| Protect auto start locations |
| Protect operating system resources |
| Protect the raw local disk device |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Block unusual memory allocations |
| Block unusual memory permission changes |
| Block turning off Data Execution Prevention (DEP) |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| regsvc inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| high (1024-65535) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Deny |
| Default inbound rule log setting |
| Log |
| Outbound |
| Components |
| Outbound hosts list |
| regsvc outbound address list |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Deny |
| Default outbound rule log setting |
| Log |
| Sandbox Execution Options |
| Programs the Remote Registry Service may not run |
| List of programs the Remote Registry Service may not run |
| Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%" |
| Programs the Remote Registry Service may run if using specific arguments |
| List of programs the Remote Registry Service may run if using specific arguments |
| Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%" |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Service Control Manager [svc_launch_ps] |
| Advanced Options |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Block unusual memory allocations |
| Block unusual memory permission changes |
| Block turning off Data Execution Prevention (DEP) |
| Process Access Controls |
| Full Access Process Access Controls |
| Allow full access to these processes |
| List of processes to give full access to |
| TargetProgram="%systemroot%\system32\userinit.exe", Program="%systemroot%\System32\services.exe" |
| TargetProgram="%systemroot%\explorer.exe", Program="%systemroot%\System32\services.exe" |
| Limited Access Process Access Controls |
| Block and log modifications to these processes as trivial |
| List of processes that should not be modified |
| TargetProgram="%systemroot%\System32\lsass.exe" |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| scm inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| Any (0-65535) |
| Inbound udp port list |
| List of Inbound udp ports |
| Any (0-65535) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="bootpc (68)", RemotePort="bootps (67)", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="ntp (123)", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Allow |
| Default inbound rule log setting |
| Log when denied |
| Outbound |
| Components |
| Outbound hosts list |
| scm outbound address list |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| Any (0-65535) |
| Outbound udp port list |
| List of outbound udp ports |
| Any (0-65535) |
| Outbound network rules |
| List of rules to control outbound network connections |
| LocalPort="bootpc (68)", RemotePort="bootps (67)", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific inbound hosts component", RemotePort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Allow |
| Default outbound rule log setting |
| Log when denied |
| Sandbox Execution Options |
| Programs the Service Control Manager may not run |
| List of programs the Service Control Manager may not run |
| Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%" |
| Programs the Service Control Manager may run if using specific arguments |
| List of programs the Service Control Manager may run if using specific arguments |
| Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%" |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Secondary Logon [runas_ps] |
| Advanced Options |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Block modifications to windows services |
| Basic Operating System Restrictions |
| Protect auto start locations |
| Protect operating system resources |
| Protect the raw local disk device |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Block unusual memory allocations |
| Block unusual memory permission changes |
| Block turning off Data Execution Prevention (DEP) |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| runas inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Deny |
| Default inbound rule log setting |
| Log |
| Outbound |
| Components |
| Outbound hosts list |
| runas outbound address list |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Deny |
| Default outbound rule log setting |
| Log |
| Sandbox Execution Options |
| Programs the Secondary Logon Service may not run |
| List of programs the Secondary Logon Service may not run |
| Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%" |
| Programs the Secondary Logon Service may run if using specific arguments |
| List of programs the Secondary Logon Service may run if using specific arguments |
| Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%" |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Simple TCP/IP Services [tcpsvc_ps] |
| Advanced Options |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Block modifications to windows services |
| Basic Operating System Restrictions |
| Protect auto start locations |
| Protect operating system resources |
| Protect the raw local disk device |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Block unusual memory allocations |
| Block unusual memory permission changes |
| Block turning off Data Execution Prevention (DEP) |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| tcpsvcs inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| bootps (67) |
| bootpc (68) |
| high (1024-65535) |
| printer (515) |
| Inbound udp port list |
| List of Inbound udp ports |
| bootps (67) |
| bootpc (68) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Deny |
| Default inbound rule log setting |
| Log |
| Outbound |
| Components |
| Outbound hosts list |
| tcpsvcs outbound address list |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| ldap (389) |
| ldaps (636) |
| domain (53) |
| Outbound udp port list |
| List of outbound udp ports |
| bootps (67) |
| bootpc (68) |
| domain (53) |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="Local IPs (v4 and v6)", RemotePort="high (1024-65535)", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Deny |
| Default outbound rule log setting |
| Log |
| Sandbox Execution Options |
| Programs the Simple TCP/IP Services may not run |
| List of programs the Simple TCP/IP Services may not run |
| Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%" |
| Programs the Simple TCP/IP Services may run if using specific arguments |
| List of programs the Simple TCP/IP Services may run if using specific arguments |
| Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%" |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| SNMP Service [snmp_ps] |
| Advanced Options |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Block modifications to windows services |
| Basic Operating System Restrictions |
| Protect auto start locations |
| Protect operating system resources |
| Protect the raw local disk device |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Block unusual memory allocations |
| Block unusual memory permission changes |
| Block turning off Data Execution Prevention (DEP) |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| snmp inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| snmp (161) |
| snmptrap (162) |
| Inbound udp port list |
| List of Inbound udp ports |
| snmp (161) |
| snmptrap (162) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Allow |
| Default inbound rule log setting |
| Log when denied |
| Outbound |
| Components |
| Outbound hosts list |
| snmp outbound address list |
| Any |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound udp port list |
| List of outbound udp ports |
| snmptrap |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Deny |
| Default outbound rule log setting |
| Log |
| Sandbox Execution Options |
| Programs the SNMP Service may not run |
| List of programs the SNMP Service may not run |
| Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%" |
| Programs the SNMP Service may run if using specific arguments |
| List of programs the SNMP Service may run if using specific arguments |
| Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%" |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Startup Processes [system_ps] |
| Advanced Options |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Block unusual memory allocations |
| Exceptions for unusual memory allocations |
| List of program exceptions for unusual memory allocations |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\csrss.exe" |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\winlogon.exe" |
| Action="Allow", Log="Do not log", Program="%systemroot%\System32\wbem\wmiprvse.exe" |
| Block unusual memory permission changes |
| Exceptions for unusual memory permission changes |
| List of program exceptions for unusual memory permission changes |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\lsass.exe" |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\winlogon.exe" |
| Action="Allow", Log="Do not log", Program="%systemroot%\System32\wbem\wmiprvse.exe" |
| Block turning off Data Execution Prevention (DEP) |
| Process Access Controls |
| Full Access Process Access Controls |
| Allow full access to these processes |
| List of processes to give full access to |
| TargetProgram="*", Program="%systemroot%\System32\lsass.exe" |
| TargetProgram="*", Program="%systemroot%\System32\winlogon.exe" |
| TargetProgram="%systemroot%\System32\wbem\wmiprvse.exe", Program="%systemroot%\System32\csrss.exe" |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| system inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| Any (0-65535) |
| Inbound udp port list |
| List of Inbound udp ports |
| Any (0-65535) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="high (1024-65535)", RemoteIP="sandbox specific outbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Deny |
| Default inbound rule log setting |
| Log |
| Outbound |
| Components |
| Outbound hosts list |
| system outbound address list |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| Any (0-65535) |
| Outbound udp port list |
| List of outbound udp ports |
| Any (0-65535) |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific inbound hosts component", RemotePort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Allow |
| Default outbound rule log setting |
| Log when denied |
| Sandbox Execution Options |
| Programs the Startup Services may not run |
| List of programs the Startup Services may not run |
| Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%" |
| Programs the Startup Services may run if using specific arguments |
| List of programs the Startup Services may run if using specific arguments |
| Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%" |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Task Scheduler Service [mstask_ps] |
| Advanced Options |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Block modifications to windows services |
| Basic Operating System Restrictions |
| Protect auto start locations |
| Protect operating system resources |
| Protect the raw local disk device |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Block unusual memory allocations |
| Block unusual memory permission changes |
| Block turning off Data Execution Prevention (DEP) |
| Process Access Controls |
| Full Access Process Access Controls |
| Allow full access to these processes |
| List of processes to give full access to |
| TargetProgram="%systemroot%\system32\svchost.exe", Program="%systemroot%\system32\svchost.exe" |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| mstask inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| high (1024-65535) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Deny |
| Default inbound rule log setting |
| Log |
| Outbound |
| Components |
| Outbound hosts list |
| mstask outbound address list |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| Any (0-65535) |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Deny |
| Default outbound rule log setting |
| Log |
| Sandbox Execution Options |
| Programs the Task Scheduler may not run |
| List of programs the Task Scheduler may not run |
| Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%" |
| Programs the Task Scheduler may run if using specific arguments |
| List of programs the Task Scheduler may run if using specific arguments |
| Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%" |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Telephony [tapisrv_ps] |
| Advanced Options |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Block modifications to windows services |
| Basic Operating System Restrictions |
| Protect auto start locations |
| Protect operating system resources |
| Protect the raw local disk device |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Block unusual memory allocations |
| Block unusual memory permission changes |
| Block turning off Data Execution Prevention (DEP) |
| Process Access Controls |
| Full Access Process Access Controls |
| Allow full access to these processes |
| List of processes to give full access to |
| TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k netsvcs *", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k tapisrv *" |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| tapisrv inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Deny |
| Default inbound rule log setting |
| Log |
| Outbound |
| Components |
| Outbound hosts list |
| tapisrv outbound address list |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Deny |
| Default outbound rule log setting |
| Log |
| Sandbox Execution Options |
| Programs the Telephony Service may not run |
| List of programs the Telephony Service may not run |
| Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%" |
| Programs the Telephony Service may run if using specific arguments |
| List of programs the Telephony Service may run if using specific arguments |
| Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%" |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Terminal Services [termsrv_ps] |
| Advanced Options |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Block modifications to windows services |
| Basic Operating System Restrictions |
| Protect auto start locations |
| Protect operating system resources |
| Protect the raw local disk device |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Block unusual memory allocations |
| Exceptions for unusual memory allocations |
| List of program exceptions for unusual memory allocations |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\lsm.exe" |
| Block unusual memory permission changes |
| Block turning off Data Execution Prevention (DEP) |
| Process Access Controls |
| Full Access Process Access Controls |
| Allow full access to these processes |
| List of processes to give full access to |
| TargetProgram="%systemroot%\System32\winlogon.exe", Program="%systemroot%\System32\svchost.exe" |
| TargetProgram="%systemroot%\System32\csrss.exe", Program="%systemroot%\System32\svchost.exe" |
| TargetProgram="%systemroot%\System32\logon.scr", Program="%systemroot%\System32\svchost.exe" |
| TargetProgram="%systemroot%\System32\rdpclip.exe", Program="%systemroot%\System32\svchost.exe" |
| TargetProgram="*", Program="%systemroot%\system32\lsm.exe" |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| termsrv inbound address list |
| Any |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| ms-wbt-server (3389) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Deny |
| Default inbound rule log setting |
| Log |
| Outbound |
| Components |
| Outbound hosts list |
| termsrv outbound address list |
| Any |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| epmap (135) |
| ldap (389) |
| high (1024-65535) |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Deny |
| Default outbound rule log setting |
| Log |
| Sandbox Execution Options |
| Programs the Terminal Services may not run |
| List of programs the Terminal Services may not run |
| Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%" |
| Programs the Terminal Services may run if using specific arguments |
| List of programs the Terminal Services may run if using specific arguments |
| Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%" |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Windows Internet Name Service (WINS) [wins_ps] |
| Basic Options |
| Enable WINS management |
| Advanced Options |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Block modifications to windows services |
| Basic Operating System Restrictions |
| Protect auto start locations |
| Protect operating system resources |
| Protect the raw local disk device |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Block unusual memory allocations |
| Block unusual memory permission changes |
| Block turning off Data Execution Prevention (DEP) |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| wins inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| netbios-ns (137) |
| high (1024-65535) |
| nameserver (42) |
| Inbound udp port list |
| List of Inbound udp ports |
| nameserver (42) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Deny |
| Default inbound rule log setting |
| Log |
| Outbound |
| Components |
| Outbound hosts list |
| wins outbound address list |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| nameserver |
| Outbound udp port list |
| List of outbound udp ports |
| nameserver |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Deny |
| Default outbound rule log setting |
| Log |
| Sandbox Execution Options |
| Programs the WINS Service may not run |
| List of programs the WINS Service may not run |
| Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%" |
| Programs the WINS Service may run if using specific arguments |
| List of programs the WINS Service may run if using specific arguments |
| Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%" |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Windows Management Instrumentation [wmisvc_ps] |
| Advanced Options |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Block modifications to windows services |
| Basic Operating System Restrictions |
| Protect auto start locations |
| Protect operating system resources |
| Protect the raw local disk device |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Block unusual memory allocations |
| Exceptions for unusual memory allocations |
| List of program exceptions for unusual memory allocations |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\WBEM\WMIPRVSE.EXE", Module Path="\WINDOWS\SYSTEM32\DPCDLL.DLL" |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\WBEM\WMIPRVSE.EXE", Module Path="\WINDOWS\SYSTEM32\LICDLL.DLL" |
| Block unusual memory permission changes |
| Block turning off Data Execution Prevention (DEP) |
| Process Access Controls |
| Limited Access Process Access Controls |
| Block and log modifications to these processes as trivial |
| List of processes that should not be modified |
| TargetProgram="%systemroot%\System32\lsass.exe", Program="%systemroot%\system32\wbem\wmiprvse.exe", SignatureFlags="N00000020" |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| winmgmt inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| high (1024-65535) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Deny |
| Default inbound rule log setting |
| Log |
| Outbound |
| Components |
| Outbound hosts list |
| winmgmt outbound address list |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| ldap (389) |
| epmap (135) |
| msft-gc |
| msft-gc-ssl |
| msexch-routing (691) |
| high (1024-65535) |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Deny |
| Default outbound rule log setting |
| Log |
| Sandbox Execution Options |
| Programs the WMI Service may not run |
| List of programs the WMI Service may not run |
| Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%" |
| Programs the WMI Service may run if using specific arguments |
| List of programs the WMI Service may run if using specific arguments |
| Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%" |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Windows Netsvcs Services [netsvcs_ps] |
| Advanced Options |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Block modifications to windows services |
| Basic Operating System Restrictions |
| Protect auto start locations |
| Protect operating system resources |
| Protect the raw local disk device |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Block unusual memory allocations |
| Exceptions for unusual memory allocations |
| List of program exceptions for unusual memory allocations |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\svchost.exe" |
| Block unusual memory permission changes |
| Exceptions for unusual memory permission changes |
| List of program exceptions for unusual memory permission changes |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\svchost.exe" |
| Block turning off Data Execution Prevention (DEP) |
| Exceptions for turning off Data Execution Prevention (DEP) |
| List of program exceptions for turning off DEP |
| Action="Allow", Log="Do not log", Program="%systemroot%\system32\svchost.exe" |
| Process Access Controls |
| Full Access Process Access Controls |
| Allow full access to these processes |
| List of processes to give full access to |
| TargetProgram="*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
| TargetProgram="%systemroot%\explorer.exe", Program="%systemroot%\system32\svchost.exe" |
| TargetProgram="%systemroot%\System32\slui.exe", Program="%systemroot%\system32\sppsvc.exe" |
| TargetProgram="%systemroot%\explorer.exe", Program="%systemroot%\system32\sppsvc.exe" |
| TargetProgram="%systemroot%\System32\svchost.exe", Program="%systemroot%\system32\sppsvc.exe" |
| TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k RPCSS *", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k DcomLaunch *" |
| TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k LocalService *", Program="%systemroot%\system32\SLsvc.exe" |
| TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k netsvcs *", Program="%systemroot%\system32\consent.exe" |
| TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k netsvcs *", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k DcomLaunch *" |
| TargetProgram="*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k DcomLaunch *" |
| TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k termsvcs *", Program="%systemroot%\system32\svchost.exe" |
| TargetProgram="%systemroot%\system32\wininit.exe", Program="%systemroot%\system32\svchost.exe" |
| TargetProgram="%systemroot%\system32\spoolsv.exe", Program="%systemroot%\system32\svchost.exe" |
| TargetProgram="%systemroot%\system32\msiexec.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
| TargetProgram="*", Program="%systemroot%\system32\audiodg.exe" |
| TargetProgram="%programfiles%\Microsoft Office Communicator\communicator.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
| TargetProgram="%programfiles%\Windows Media Player\wmpnetwk.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
| TargetProgram="%systemroot%\System32\spoolsv.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
| TargetProgram="%programfiles%\Adobe\Reader *\Reader\AcroRd32.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
| TargetProgram="%ProgramFiles%\Symantec\Symantec Endpoint Protection\*\Bin\ccSvcHst.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
| TargetProgram="%systemroot%\system32\wbem\wmiprvse.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
| TargetProgram="%systemroot%\system32\lsass.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
| TargetProgram="%ProgramFiles%\Microsoft Office\Office*\OUTLOOK.EXE", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
| TargetProgram="%systemroot%\Explorer.EXE", Program="%systemroot%\system32\SearchProtocolHost.exe" |
| TargetProgram="%systemroot%\system32\svchost.exe", Program="%systemroot%\system32\svchost.exe" |
| TargetProgram="%systemroot%\system32\vssvc.exe", Program="%systemroot%\system32\svchost.exe" |
| TargetProgram="\Device\HardDiskVolume?\Documents and Settings\User_Name\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
| TargetProgram="\Device\HardDiskVolume?\Documents and Settings\User_Name\Local Settings\Application Data\Google\Chrome\Application\chrome.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
| TargetProgram="\Device\HardDiskVolume?\Program Files\Microsoft Office Communicator\communicator.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
| TargetProgram="%systemroot%\system32\*.scr", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
| TargetProgram="%systemroot%\softwaredistribution\download\*.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
| No-Access Process Access Controls |
| Block and log all access to these processes as trivial |
| List of processes that should not be accessed |
| TargetProgram="%%HKEY_LOCAL_MACHINE\Software\symantec\intrusion security\Agent\InstallRoot%%\IPS\bin\SISIPSService.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
| TargetProgram="%%HKEY_LOCAL_MACHINE\Software\symantec\intrusion security\Agent\InstallRoot%%\IPS\bin\SISManager.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
| Resource Lists |
| Writable Resource Lists |
| Allow modifications to these files |
| List of files that can be modified |
| Value="%systemroot%\softwaredistribution\download\*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
| Allow modifications to these Registry keys |
| List of Registry keys that can be modified |
| Value="\REGISTRY\MACHINE\SYSTEM\*controlset*\services\VSS\Diag\*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k SDRSVC *" |
| Value="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows*\CurrentVersion\SPP*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k SDRSVC *" |
| Value="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k SDRSVC *" |
| Value="\REGISTRY\MACHINE\SYSTEM\*controlset*\services\NetLogon", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k NetworkService *" |
| Value="\REGISTRY\MACHINE\SYSTEM\*controlset*\services\NetLogon\*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k NetworkService *" |
| Value="\REGISTRY\MACHINE\SYSTEM\*controlset*\services\W32Time\*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k NetworkService *" |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| netsvcs inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| Any (0-65535) |
| Inbound udp port list |
| List of Inbound udp ports |
| Any (0-65535) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="bootpc (68)", RemotePort="bootps (67)", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Allow |
| Default inbound rule log setting |
| Log when denied |
| Outbound |
| Components |
| Outbound hosts list |
| Netsvcs outbound address list |
| Any |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| Any (0-65535) |
| Outbound udp port list |
| List of outbound udp ports |
| Any (0-65535) |
| ntp (123) |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Allow |
| Default outbound rule log setting |
| Log when denied |
| SysCall Options |
| Allow creation of hardlinks |
| Sandbox Execution Options |
| Programs the Windows Netsvcs Services may not run |
| List of programs the Windows Netsvcs Services may not run |
| Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%" |
| Programs the Windows Netsvcs Services may run if using specific arguments |
| List of programs the Windows Netsvcs Services may run if using specific arguments |
| Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%" |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Windows Update [windows_update_ps] |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| windows updates inbound address list |
| Any |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| Any (0-65535) |
| Inbound udp port list |
| List of Inbound udp ports |
| high (1024-65535) |
| Any (0-65535) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Allow |
| Default inbound rule log setting |
| Log when denied |
| Outbound |
| Components |
| Outbound hosts list |
| windows update outbound address list |
| Any |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| Any (0-65535) |
| Outbound udp port list |
| List of outbound udp ports |
| high (1024-65535) |
| Any (0-65535) |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Allow |
| Default outbound rule log setting |
| Log when denied |
| SysCall Options |
| Allow mounting of filesystems |
| Allow creation of hardlinks |
| Sandbox Execution Options |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Trusted Updater Sandbox Options |
| SDCSS Updater Sandbox [sdcss_updater_ps] |
| Protection Categories |
| Software Installation Restrictions |
| Block modifications to Startup folders |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| full_int inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| Any (0-65535) |
| Inbound udp port list |
| List of Inbound udp ports |
| high (1024-65535) |
| Any (0-65535) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Allow |
| Default inbound rule log setting |
| Log when denied |
| Outbound |
| Components |
| Outbound hosts list |
| full_int outbound address list |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| Any (0-65535) |
| Outbound udp port list |
| List of outbound udp ports |
| high (1024-65535) |
| Any (0-65535) |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Allow |
| Default outbound rule log setting |
| Log when denied |
| SysCall Options |
| Allow mounting of filesystems |
| Allow creation of hardlinks |
| Sandbox Execution Options |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Trusted Updater Sandbox [trusted_updater_ps] |
| Protection Categories |
| Obey Global Resource List Restrictions |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| fully open, self protection enabled inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| Any (0-65535) |
| Inbound udp port list |
| List of Inbound udp ports |
| high (1024-65535) |
| Any (0-65535) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Allow |
| Default inbound rule log setting |
| Log when denied |
| Outbound |
| Components |
| Outbound hosts list |
| fully open, self protection enabled outbound address list |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| Any (0-65535) |
| Outbound udp port list |
| List of outbound udp ports |
| high (1024-65535) |
| Any (0-65535) |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Allow |
| Default outbound rule log setting |
| Log when denied |
| Sandbox Execution Options |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Generic Sandbox Options |
| Fully Open Sandbox [fullopen_ps] |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| full_int inbound address list |
| Any |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| Any (0-65535) |
| Inbound udp port list |
| List of Inbound udp ports |
| high (1024-65535) |
| Any (0-65535) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Allow |
| Default inbound rule log setting |
| Log when denied |
| Outbound |
| Components |
| Outbound hosts list |
| full_int outbound address list |
| Any |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| Any (0-65535) |
| Outbound udp port list |
| List of outbound udp ports |
| high (1024-65535) |
| Any (0-65535) |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Allow |
| Default outbound rule log setting |
| Log when denied |
| SysCall Options |
| Allow mounting of filesystems |
| Allow creation of hardlinks |
| Sandbox Execution Options |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Fully Open Sandbox with Self Protection Enabled [fullopen_spe_ps] |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| fully open, self protection enabled inbound address list |
| Any |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| Any (0-65535) |
| Inbound udp port list |
| List of Inbound udp ports |
| high (1024-65535) |
| Any (0-65535) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Allow |
| Default inbound rule log setting |
| Log when denied |
| Outbound |
| Components |
| Outbound hosts list |
| fully open, self protection enabled outbound address list |
| Any |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| Any (0-65535) |
| Outbound udp port list |
| List of outbound udp ports |
| high (1024-65535) |
| Any (0-65535) |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Allow |
| Default outbound rule log setting |
| Log when denied |
| Sandbox Execution Options |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Basic Sandbox [basic_ps] |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Block modifications to windows services |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Process Access Controls |
| Limited Access Process Access Controls |
| Block and log modifications to these processes as trivial |
| List of processes that should not be modified |
| TargetProgram="%systemroot%\System32\lsass.exe", Program="%%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools\InstallPath%%vmtoolsd.exe", SignatureFlags="N00010000" |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| custom_int inbound address list |
| Any |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| Any (0-65535) |
| Inbound udp port list |
| List of Inbound udp ports |
| Any (0-65535) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Allow |
| Default inbound rule log setting |
| Log when denied |
| Outbound |
| Components |
| Outbound hosts list |
| custom_int outbound address list |
| Any |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| Any (0-65535) |
| Outbound udp port list |
| List of outbound udp ports |
| Any (0-65535) |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Allow |
| Default outbound rule log setting |
| Log when denied |
| Sandbox Execution Options |
| Programs the Basic Services may not run |
| List of programs the Basic Services may not run |
| Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%" |
| Programs the Basic Services may run if using specific arguments |
| List of programs the Basic Services may run if using specific arguments |
| Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%" |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |
| Hardened Sandbox [hardened_ps] |
| Protection Categories |
| Obey All Other Application Data Restrictions |
| Obey Global Resource List Restrictions |
| Software Installation Restrictions |
| Block modifications to executable files |
| Block modifications to Startup folders |
| Block registration of COM and ActiveX controls |
| Block product registration |
| Block the Windows Installer from running |
| Block modifications to windows services |
| Basic Operating System Restrictions |
| Protect auto start locations |
| Protect operating system resources |
| Protect the raw local disk device |
| Memory Controls |
| Enable Buffer Overflow Detection |
| Process Access Controls |
| Limited Access Process Access Controls |
| Block and log modifications to these processes as trivial |
| List of processes that should not be modified |
| TargetProgram="%systemroot%\System32\lsass.exe", Program="%%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools\InstallPath%%vmtoolsd.exe", SignatureFlags="N00010000" |
| Resource Lists |
| Writable Resource Lists |
| Allow modifications to these files |
| List of files that can be modified |
| Value="%systemdrive%\users\*\AppData\Local\Temp\*", Program="%%-32:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Tools\ClientSetup\SqlToolsPath%%Ssms.exe", Publisher="Microsoft Corporation", SignatureFlags="Microsoft Signed" |
| Value="%systemdrive%\users\*\AppData\Local\Temp\*", Program="%%-64:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Tools\ClientSetup\SqlToolsPath%%Ssms.exe", Publisher="Microsoft Corporation", SignatureFlags="Microsoft Signed" |
| Value="%systemdrive%\users\*\AppData\Local\Temp\*", Program="%%-32:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot%%v?.*\csc.exe", Publisher="Microsoft Corporation", SignatureFlags="Microsoft Signed" |
| Value="%systemdrive%\users\*\AppData\Local\Temp\*", Program="%%-64:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot%%v?.*\csc.exe", Publisher="Microsoft Corporation", SignatureFlags="Microsoft Signed" |
| Value="%systemdrive%\Documents and Settings\*\Local Settings\Temp\*", Program="%%-32:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Tools\ClientSetup\SqlToolsPath%%Ssms.exe", Publisher="Microsoft Corporation", SignatureFlags="Microsoft Signed" |
| Value="%systemdrive%\Documents and Settings\*\Local Settings\Temp\*", Program="%%-64:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Tools\ClientSetup\SqlToolsPath%%Ssms.exe", Publisher="Microsoft Corporation", SignatureFlags="Microsoft Signed" |
| Value="%systemdrive%\Documents and Settings\*\Local Settings\Temp\*", Program="%%-32:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot%%v?.*\csc.exe", Publisher="Microsoft Corporation", SignatureFlags="Microsoft Signed" |
| Value="%systemdrive%\Documents and Settings\*\Local Settings\Temp\*", Program="%%-64:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot%%v?.*\csc.exe", Publisher="Microsoft Corporation", SignatureFlags="Microsoft Signed" |
| Allow modifications to these Registry keys |
| List of Registry keys that can be modified |
| Value="\Registry\User\*\Software\Microsoft\SQL Server Management Studio\*\CLSID\*\InprocServer32", Program="%%-32:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Tools\ClientSetup\SqlToolsPath%%Ssms.exe", Publisher="Microsoft Corporation", SignatureFlags="Microsoft Signed" |
| Value="\Registry\User\*\Software\Microsoft\SQL Server Management Studio\*\CLSID\*\InprocServer32", Program="%%-64:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Tools\ClientSetup\SqlToolsPath%%Ssms.exe", Publisher="Microsoft Corporation", SignatureFlags="Microsoft Signed" |
| Value="\REGISTRY\MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\LastConnect", Program="%%-32:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Tools\ClientSetup\SqlToolsPath%%Ssms.exe", Publisher="Microsoft Corporation", SignatureFlags="Microsoft Signed" |
| Value="\REGISTRY\MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\LastConnect", Program="%%-64:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Tools\ClientSetup\SqlToolsPath%%Ssms.exe", Publisher="Microsoft Corporation", SignatureFlags="Microsoft Signed" |
| Network Controls |
| Inbound |
| Components |
| Inbound hosts list |
| std_int inbound address list |
| Local IPs (v4 and v6) |
| Global inbound hosts component |
| Inbound tcp port list |
| List of Inbound tcp ports |
| epmap (135) |
| Inbound udp port list |
| List of Inbound udp ports |
| epmap (135) |
| Inbound network rules |
| List of rules to control connections into this system |
| LocalPort="Any (0-65535)", RemoteIP="Local IPs (v4 and v6)", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="Any (0-65535)", RemoteIP="Local IPs (v4 and v6)", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
| LocalPort="Any (0-65535)", RemoteIP="Any", Protocol="TCP", Action="Deny", Log="Log", SignatureFlags="Interactive Process" |
| LocalPort="Any (0-65535)", RemoteIP="Any", Protocol="UDP", Action="Deny", Log="Log", SignatureFlags="Interactive Process" |
| LocalPort="Any (0-65535)", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
| LocalPort="Any (0-65535)", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default inbound rule |
| Default inbound rule action |
| Allow |
| Default inbound rule log setting |
| Log when denied |
| Outbound |
| Components |
| Outbound hosts list |
| hardened outbound address list |
| Local IPs (v4 and v6) |
| Global outbound hosts component |
| Outbound tcp port list |
| List of outbound tcp ports |
| ldap (389) |
| http (80) |
| https (443) |
| epmap (135) |
| Outbound udp port list |
| List of outbound udp ports |
| high (1024-65535) |
| Outbound network rules |
| List of rules to control outbound network connections |
| RemoteIP="Local IPs (v4 and v6)", RemotePort="Any (0-65535)", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="Local IPs (v4 and v6)", RemotePort="Any (0-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log", SignatureFlags="Interactive Process" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log", SignatureFlags="Interactive Process" |
| LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
| RemoteIP="Any", RemotePort="Any (0-65535)", Protocol="TCP", Action="Deny", Log="Log", SignatureFlags="Interactive Process" |
| RemoteIP="Any", RemotePort="Any (0-65535)", Protocol="UDP", Action="Deny", Log="Log", SignatureFlags="Interactive Process" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="Any (0-65535)", Protocol="TCP", Action="Allow", Log="Do not log" |
| RemoteIP="sandbox specific outbound hosts component", RemotePort="Any (0-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
| Default outbound rule |
| Default outbound rule action |
| Allow |
| Default outbound rule log setting |
| Log when denied |
| Sandbox Execution Options |
| Programs the Hardened Services may not run |
| List of programs the Hardened Services may not run |
| Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%" |
| Programs the Hardened Services may run if using specific arguments |
| List of programs the Hardened Services may run if using specific arguments |
| Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%" |
| Block execution of files with non-executable extensions |
| Module Execution |
| Modules to route to the Fully Open sandbox |
| List of modules to route to the Fully Open sandbox |
| %-global_fully_open_sandbox_module_list% |