SYM_WIN_WHITELISTING_SBP V6.0.0 R108 [SUMMARY]
10-Jul-2015 03:42:35 PDT
Exported By: symadmin    from Server: Localhost Server

 Global Policy Options
 Resource Lists
 Read-only Resource Lists
 Block modifications to these files
 List of files that should not be modified
 Value="%%-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\MOF Self-Install Directory%%"
 Value="%%-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\MOF Self-Install Directory%%\*"
 Process Logging Options
 Log process assignment messages
 Log process assignment command line arguments
 Global Policy Lists
 List of executable file extensions [global_exe_extensions_list]
 Executable File Extensions list
 *.exe
 *.bat
 *.com
 *.dll
 *.cpl
 *.pif
 *.vbe
 *.vbs
 *.shs
 *.shb
 *.scr
 *.cmd
 *.js
 *.jse
 *.wsh
 *.wsf
 *.reg
 *.hta
 *.ocx
 *.msc
 *.msi
 *.sys
 *.ps1
 *.msp
 *.msu
 *.plg
 *.ime
 *.Manifest
 *.drv
 *.tsp
 List of processes that services should not start [global_svc_child_norun_list]
 Processes services should not start list
 Program="%systemroot%\system32\rundll32.exe", SignatureFlags="Q01"
 Program="%systemroot%\system32\cmd.exe", SignatureFlags="Q01"
 Program="%systemroot%\system32\cscript.exe", SignatureFlags="Q01"
 Program="%systemroot%\system32\java.exe", SignatureFlags="Q01"
 Program="%systemroot%\system32\javaw.exe", SignatureFlags="Q01"
 Program="%systemroot%\system32\wscript.exe", SignatureFlags="Q01"
 Program="%systemroot%\system32\net.exe", SignatureFlags="Q01"
 Program="%systemroot%\system32\net1.exe", SignatureFlags="Q01"
 Program="%systemroot%\system32\wbem\mofcomp.exe"
 Program="%systemroot%\system32\ftp.exe", SignatureFlags="Q01"
 Program="%systemroot%\system32\tftp.exe", SignatureFlags="Q01"
 Program="%systemroot%\system32\rcp.exe", SignatureFlags="Q01"
 Program="%systemroot%\system32\telnet.exe", SignatureFlags="Q01"
 Program="%systemroot%\system32\rexec.exe", SignatureFlags="Q01"
 Program="%systemroot%\system32\rsh.exe", SignatureFlags="Q01"
 Program="%systemroot%\system32\mstsc.exe", SignatureFlags="Q01"
 Program="%systemroot%\system32\shutdown.exe", SignatureFlags="Q01"
 Program="%systemroot%\system32\taskkill.exe", SignatureFlags="Q01"
 Program="%systemroot%\system32\netsh.exe", SignatureFlags="Q01"
 Program="%systemroot%\system32\arp.exe", SignatureFlags="Q01"
 Program="%systemroot%\system32\nbtstat.exe", SignatureFlags="Q01"
 Program="*\osql.exe", SignatureFlags="Q01"
 Program="*\sqlcmd.exe", SignatureFlags="Q01"
 Program="*\command.com", SignatureFlags="Q01"
 Program="*\powershell.exe", SignatureFlags="Q01"
 Allow services to run these programs if using specific arguments. [global_svc_child_norun_except_list]
 Exception List
 Program="%systemroot%\system32\rundll32.exe", Arguments="&ci; %systemroot%\system32\rundll32.exe %systemroot%\system32\pla.dll* *", SignatureFlags="Q01"
 Program="%systemroot%\system32\rundll32.exe", Arguments="&ci; * newdev.dll* *", SignatureFlags="Q01"
 Program="%systemroot%\system32\rundll32.exe", Arguments="&ci; * //d sdengin2.dll,ExecuteScheduledBackup *", SignatureFlags="Q01"
 Program="%systemroot%\system32\rundll32.exe", Arguments="&ci; * //d srrstr.dll,ExecuteScheduledSPPCreation *", SignatureFlags="Q01"
 Program="%systemroot%\system32\rundll32.exe", Arguments="&ci; * aepdu.dll,AePduRunUpdate *", SignatureFlags="Q01"
 Program="%systemroot%\system32\rundll32.exe", Arguments="&ci; * //d acproxy.dll,PerformAutochkOperations *", SignatureFlags="Q01"
 Program="%systemroot%\syswow64\rundll32.exe", Arguments="&ci; %systemroot%\syswow64\rundll32.exe %systemroot%\syswow64\schedsvc.dll* *", SignatureFlags="Q01"
 Program="%systemroot%\system32\rundll32.exe", Arguments="&ci; %systemroot%\system32\rundll32.exe %systemroot%\system32\schedsvc.dll* *", SignatureFlags="Q01"
 Program="%systemroot%\syswow64\rundll32.exe", Arguments="&ci; %systemroot%\syswow64\rundll32.exe "%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Content\VirusDefs%%\*\cceraser.dll"* *", SignatureFlags="Q01"
 Program="%systemroot%\system32\rundll32.exe", Arguments="&ci; %systemroot%\system32\rundll32.exe "%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Content\VirusDefs%%\*\cceraser.dll"* *", SignatureFlags="Q01"
 List of modules to route to the Fully Open sandbox [global_fully_open_sandbox_module_list]
 Modules to route to the Fully Open sandbox
 %systemroot%\SYSTEM32\GPSVC.DLL
 Domain Controller Settings
 Data Protection
 File Data
 Block all access to the following files
 Application data that should not be accessed
 %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\DSA Database file%%
 %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory%%\*edb*
 %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Database backup path%%
 %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Database log files path%%\*.log
 %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\Sysvol%%
 %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\Database Directory%%\*
 %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Working Directory%%\jet\*
 \Device\HarddiskVolume?\WINDOWS\SYSVOL\*
 Registry Key Data
 Block modifications to the following Registry keys
 Application data that is read-only
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\*
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ntds\*
 Application Sandbox Options
 Host Security Programs [hsecurity_ps]
 Basic Options
 Host Security programs installed
 List of Host Security programs
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\NAV%%\Navw32.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\NAV%%\Navwnt.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\NAV%%\SAVScan.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\NAV%%\ccIMScn.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\NAV%%\navapsvc.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\NAV%%\NAVAPW32.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\NAV%%\OPScan.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\NAV%%\IWP\NPFMntor.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedUsage\LiveUpdate%%\LuComServer*.EXE
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedUsage\LiveUpdate%%\NDETECT.EXE
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%ccApp.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%LiveReg\IRALRSHL.EXE
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%Script Blocking\SBServ.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%SNDSrvc.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\SAVCE%%Rtvscan.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\SAVCE%%SavRoam.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Agent\Install Dir%%\mcagent.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Agent\Install Dir%%\mcregwiz.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Agent\Install Dir%%\mcupdate.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Agent\Install Dir%%\mcupdmgr.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Virusscan Online\Install Dir%%\McShield.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Virusscan Online\Install Dir%%\McVSEscn.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Virusscan Online\Install Dir%%\mcvsftsn.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Virusscan Online\Install Dir%%\mcvsmap.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Virusscan Online\Install Dir%%\mcvsrte.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion\szInstallDir%%csscan.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion\szInstallDir%%Mcshield.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion\szInstallDir%%mcupdate.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion\szInstallDir%%scan32.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\Shared Components\VirusScan Engine\4.0.XX\szInstallDir%%Scan.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\Shared Components\Framework\Installed Path%%\FrameworkService.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\Application Path%%Tmntsrv.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\Application Path%%TSC.EXE
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Application Path%%TSC.EXE
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Application Path%%PccNTMon.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Application Path%%TmListen.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%ccEvtMgr.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%ccSetMgr.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%ccProxy.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%ccSvcHst.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Symantec Shared Directory%%\CfgWiz.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Savrt%%\DoScan.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\SSCADMIN%%Deployment\Server Rollout\SETUP.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\SSCADMIN%%Deployment\ClientRemote Installation\clientremote.exe
 %programfiles%\NAV\rtvscan.exe
 %programfiles%\CA\etrust EZ Armor\etrust EZ Antivirus\autodown.exe
 %programfiles%\CA\etrust EZ Armor\etrust EZ Antivirus\vet32.exe
 %programfiles%\NavNT\rtvscan.exe
 %programfiles%\McAfee.com\shared\mghtml.exe
 %programfiles%\Symantec\LiveUpdate\*.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Sygate Technologies, Inc.\Sygate Personal Firewall\smc_install_path%%smc.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Internet Security%%\SymSPort.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Internet Security%%\fio.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\LiveState Recovery\3.0\InstallDir%%Agent\VProSvc.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\LiveState Recovery\6.0\InstallDir%%Agent\VProSvc.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SEPM\TargetDir%%*.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_install_path%%*.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\SAV Install Directory%%smc.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Altiris Agent\InstallDir%%\AeXNSAgent.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%Reporting Agents\Win32\ReporterSvc.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%SPBBC\SPBBCSvc.exe
 %programfiles%\Symantec\Symantec Endpoint Protection\*.exe
 %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Backup Exec System Recovery\ImagePath%%
 %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BackupExecRPCService\ImagePath%%
 %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BackupExecAgentAccelerator\ImagePath%%
 %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BackupExecJobEngine\ImagePath%%
 %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DLOMaintenanceSvc\ImagePath%%
 %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DLOAdminSvcu\ImagePath%%
 %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BackupExecDeviceMediaService\ImagePath%%
 %%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BackupExecAgentBrowser\ImagePath%%
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Internet Security%%SymSPort.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Internet Security%%fio.exe
 %%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Savrt%%vpdn_lu.exe
 %programfiles%\Symantec Client Security\Symantec AntiVirus\vpdn_lu.exe
 %programfiles%\Windows Defender\msascui.exe
 %%-HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\mfevtp\ImagePath%%\*
 %programfiles%\ActivIdentity\ActivClient\accrdsub.exe
 %%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection\szInstallDir%%\*
 Advanced Options
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Memory Controls
 Enable Buffer Overflow Detection
 Block unusual memory allocations
 Exceptions for unusual memory allocations
 List of program exceptions for unusual memory allocations
 Action="Allow", Log="Do not log", Program="%programfiles%\Symantec\Symantec Endpoint Protection\*.exe"
 Action="Allow", Log="Do not log", Program="%programfiles%\Symantec AntiVirus\*.exe"
 Action="Allow", Log="Do not log", Program="%commonprogramfiles%\Symantec Shared\*.exe"
 Action="Allow", Log="Do not log", Program="%programfiles%\Symantec\LiveUpdate\*.exe"
 Block unusual memory permission changes
 Exceptions for unusual memory permission changes
 List of program exceptions for unusual memory permission changes
 Action="Allow", Log="Do not log", Program="%programfiles%\Symantec\Symantec Endpoint Protection\*.exe"
 Action="Allow", Log="Do not log", Program="%programfiles%\Symantec AntiVirus\*.exe"
 Action="Allow", Log="Do not log", Program="%commonprogramfiles%\Symantec Shared\*.exe"
 Action="Allow", Log="Do not log", Program="%programfiles%\Symantec\LiveUpdate\*.exe"
 Block turning off Data Execution Prevention (DEP)
 Exceptions for turning off Data Execution Prevention (DEP)
 List of program exceptions for turning off DEP
 Action="Deny", Log="Log as trivial", Program="%programfiles%\Symantec\Symantec Endpoint Protection\*.exe"
 Action="Deny", Log="Log as trivial", Program="%programfiles%\Symantec AntiVirus\*.exe"
 Action="Deny", Log="Log as trivial", Program="%commonprogramfiles%\Symantec Shared\*.exe"
 Action="Deny", Log="Log as trivial", Program="%programfiles%\Symantec\LiveUpdate\*.exe"
 Process Access Controls
 Full Access Process Access Controls
 Allow full access to these processes
 List of processes to give full access to
 TargetProgram="%systemroot%\System32\winlogon.exe", Program="%%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_install_path%%smc.exe"
 Limited Access Process Access Controls
 Block and log modifications to these processes as trivial
 List of processes that should not be modified
 TargetProgram="%systemroot%\System32\lsass.exe"
 Network Controls
 Inbound
 Components
 Inbound hosts list
 av inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 sav tcp-fixed (2967)
 sav tcp-dynamic
 sep server default port (8443)
 sep database default port (2638)
 sep admin port (9090)
 altiris tcp port
 Inbound udp port list
 List of Inbound udp ports
 altiris udp port1
 altiris udp port2
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="Any (0-65535)", RemoteIP="Local IPs (v4 and v6)", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="Any (0-65535)", RemoteIP="Local IPs (v4 and v6)", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Allow
 Default inbound rule log setting
 Log when denied
 Outbound
 Components
 Outbound hosts list
 av outbound address list
 Any
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 sav tcp-fixed (2967)
 sav tcp-dynamic
 sep server default port (8443)
 sep database default port (2638)
 Any (0-65535)
 Outbound udp port list
 List of outbound udp ports
 high (1024-65535)
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Allow
 Default outbound rule log setting
 Log when denied
 Sandbox Execution Options
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Internet Explorer [iexplore_ps]
 Basic Options
 Disable execution of specific programs
 List of programs Internet Explorer should not execute
 Program="%systemroot%\system32\cmd.exe"
 Restrict Internet Explorer network access
 Advanced Options
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Block modifications to windows services
 Basic Operating System Restrictions
 Protect auto start locations
 Protect operating system resources
 Protect the raw local disk device
 Memory Controls
 Enable Buffer Overflow Detection
 Process Access Controls
 Full Access Process Access Controls
 Allow full access to these processes
 List of processes to give full access to
 TargetProgram="%systemroot%\explorer.exe", Program="%programfiles%\Internet Explorer\iexplore.exe"
 Network Controls
 Inbound
 Components
 Inbound hosts list
 iexplore inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound network rules
 List of rules to control connections into this system
 RemoteIP="Local IPs (v4 and v6)", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="Local IPs (v4 and v6)", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log"
 RemotePort="ftp-data (20)", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Allow
 Default inbound rule log setting
 Log when denied
 Outbound
 Components
 Outbound hosts list
 iexplore outbound address list
 Any
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 http (80)
 https (443)
 epmap (135)
 ldap (389)
 ftp (21)
 8081
 sep server default port (8443)
 sep admin port (9090)
 high (1024-65535)
 Outbound udp port list
 List of outbound udp ports
 domain (53)
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="Local IPs (v4 and v6)", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="Local IPs (v4 and v6)", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="high (1024-65535)", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Deny
 Default outbound rule log setting
 Log
 Sandbox Execution Options
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Internet Information Services [iis_ps]
 Advanced Options
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Block modifications to windows services
 Basic Operating System Restrictions
 Protect auto start locations
 Protect operating system resources
 Protect the raw local disk device
 Memory Controls
 Enable Buffer Overflow Detection
 Block unusual memory allocations
 Block unusual memory permission changes
 Block turning off Data Execution Prevention (DEP)
 Resource Lists
 Writable Resource Lists
 Allow modifications to these files
 List of files that can be modified
 Value="%systemdrive%\inetpub\temp"
 Value="%systemdrive%\inetpub\temp\*"
 Network Controls
 Inbound
 Components
 Enable access to mail-related resources
 Mail ports used by iis
 pop3 (110)
 pop3s (995)
 imap (143)
 imaps (993)
 smtp (25)
 ssmtp (465)
 msexch-routing (691)
 Enable access to news-related resources
 IIS news ports
 nntp (119)
 nntps (563)
 Enable access to FTP-related resources
 IIS news ports
 ftp (21)
 ftp-data (20)
 Inbound hosts list
 iis inbound address list
 Local IPs (v4 and v6)
 Inbound tcp port list
 List of Inbound tcp ports
 http (80)
 https (443)
 high (1024-65535)
 ldap (389)
 ldaps (636)
 msft-gc (3268)
 msft-gc-ssl (3269)
 smtp (25)
 Inbound udp port list
 List of Inbound udp ports
 high (1024-65535)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Deny
 Default inbound rule log setting
 Log
 Outbound
 Components
 Outbound hosts list
 iis outbound address list
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 ldap (389)
 ldaps (636)
 msft-gc
 msft-gc-ssl
 epmap (135)
 domain (53)
 msexch-routing (691)
 smtp (25)
 ssmtp (465)
 high (1024-65535)
 Outbound udp port list
 List of outbound udp ports
 domain (53)
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Deny
 Default outbound rule log setting
 Log
 Sandbox Execution Options
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Microsoft Exchange Server [exchange_ps]
 Advanced Options
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Block modifications to windows services
 Basic Operating System Restrictions
 Protect auto start locations
 Protect operating system resources
 Protect the raw local disk device
 Memory Controls
 Enable Buffer Overflow Detection
 Block unusual memory allocations
 Block unusual memory permission changes
 Block turning off Data Execution Prevention (DEP)
 Network Controls
 Inbound
 Components
 Inbound hosts list
 exchange inbound address list
 Local IPs (v4 and v6)
 Any
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 high (1024-65535)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="high (1024-65535)", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Deny
 Default inbound rule log setting
 Log
 Outbound
 Components
 Outbound hosts list
 exchange outbound address list
 Any
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 domain (53)
 http (80)
 https (443)
 imap (143)
 imaps (993)
 irc (194)
 ircs (994)
 ldap (389)
 ldaps (636)
 nntp (119)
 nntps (563)
 pop3 (110)
 pop3s (995)
 epmap (135)
 smtp (25)
 ssmtp (465)
 msft-gc
 msft-gc-ssl
 msexch-routing (691)
 netbios-session (139)
 high (1024-65535)
 Outbound udp port list
 List of outbound udp ports
 domain (53)
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific outbound hosts component", RemotePort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Deny
 Default outbound rule log setting
 Log
 Sandbox Execution Options
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Microsoft Office [msoffice_ps]
 Basic Options
 Restrict registry access of Microsoft Office programs
 Advanced Options
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Block modifications to windows services
 Basic Operating System Restrictions
 Protect auto start locations
 Protect operating system resources
 Protect the raw local disk device
 Memory Controls
 Enable Buffer Overflow Detection
 Process Access Controls
 Full Access Process Access Controls
 Allow full access to these processes
 List of processes to give full access to
 TargetProgram="%programfiles%\Microsoft Office\Office*\*.exe", Program="%systemroot%\splwow64.exe"
 Limited Access Process Access Controls
 Block and log modifications to these processes as trivial
 List of processes that should not be modified
 TargetProgram="%systemroot%\explorer.exe", Program="%programfiles%\Microsoft Office\Office*\*.exe"
 Network Controls
 Inbound
 Components
 Inbound hosts list
 msoffice inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 Any (0-65535)
 Inbound udp port list
 List of Inbound udp ports
 Any (0-65535)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="high (1024-65535)", RemoteIP="sandbox specific outbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Allow
 Default inbound rule log setting
 Log when denied
 Outbound
 Components
 Outbound hosts list
 msoffice outbound address list
 Any
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 Any (0-65535)
 Outbound udp port list
 List of outbound udp ports
 Any (0-65535)
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific inbound hosts component", RemotePort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Allow
 Default outbound rule log setting
 Log when denied
 Sandbox Execution Options
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Microsoft SQL Server [mssqlsrv_ps]
 Advanced Options
 Microsoft SQL Server Application Data Protection
 Microsoft SQL Server Application File Data
 Block all access to the following Microsoft SQL Server files
 Application data that should not be accessed
 %%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Setup\SQLPath%%\Data\*
 %%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Setup\SQLDataRoot%%\Data\*
 \Device\HarddiskVolume?*\MSSQL\DATA\*
 %%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Setup\SQLPath%%\Backup\*
 \Device\HarddiskVolume?*\MSSQL\Backup\*
 %%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Setup\SQLPath%%\repldata\*
 \Device\HarddiskVolume?*\MSSQL\repldata\*
 Block modifications to the following Microsoft SQL Server files
 Application data that is read-only
 %%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Setup\SQLPath%%\Logs\*
 %%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Setup\SQLPath%%\LOG\*
 %%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Setup\SQLPath%%LogFiles\*
 \Device\HarddiskVolume?*\MSSQL\Logs\*
 %%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Setup\SQLPath%%\Template Data\*
 \Device\HarddiskVolume?*\MSSQL\Template Data\*
 %%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Setup\SQLPath%%\JOBS\*
 \Device\HarddiskVolume?*\MSSQL\JOBS\*
 %%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Setup\SQLPath%%\Binn\*
 \Device\HarddiskVolume?*\MSSQL\Binn\*
 %%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Setup\SQLPath%%\Install\*
 \Device\HarddiskVolume?*\MSSQL\Install\*
 %programfiles%\Microsoft SQL Server\*
 Microsoft SQL Server Application Registry Key Data
 Block modifications to the following Microsoft SQL Server Registry keys
 Application data that is read-only
 \Registry\Machine\SOFTWARE\Microsoft\Microsoft SQL Server
 \Registry\Machine\SOFTWARE\Microsoft\Microsoft SQL Server\*
 \Registry\Machine\SOFTWARE\Microsoft\MSSQLServer
 \Registry\Machine\SOFTWARE\Microsoft\MSSQLServer\*
 \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\MICROSOFT SQL SERVER\%%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\InstalledInstances%%
 \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\MICROSOFT SQL SERVER\%%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\InstalledInstances%%\*
 \REGISTRY\MACHINE\Software\Microsoft\Microsoft SQL Server\MSSQL.*
 \REGISTRY\MACHINE\Software\Microsoft\Microsoft SQL Server\*\MSSQLServer
 \REGISTRY\MACHINE\Software\Microsoft\Microsoft SQL Server\*\MSSQLServer\*
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Block modifications to windows services
 Basic Operating System Restrictions
 Protect auto start locations
 Protect operating system resources
 Protect the raw local disk device
 Memory Controls
 Enable Buffer Overflow Detection
 Block unusual memory allocations
 Exceptions for unusual memory allocations
 List of program exceptions for unusual memory allocations
 Action="Allow", Log="Do not log", Program="*\sqlservr.exe"
 Block unusual memory permission changes
 Block turning off Data Execution Prevention (DEP)
 Network Controls
 Inbound
 Components
 Inbound hosts list
 mssqlsrv inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 ms-sql-s (1433)
 ms-sql-s1 (dynamic)
 ms-sql-s2 (dynamic)
 ms-sql-s3 (dynamic)
 Inbound udp port list
 List of Inbound udp ports
 ms-sql-m (1434)
 ms-sql-m1 (dynamic)
 Inbound network rules
 List of rules to control connections into this system
 RemoteIP="Local IPs (v4 and v6)", RemotePort="ms-sql-m (1434)", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="Local IPs (v4 and v6)", RemotePort="ms-sql-m1 (dynamic)", Protocol="UDP", Action="Disabled", Log="Do not log"
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Deny
 Default inbound rule log setting
 Log
 Outbound
 Components
 Outbound hosts list
 mssqlsrv outbound address list
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 epmap (135)
 high (1024-65535)
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="Local IPs (v4 and v6)", RemotePort="ms-sql-m (1434)", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="Local IPs (v4 and v6)", RemotePort="ms-sql-m1 (dynamic)", Protocol="UDP", Action="Disabled", Log="Do not log"
 RemotePort="ms-sql-m (1434)", Protocol="UDP", Action="Deny", Log="Log as trivial"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Deny
 Default outbound rule log setting
 Log
 Sandbox Execution Options
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Outlook & Outlook Express [outlook_ps]
 Advanced Options
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Block modifications to windows services
 Basic Operating System Restrictions
 Protect auto start locations
 Protect operating system resources
 Protect the raw local disk device
 Memory Controls
 Enable Buffer Overflow Detection
 Process Access Controls
 Full Access Process Access Controls
 Allow full access to these processes
 List of processes to give full access to
 TargetProgram="%systemroot%\explorer.exe", Program="%programfiles%\Outlook Express\msimn.exe"
 TargetProgram="%systemroot%\system32\ctfmon.exe", Program="%programfiles%\Outlook Express\msimn.exe"
 TargetProgram="%systemroot%\explorer.exe", Program="%programfiles%\Microsoft Office\Office12\OUTLOOK.EXE"
 Network Controls
 Inbound
 Components
 Inbound hosts list
 outlook inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 Any (0-65535)
 Inbound udp port list
 List of Inbound udp ports
 Any (0-65535)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="high (1024-65535)", RemoteIP="sandbox specific outbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Allow
 Default inbound rule log setting
 Log when denied
 Outbound
 Components
 Outbound hosts list
 outlook outbound address list
 Any
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 Any (0-65535)
 Outbound udp port list
 List of outbound udp ports
 Any (0-65535)
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific inbound hosts component", RemotePort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Allow
 Default outbound rule log setting
 Log when denied
 Sandbox Execution Options
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Oracle RDBMS [oracledb_ps]
 Advanced Options
 Oracle RDBMS Application Data Protection
 Oracle RDBMS Application File Data
 Block all access to the following Oracle RDBMS Program files
 Application data that should not be accessed
 \Device\HarddiskVolume?*\app\**\oradata\*
 \Device\HarddiskVolume?*\app\**\flash_recovery_area\*
 Block modifications to the following Oracle RDBMS Program files
 Application data that is read-only
 \Device\HarddiskVolume?*\app\**
 \Device\HarddiskVolume?\Oracle*\**
 Oracle RDBMS Application Registry Key Data
 Block modifications to the following Oracle RDBMS Program Registry keys
 Application data that is read-only
 \Registry\Machine\SOFTWARE\ORACLE\**
 \Registry\Machine\SOFTWARE\ORACLE
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Block modifications to windows services
 Basic Operating System Restrictions
 Protect auto start locations
 Protect operating system resources
 Protect the raw local disk device
 Memory Controls
 Enable Buffer Overflow Detection
 Block unusual memory allocations
 Block unusual memory permission changes
 Block turning off Data Execution Prevention (DEP)
 Process Access Controls
 Full Access Process Access Controls
 Allow full access to these processes
 List of processes to give full access to
 TargetProgram="*\PRODUCT\1*\*\BIN\ORACLE.EXE", Program="*\BIN\EMAGENT.EXE"
 TargetProgram="*\PRODUCT\1*\*\BIN\ORACLE.EXE", Program="*\BIN\TNSLSNR.EXE"
 Network Controls
 Inbound
 Components
 Inbound hosts list
 oracledb inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 0.0.0.1
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="1158", RemoteIP="sandbox specific inbound hosts component", RemotePort="dynamic (49152-65535)", Protocol="TCP", Action="allow", Log="Do not log", Program="*\jdk\bin\java.exe"
 LocalPort="1521-1527", RemoteIP="sandbox specific inbound hosts component", RemotePort="dynamic (49152-65535)", Protocol="TCP", Action="Allow", Log="Do not log", Program="*\bin\tnslsnr.exe"
 LocalPort="2030", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log", Program="*\bin\omtsreco.exe"
 LocalPort="3938", RemoteIP="sandbox specific outbound hosts component", RemotePort="dynamic (49152-65535)", Protocol="TCP", Action="Allow", Log="Do not log", Program="*\bin\emagent.exe"
 LocalPort="8080", RemoteIP="sandbox specific inbound hosts component", RemotePort="dynamic (49152-65535)", Protocol="TCP", Action="Allow", Log="Do not log", Program="*\bin\tnslsnr.exe"
 LocalPort="10000", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log", Program="*\bin\emagent.exe"
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Deny
 Default inbound rule log setting
 Log
 Outbound
 Components
 Outbound hosts list
 oracledb outbound address list
 Local IPs (v4 and v6)
 Global outbound hosts component
 0.0.0.1
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific outbound hosts component", RemotePort="1521-1527", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="dynamic (49152-65535)", RemoteIP="sandbox specific outbound hosts component", RemotePort="1158", Protocol="TCP", Action="Allow", Log="Do not log", Program="*\bin\em*.exe"
 LocalPort="dynamic (49152-65535)", RemoteIP="sandbox specific outbound hosts component", RemotePort="3938", Protocol="TCP", Action="Allow", Log="Do not log", Program="*\bin\em*.exe"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Deny
 Default outbound rule log setting
 Log
 Sandbox Execution Options
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 OS Sandbox Options
 SDCSS Agent [sdcss_agent_ps]
 Advanced Options
 SDCSS Agent Application Data Protection
 SDCSS Agent Application File Data
 Block all access to the following SDCSS Agent files
 Application data that should not be accessed
 %%HKEY_LOCAL_MACHINE\Software\symantec\intrusion security\Agent\LogInstallRoot%%\*.csv
 Protection Categories
 Application Data Protection
 Obey All Other Application Data Restrictions
 Resource List Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Basic Operating System Restrictions
 Protect auto start locations
 Protect operating system resources
 Protect the raw local disk device
 Process Access Controls
 No-Access Process Access Controls
 Block and log all access to these processes as trivial
 List of processes that should not be accessed
 TargetProgram="%systemroot%\System32\lsass.exe"
 Network Controls
 Inbound
 Components
 Inbound hosts list
 afagent inbound address list
 SDCSS Server IP
 Inbound tcp port list
 List of Inbound tcp ports
 sdcssagent
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemotePort="domain (53)", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="Local IPs (v4 and v6)", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="Local IPs (v4 and v6)", Protocol="TCP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Deny
 Default inbound rule log setting
 Log as trivial
 Outbound
 Components
 Outbound hosts list
 afagent outbound address list
 SDCSS Server IP
 Outbound tcp port list
 List of outbound tcp ports
 sdcssserver
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemotePort="domain (53)", Protocol="Both TCP and UDP", Action="Allow", Log="Do not log"
 RemoteIP="Local IPs (v4 and v6)", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="Local IPs (v4 and v6)", Protocol="TCP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Deny
 Default outbound rule log setting
 Log as trivial
 Sandbox Execution Options
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 SDCSS Manager [sdcss_manager_ps]
 Advanced Options
 Protection Categories
 Application Data Protection
 Obey All Other Application Data Restrictions
 Resource List Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Block modifications to windows services
 Basic Operating System Restrictions
 Protect auto start locations
 Protect operating system resources
 Protect the raw local disk device
 Network Controls
 Inbound
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="Any (0-65535)", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="Any (0-65535)", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Allow
 Default inbound rule log setting
 Log when denied
 Outbound
 Outbound network rules
 List of rules to control outbound network connections
 RemotePort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log"
 RemotePort="Any (0-65535)", Protocol="TCP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Allow
 Default outbound rule log setting
 Log when denied
 Sandbox Execution Options
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 SDCSS Console [sdcss_console_ps]
 Advanced Options
 Protection Categories
 Application Data Protection
 Obey All Other Application Data Restrictions
 Resource List Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Block modifications to windows services
 Basic Operating System Restrictions
 Protect auto start locations
 Protect operating system resources
 Protect the raw local disk device
 Network Controls
 Inbound
 Components
 Inbound hosts list
 appfireui inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 Any (0-65535)
 Inbound udp port list
 List of Inbound udp ports
 Any (0-65535)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Allow
 Default inbound rule log setting
 Log when denied
 Outbound
 Components
 Outbound hosts list
 appfireui outbound address list
 Local IPs (v4 and v6)
 Global outbound hosts component
 SDCSS Server IP
 Outbound tcp port list
 List of outbound tcp ports
 Any (0-65535)
 Outbound udp port list
 List of outbound udp ports
 high (1024-65535)
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Allow
 Default outbound rule log setting
 Log when denied
 Sandbox Execution Options
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Default Windows Programs and Services [def_winsvcs_ps]
 Advanced Options
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Block modifications to windows services
 Basic Operating System Restrictions
 Protect operating system resources
 Protect the raw local disk device
 Memory Controls
 Enable Buffer Overflow Detection
 Block unusual memory allocations
 Exceptions for unusual memory allocations
 List of program exceptions for unusual memory allocations
 Action="Allow", Log="Do not log", Program="%systemroot%\EXPLORER.exe"
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\mmc.exe"
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\rundll32.exe"
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\searchfilterhost.exe"
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\slsvc.exe"
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\svchost.exe"
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\wermgr.exe"
 Block unusual memory permission changes
 Exceptions for unusual memory permission changes
 List of program exceptions for unusual memory permission changes
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\svchost.exe"
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\WSCNTFY.EXE"
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\VERCLSID.EXE"
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\SCRNSAVE.SCR"
 Action="Allow", Log="Do not log", Program="%systemroot%\EXPLORER.exe"
 Block turning off Data Execution Prevention (DEP)
 Exceptions for turning off Data Execution Prevention (DEP)
 List of program exceptions for turning off DEP
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\SCRNSAVE.SCR"
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\VERCLSID.EXE"
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\WSCNTFY.EXE"
 Process Access Controls
 Full Access Process Access Controls
 Allow full access to these processes
 List of processes to give full access to
 TargetProgram="%systemroot%\System32\wbem\wmiprvse.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *"
 TargetProgram="%systemroot%\System32\winlogon.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *"
 TargetProgram="%systemroot%\explorer.exe", Program="%systemroot%\system32\svchost.exe"
 TargetProgram="%systemroot%\System32\csrss.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *"
 TargetProgram="%systemroot%\System32\SearchIndexer.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *"
 TargetProgram="%systemroot%\System32\RunDll32.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *"
 TargetProgram="%systemroot%\System32\slui.exe", Program="%systemroot%\system32\sppsvc.exe"
 TargetProgram="%systemroot%\explorer.exe", Program="%systemroot%\system32\sppsvc.exe"
 TargetProgram="%systemroot%\System32\svchost.exe", Program="%systemroot%\system32\sppsvc.exe"
 TargetProgram="%systemroot%\System32\runas.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *"
 TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k RPCSS *", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k DcomLaunch *"
 TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k LocalService *", Program="%systemroot%\system32\SLsvc.exe"
 TargetProgram="%programfiles%\Outlook Express\msimn.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *"
 TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k RPCSS *", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *"
 TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k netsvcs *", Program="%systemroot%\system32\consent.exe"
 TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k netsvcs *", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k DcomLaunch *"
 TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k DcomLaunch *", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *"
 TargetProgram="*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k DcomLaunch *"
 TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k termsvcs *", Program="%systemroot%\system32\svchost.exe"
 TargetProgram="%systemroot%\system32\wininit.exe", Program="%systemroot%\system32\svchost.exe"
 TargetProgram="%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedUsage\LiveUpdate%%\LuComServer*.EXE", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *"
 TargetProgram="%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\SAVCE%%Rtvscan.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *"
 TargetProgram="%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_install_path%%Smc.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *"
 TargetProgram="%systemroot%\system32\spoolsv.exe", Program="%systemroot%\system32\svchost.exe"
 TargetProgram="*", Program="%systemroot%\system32\audiodg.exe"
 TargetProgram="%programfiles%\Microsoft Office Communicator\communicator.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *"
 TargetProgram="%programfiles%\Windows Media Player\wmpnetwk.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *"
 TargetProgram="%systemroot%\System32\spoolsv.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *"
 TargetProgram="%programfiles%\Adobe\Reader *\Reader\AcroRd32.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *"
 TargetProgram="%ProgramFiles%\Symantec\Symantec Endpoint Protection\*\Bin\ccSvcHst.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *"
 TargetProgram="%systemroot%\system32\wbem\wmiprvse.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *"
 TargetProgram="%systemroot%\system32\lsass.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *"
 TargetProgram="%ProgramFiles%\Microsoft Office\Office*\OUTLOOK.EXE", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *"
 TargetProgram="%systemroot%\Explorer.EXE", Program="%systemroot%\system32\SearchProtocolHost.exe"
 TargetProgram="%systemroot%\system32\svchost.exe", Program="%systemroot%\system32\svchost.exe"
 TargetProgram="%systemroot%\system32\vssvc.exe", Program="%systemroot%\system32\svchost.exe"
 TargetProgram="\Device\HardDiskVolume?\Documents and Settings\User_Name\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *"
 TargetProgram="\Device\HardDiskVolume?\Documents and Settings\User_Name\Local Settings\Application Data\Google\Chrome\Application\chrome.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *"
 TargetProgram="\Device\HardDiskVolume?\Program Files\Microsoft Office Communicator\communicator.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *"
 TargetProgram="%systemroot%\system32\*.scr", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *"
 Limited Access Process Access Controls
 Block and log modifications to these processes as trivial
 List of processes that should not be modified
 TargetProgram="%systemroot%\System32\lsass.exe", Program="%systemroot%\system32\mmc.exe", SignatureFlags="N00000020"
 No-Access Process Access Controls
 Block and log all access to these processes as trivial
 List of processes that should not be accessed
 TargetProgram="%%HKEY_LOCAL_MACHINE\Software\symantec\intrusion security\Agent\InstallRoot%%\IPS\bin\SISIPSService.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *"
 TargetProgram="%%HKEY_LOCAL_MACHINE\Software\symantec\intrusion security\Agent\InstallRoot%%\IPS\bin\SISManager.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *"
 TargetProgram="%systemroot%\System32\lsass.exe", Program="%systemroot%\System32\taskmgr.exe", SignatureFlags="N00000020"
 Resource Lists
 Writable Resource Lists
 Allow modifications to these Registry keys
 List of Registry keys that can be modified
 Value="\REGISTRY\MACHINE\SYSTEM\*controlset*\services\VSS\Diag\*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k SDRSVC *"
 Value="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows*\CurrentVersion\SPP*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k SDRSVC *"
 Value="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k SDRSVC *"
 Value="\REGISTRY\MACHINE\SYSTEM\*controlset*\services\NetLogon", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k NetworkService *"
 Value="\REGISTRY\MACHINE\SYSTEM\*controlset*\services\NetLogon\*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k NetworkService *"
 Value="\REGISTRY\MACHINE\SYSTEM\*controlset*\services\W32Time\*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k NetworkService *"
 Network Controls
 Inbound
 Components
 Inbound hosts list
 def_winsvcs inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 Any (0-65535)
 Inbound udp port list
 List of Inbound udp ports
 Any (0-65535)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="bootpc (68)", RemotePort="bootps (67)", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Allow
 Default inbound rule log setting
 Log when denied
 Outbound
 Components
 Outbound hosts list
 def_winsvcs outbound address list
 Any
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 Any (0-65535)
 Outbound udp port list
 List of outbound udp ports
 Any (0-65535)
 ntp (123)
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Allow
 Default outbound rule log setting
 Log when denied
 Sandbox Execution Options
 Programs the Default Windows Services may not run
 List of programs the Default Windows Services may not run
 Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%"
 Programs the Default Windows Services may run if using specific arguments
 List of programs the Default Windows services may run if using specific arguments
 Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%"
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Distributed File System [dfssvc_ps]
 Advanced Options
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Block modifications to windows services
 Basic Operating System Restrictions
 Protect auto start locations
 Protect operating system resources
 Protect the raw local disk device
 Memory Controls
 Enable Buffer Overflow Detection
 Block unusual memory allocations
 Block unusual memory permission changes
 Block turning off Data Execution Prevention (DEP)
 Network Controls
 Inbound
 Components
 Inbound hosts list
 dfssvc inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 high (1024-65535)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Deny
 Default inbound rule log setting
 Log
 Outbound
 Components
 Outbound hosts list
 dfssvc outbound address list
 Any
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 epmap (135)
 ldap (389)
 ldaps (636)
 high (1024-65535)
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Deny
 Default outbound rule log setting
 Log
 Sandbox Execution Options
 Programs the Distributed File System Service may not run
 List of programs the Distributed File System Service may not run
 Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%"
 Programs the Distributed File System Service may run if using specific arguments
 List of programs the Distributed File System Service may run if using specific arguments
 Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%"
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Distributed Transaction Coordinator [msdtc_ps]
 Advanced Options
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Block modifications to windows services
 Basic Operating System Restrictions
 Protect auto start locations
 Protect operating system resources
 Protect the raw local disk device
 Memory Controls
 Enable Buffer Overflow Detection
 Block unusual memory allocations
 Block turning off Data Execution Prevention (DEP)
 Network Controls
 Inbound
 Components
 Inbound hosts list
 msdtc inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 high (1024-65535)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Deny
 Default inbound rule log setting
 Log
 Outbound
 Components
 Outbound hosts list
 msdtc outbound address list
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Deny
 Default outbound rule log setting
 Log
 Sandbox Execution Options
 Programs the Distributed Transaction Coordinator Service may not run
 List of programs the Distributed Transaction Coordinator Service may not run
 Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%"
 Programs the Distributed Transaction Coordinator Service may run if using specific arguments
 List of programs the Distributed Transaction Coordinator Service may run if using specific arguments
 Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%"
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 DNS Server [dns_ps]
 Advanced Options
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Block modifications to windows services
 Basic Operating System Restrictions
 Protect auto start locations
 Protect operating system resources
 Protect the raw local disk device
 Memory Controls
 Enable Buffer Overflow Detection
 Block unusual memory allocations
 Block unusual memory permission changes
 Block turning off Data Execution Prevention (DEP)
 Network Controls
 Inbound
 Components
 Inbound hosts list
 dns inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 domain (53)
 Inbound udp port list
 List of Inbound udp ports
 domain (53)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="high (1024-65535)", RemoteIP="Local IPs (v4 and v6)", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="high (1024-65535)", RemoteIP="Local IPs (v4 and v6)", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Deny
 Default inbound rule log setting
 Log
 Outbound
 Components
 Outbound hosts list
 dns outbound address list
 Any
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 domain (53)
 ldap (389)
 high (1024-65535)
 Outbound udp port list
 List of outbound udp ports
 domain (53)
 high (1024-65535)
 Outbound network rules
 List of rules to control outbound network connections
 LocalPort="high (1024-65535)", RemoteIP="Local IPs (v4 and v6)", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Deny
 Default outbound rule log setting
 Log
 Sandbox Execution Options
 Programs the DNS Server may not run
 List of programs the DNS Server may not run
 Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%"
 Programs the DNS Server may run if using specific arguments
 List of programs the DNS Server may run if using specific arguments
 Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%"
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 File Replication Service [ntfrs_ps]
 Advanced Options
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Block modifications to windows services
 Basic Operating System Restrictions
 Protect auto start locations
 Protect operating system resources
 Protect the raw local disk device
 Memory Controls
 Enable Buffer Overflow Detection
 Block unusual memory allocations
 Block unusual memory permission changes
 Block turning off Data Execution Prevention (DEP)
 Network Controls
 Inbound
 Components
 Inbound hosts list
 ntfrs inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 high (1024-65535)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Deny
 Default inbound rule log setting
 Log
 Outbound
 Components
 Outbound hosts list
 ntfrs outbound address list
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 ldap (389)
 epmap (135)
 high (1024-65535)
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Deny
 Default outbound rule log setting
 Log
 Sandbox Execution Options
 Programs the File Replication Service may not run
 List of programs the File Replication Service may not run
 Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%"
 Programs the File Replication Service may run if using specific arguments
 List of programs the File Replication Service may run if using specific arguments
 Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%"
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Interactive Launch Processes [int_launch_ps]
 Advanced Options
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Memory Controls
 Enable Buffer Overflow Detection
 Block unusual memory allocations
 Exceptions for unusual memory allocations
 List of program exceptions for unusual memory allocations
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\csrss.exe"
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\wininit.exe"
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\winlogon.exe"
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\wbem\wmiprvse.exe"
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\logonui.exe", Module Path="\WINDOWS\SYSTEM32\DUSER.DLL"
 Action="Allow", Log="Do not log", Program="%systemroot%\explorer.exe", Module Path="\WINDOWS\SYSTEM32\DUSER.DLL"
 Block unusual memory permission changes
 Exceptions for unusual memory permission changes
 List of program exceptions for unusual memory permission changes
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\lsass.exe"
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\winlogon.exe"
 Action="Allow", Log="Do not log", Program="%systemroot%\System32\wbem\wmiprvse.exe"
 Action="Allow", Log="Do not log", Program="%systemroot%\explorer.exe"
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\logon.scr"
 Block turning off Data Execution Prevention (DEP)
 Exceptions for turning off Data Execution Prevention (DEP)
 List of program exceptions for turning off DEP
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\logon.scr"
 Process Access Controls
 Full Access Process Access Controls
 Allow full access to these processes
 List of processes to give full access to
 TargetProgram="*", Program="%systemroot%\System32\lsass.exe"
 TargetProgram="*", Program="%systemroot%\System32\winlogon.exe"
 TargetProgram="%systemroot%\System32\wbem\wmiprvse.exe", Program="%systemroot%\System32\csrss.exe"
 Network Controls
 Inbound
 Components
 Inbound hosts list
 system inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 Any (0-65535)
 Inbound udp port list
 List of Inbound udp ports
 Any (0-65535)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="high (1024-65535)", RemoteIP="sandbox specific outbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Deny
 Default inbound rule log setting
 Log
 Outbound
 Components
 Outbound hosts list
 system outbound address list
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 Any (0-65535)
 Outbound udp port list
 List of outbound udp ports
 Any (0-65535)
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific inbound hosts component", RemotePort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Allow
 Default outbound rule log setting
 Log when denied
 Sandbox Execution Options
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Kernel Driver Options [kernel_ps]
 Advanced Options
 Network Controls
 Inbound
 Components
 Inbound hosts list
 kernel inbound address list
 Any
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 Any (0-65535)
 Inbound udp port list
 List of Inbound udp ports
 Any (0-65535)
 bootpc (68)
 bootps (67)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="%iis_accept_tcp_list%", RemoteIP="%iis_netaccept_addr_list%", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="%termsrv_accept_tcp_list%", RemoteIP="%termsrv_netaccept_addr_list%", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="netbios-datagram (138)", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="netbios-ns (137)", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="high (1024-65535)", RemoteIP="sandbox specific outbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Allow
 Default inbound rule log setting
 Log when denied
 Outbound
 Components
 Outbound hosts list
 kernel outbound address list
 Any
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 netbios-session (139)
 high (1024-65535)
 Outbound udp port list
 List of outbound udp ports
 high (1024-65535)
 bootpc (68)
 bootps (67)
 Outbound network rules
 List of rules to control outbound network connections
 LocalPort="netbios-datagram (138)", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="netbios-ns (137)", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific inbound hosts component", RemotePort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Allow
 Default outbound rule log setting
 Log when denied
 License Logging Service [llssrv_ps]
 Advanced Options
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Block modifications to windows services
 Basic Operating System Restrictions
 Protect auto start locations
 Protect operating system resources
 Protect the raw local disk device
 Memory Controls
 Enable Buffer Overflow Detection
 Block unusual memory allocations
 Block unusual memory permission changes
 Block turning off Data Execution Prevention (DEP)
 Network Controls
 Inbound
 Components
 Inbound hosts list
 llssrv inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 high (1024-65535)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Deny
 Default inbound rule log setting
 Log
 Outbound
 Components
 Outbound hosts list
 llssrv outbound address list
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 ldap (389)
 ldaps (636)
 epmap (135)
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="Local IPs (v4 and v6)", RemotePort="high (1024-65535)", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Deny
 Default outbound rule log setting
 Log
 Sandbox Execution Options
 Programs the License Logging Service may not run
 List of programs the License Logging Service may not run
 Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%"
 Programs the License Logging Service may run if using specific arguments
 List of programs the License Logging Service may run if using specific arguments
 Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%"
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Local Security Authority Subsystem Service [lsass_ps]
 Advanced Options
 Local Security Authority Subsystem Application Data Protection
 Local Security Authority Subsystem Application Process Data
 Block all access to the following Local Security Authority Subsystem processes
 Application data that should not be accessed
 Program="%systemroot%\System32\lsass.exe"
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Memory Controls
 Enable Buffer Overflow Detection
 Block unusual memory allocations
 Network Controls
 Inbound
 Components
 Inbound hosts list
 llssrv inbound address list
 Local IPs (v4 and v6)
 Local Subnet addresses (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 Any (0-65535)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Deny
 Default inbound rule log setting
 Log
 Outbound
 Components
 Outbound hosts list
 lsass outbound address list
 Local IPs (v4 and v6)
 Local Subnet addresses (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 Any (0-65535)
 Outbound udp port list
 List of outbound udp ports
 Any (0-65535)
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="Local IPs (v4 and v6)", RemotePort="high (1024-65535)", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Allow
 Default outbound rule log setting
 Log when denied
 Sandbox Execution Options
 Programs the Local Security Authority Subsystem Service may not run
 List of programs the Local Security Authority Subsystem Service may not run
 Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%"
 Programs the Local Security Authority Subsystem Service may run if using specific arguments
 List of programs the Local Security Authority Subsystem Service may run if using specific arguments
 Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%"
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Print Spooler [spoolsv_ps]
 Advanced Options
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Block modifications to windows services
 Basic Operating System Restrictions
 Protect auto start locations
 Protect operating system resources
 Protect the raw local disk device
 Memory Controls
 Enable Buffer Overflow Detection
 Block unusual memory allocations
 Block unusual memory permission changes
 Block turning off Data Execution Prevention (DEP)
 Process Access Controls
 Full Access Process Access Controls
 Allow full access to these processes
 List of processes to give full access to
 TargetProgram="%systemroot%\System32\winlogon.exe", Program="%systemroot%\System32\spoolsv.exe"
 TargetProgram="%systemroot%\explorer.exe", Program="%systemroot%\System32\spoolsv.exe"
 Limited Access Process Access Controls
 Block and log modifications to these processes as trivial
 List of processes that should not be modified
 TargetProgram="%programfiles%\Microsoft Office\Office*\*.exe", Program="%systemroot%\System32\spoolsv.exe"
 Network Controls
 Inbound
 Components
 Inbound hosts list
 spoolsv inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 high (1024-65535)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Deny
 Default inbound rule log setting
 Log
 Outbound
 Components
 Outbound hosts list
 spoolsv outbound address list
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 epmap (135)
 ldap (389)
 ldaps (636)
 high (1024-65535)
 domain (53)
 printer (515)
 Outbound udp port list
 List of outbound udp ports
 snmp (161)
 slp (427)
 domain (53)
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Deny
 Default outbound rule log setting
 Log
 Sandbox Execution Options
 Programs the Print Spooler may not run
 List of programs the Print Spooler may not run
 Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%"
 Programs the Print Spooler may run if using specific arguments
 List of programs the Print Spooler may run if using specific arguments
 Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%"
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Remote Procedure Call (RPC) [rpcss_ps]
 Advanced Options
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Block modifications to windows services
 Basic Operating System Restrictions
 Protect auto start locations
 Protect operating system resources
 Protect the raw local disk device
 Memory Controls
 Enable Buffer Overflow Detection
 Block unusual memory allocations
 Exceptions for unusual memory allocations
 List of program exceptions for unusual memory allocations
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\svchost.exe"
 Block unusual memory permission changes
 Block turning off Data Execution Prevention (DEP)
 Process Access Controls
 Full Access Process Access Controls
 Allow full access to these processes
 List of processes to give full access to
 TargetProgram="%systemroot%\System32\dllhost.exe", Program="%systemroot%\System32\svchost.exe"
 TargetProgram="%systemroot%\System32\svchost.exe", TargetArguments="&ci; * -k rpcss *", Program="%systemroot%\System32\svchost.exe"
 TargetProgram="%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_install_path%%SescLU.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k rpcss *"
 TargetProgram="%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\SAVCE%%SavUI.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k rpcss *"
 TargetProgram="%systemroot%\system32\wbem\wmiprvse.exe", Program="%systemroot%\System32\svchost.exe", Arguments="&ci; * -k rpcss *"
 TargetProgram="%systemroot%\winsxs\*\tiworker.exe", Program="%systemroot%\System32\svchost.exe", Arguments="&ci; * -k rpcss *"
 Limited Access Process Access Controls
 Block and log modifications to these processes as trivial
 List of processes that should not be modified
 TargetProgram="%programfiles%\*\Microsoft Shared\Office*\Office Setup Controller\setup.exe", Program="%systemroot%\System32\svchost.exe", Arguments="&ci; * -k rpcss *"
 TargetProgram="%systemroot%\System32\wbem\wmiprvse.exe", Program="%systemroot%\System32\svchost.exe", Arguments="&ci; * -k rpcss *"
 Network Controls
 Inbound
 Components
 Inbound hosts list
 rpcss inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 epmap (135)
 http-rpc-epmap (593)
 Inbound udp port list
 List of Inbound udp ports
 epmap (135)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="high (1024-65535)", RemoteIP="Local IPs (v4 and v6)", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Deny
 Default inbound rule log setting
 Log
 Outbound
 Components
 Outbound hosts list
 rpcss outbound address list
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 epmap (135)
 http-rpc-epmap (593)
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Deny
 Default outbound rule log setting
 Log
 Sandbox Execution Options
 Programs the RPC Service may not run
 List of programs the RPC Service may not run
 Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%"
 Programs the RPC Service may run if using specific arguments
 List of programs the RPC Service may run if using specific arguments
 Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%"
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Remote Registry Service [regsvc_ps]
 Advanced Options
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Block modifications to windows services
 Basic Operating System Restrictions
 Protect auto start locations
 Protect operating system resources
 Protect the raw local disk device
 Memory Controls
 Enable Buffer Overflow Detection
 Block unusual memory allocations
 Block unusual memory permission changes
 Block turning off Data Execution Prevention (DEP)
 Network Controls
 Inbound
 Components
 Inbound hosts list
 regsvc inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 high (1024-65535)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Deny
 Default inbound rule log setting
 Log
 Outbound
 Components
 Outbound hosts list
 regsvc outbound address list
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Deny
 Default outbound rule log setting
 Log
 Sandbox Execution Options
 Programs the Remote Registry Service may not run
 List of programs the Remote Registry Service may not run
 Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%"
 Programs the Remote Registry Service may run if using specific arguments
 List of programs the Remote Registry Service may run if using specific arguments
 Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%"
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Service Control Manager [svc_launch_ps]
 Advanced Options
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Memory Controls
 Enable Buffer Overflow Detection
 Block unusual memory allocations
 Block unusual memory permission changes
 Block turning off Data Execution Prevention (DEP)
 Process Access Controls
 Full Access Process Access Controls
 Allow full access to these processes
 List of processes to give full access to
 TargetProgram="%systemroot%\system32\userinit.exe", Program="%systemroot%\System32\services.exe"
 TargetProgram="%systemroot%\explorer.exe", Program="%systemroot%\System32\services.exe"
 Limited Access Process Access Controls
 Block and log modifications to these processes as trivial
 List of processes that should not be modified
 TargetProgram="%systemroot%\System32\lsass.exe"
 Network Controls
 Inbound
 Components
 Inbound hosts list
 scm inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 Any (0-65535)
 Inbound udp port list
 List of Inbound udp ports
 Any (0-65535)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="bootpc (68)", RemotePort="bootps (67)", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="ntp (123)", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Allow
 Default inbound rule log setting
 Log when denied
 Outbound
 Components
 Outbound hosts list
 scm outbound address list
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 Any (0-65535)
 Outbound udp port list
 List of outbound udp ports
 Any (0-65535)
 Outbound network rules
 List of rules to control outbound network connections
 LocalPort="bootpc (68)", RemotePort="bootps (67)", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific inbound hosts component", RemotePort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Allow
 Default outbound rule log setting
 Log when denied
 Sandbox Execution Options
 Programs the Service Control Manager may not run
 List of programs the Service Control Manager may not run
 Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%"
 Programs the Service Control Manager may run if using specific arguments
 List of programs the Service Control Manager may run if using specific arguments
 Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%"
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Secondary Logon [runas_ps]
 Advanced Options
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Block modifications to windows services
 Basic Operating System Restrictions
 Protect auto start locations
 Protect operating system resources
 Protect the raw local disk device
 Memory Controls
 Enable Buffer Overflow Detection
 Block unusual memory allocations
 Block unusual memory permission changes
 Block turning off Data Execution Prevention (DEP)
 Network Controls
 Inbound
 Components
 Inbound hosts list
 runas inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Deny
 Default inbound rule log setting
 Log
 Outbound
 Components
 Outbound hosts list
 runas outbound address list
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Deny
 Default outbound rule log setting
 Log
 Sandbox Execution Options
 Programs the Secondary Logon Service may not run
 List of programs the Secondary Logon Service may not run
 Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%"
 Programs the Secondary Logon Service may run if using specific arguments
 List of programs the Secondary Logon Service may run if using specific arguments
 Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%"
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Simple TCP/IP Services [tcpsvc_ps]
 Advanced Options
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Block modifications to windows services
 Basic Operating System Restrictions
 Protect auto start locations
 Protect operating system resources
 Protect the raw local disk device
 Memory Controls
 Enable Buffer Overflow Detection
 Block unusual memory allocations
 Block unusual memory permission changes
 Block turning off Data Execution Prevention (DEP)
 Network Controls
 Inbound
 Components
 Inbound hosts list
 tcpsvcs inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 bootps (67)
 bootpc (68)
 high (1024-65535)
 printer (515)
 Inbound udp port list
 List of Inbound udp ports
 bootps (67)
 bootpc (68)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Deny
 Default inbound rule log setting
 Log
 Outbound
 Components
 Outbound hosts list
 tcpsvcs outbound address list
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 ldap (389)
 ldaps (636)
 domain (53)
 Outbound udp port list
 List of outbound udp ports
 bootps (67)
 bootpc (68)
 domain (53)
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="Local IPs (v4 and v6)", RemotePort="high (1024-65535)", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Deny
 Default outbound rule log setting
 Log
 Sandbox Execution Options
 Programs the Simple TCP/IP Services may not run
 List of programs the Simple TCP/IP Services may not run
 Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%"
 Programs the Simple TCP/IP Services may run if using specific arguments
 List of programs the Simple TCP/IP Services may run if using specific arguments
 Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%"
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 SNMP Service [snmp_ps]
 Advanced Options
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Block modifications to windows services
 Basic Operating System Restrictions
 Protect auto start locations
 Protect operating system resources
 Protect the raw local disk device
 Memory Controls
 Enable Buffer Overflow Detection
 Block unusual memory allocations
 Block unusual memory permission changes
 Block turning off Data Execution Prevention (DEP)
 Network Controls
 Inbound
 Components
 Inbound hosts list
 snmp inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 snmp (161)
 snmptrap (162)
 Inbound udp port list
 List of Inbound udp ports
 snmp (161)
 snmptrap (162)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Allow
 Default inbound rule log setting
 Log when denied
 Outbound
 Components
 Outbound hosts list
 snmp outbound address list
 Any
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound udp port list
 List of outbound udp ports
 snmptrap
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Deny
 Default outbound rule log setting
 Log
 Sandbox Execution Options
 Programs the SNMP Service may not run
 List of programs the SNMP Service may not run
 Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%"
 Programs the SNMP Service may run if using specific arguments
 List of programs the SNMP Service may run if using specific arguments
 Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%"
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Startup Processes [system_ps]
 Advanced Options
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Memory Controls
 Enable Buffer Overflow Detection
 Block unusual memory allocations
 Exceptions for unusual memory allocations
 List of program exceptions for unusual memory allocations
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\csrss.exe"
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\winlogon.exe"
 Action="Allow", Log="Do not log", Program="%systemroot%\System32\wbem\wmiprvse.exe"
 Block unusual memory permission changes
 Exceptions for unusual memory permission changes
 List of program exceptions for unusual memory permission changes
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\lsass.exe"
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\winlogon.exe"
 Action="Allow", Log="Do not log", Program="%systemroot%\System32\wbem\wmiprvse.exe"
 Block turning off Data Execution Prevention (DEP)
 Process Access Controls
 Full Access Process Access Controls
 Allow full access to these processes
 List of processes to give full access to
 TargetProgram="*", Program="%systemroot%\System32\lsass.exe"
 TargetProgram="*", Program="%systemroot%\System32\winlogon.exe"
 TargetProgram="%systemroot%\System32\wbem\wmiprvse.exe", Program="%systemroot%\System32\csrss.exe"
 Network Controls
 Inbound
 Components
 Inbound hosts list
 system inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 Any (0-65535)
 Inbound udp port list
 List of Inbound udp ports
 Any (0-65535)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="high (1024-65535)", RemoteIP="sandbox specific outbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Deny
 Default inbound rule log setting
 Log
 Outbound
 Components
 Outbound hosts list
 system outbound address list
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 Any (0-65535)
 Outbound udp port list
 List of outbound udp ports
 Any (0-65535)
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific inbound hosts component", RemotePort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Allow
 Default outbound rule log setting
 Log when denied
 Sandbox Execution Options
 Programs the Startup Services may not run
 List of programs the Startup Services may not run
 Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%"
 Programs the Startup Services may run if using specific arguments
 List of programs the Startup Services may run if using specific arguments
 Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%"
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Task Scheduler Service [mstask_ps]
 Advanced Options
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Block modifications to windows services
 Basic Operating System Restrictions
 Protect auto start locations
 Protect operating system resources
 Protect the raw local disk device
 Memory Controls
 Enable Buffer Overflow Detection
 Block unusual memory allocations
 Block unusual memory permission changes
 Block turning off Data Execution Prevention (DEP)
 Process Access Controls
 Full Access Process Access Controls
 Allow full access to these processes
 List of processes to give full access to
 TargetProgram="%systemroot%\system32\svchost.exe", Program="%systemroot%\system32\svchost.exe"
 Network Controls
 Inbound
 Components
 Inbound hosts list
 mstask inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 high (1024-65535)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Deny
 Default inbound rule log setting
 Log
 Outbound
 Components
 Outbound hosts list
 mstask outbound address list
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 Any (0-65535)
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Deny
 Default outbound rule log setting
 Log
 Sandbox Execution Options
 Programs the Task Scheduler may not run
 List of programs the Task Scheduler may not run
 Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%"
 Programs the Task Scheduler may run if using specific arguments
 List of programs the Task Scheduler may run if using specific arguments
 Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%"
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Telephony [tapisrv_ps]
 Advanced Options
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Block modifications to windows services
 Basic Operating System Restrictions
 Protect auto start locations
 Protect operating system resources
 Protect the raw local disk device
 Memory Controls
 Enable Buffer Overflow Detection
 Block unusual memory allocations
 Block unusual memory permission changes
 Block turning off Data Execution Prevention (DEP)
 Process Access Controls
 Full Access Process Access Controls
 Allow full access to these processes
 List of processes to give full access to
 TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k netsvcs *", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k tapisrv *"
 Network Controls
 Inbound
 Components
 Inbound hosts list
 tapisrv inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Deny
 Default inbound rule log setting
 Log
 Outbound
 Components
 Outbound hosts list
 tapisrv outbound address list
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Deny
 Default outbound rule log setting
 Log
 Sandbox Execution Options
 Programs the Telephony Service may not run
 List of programs the Telephony Service may not run
 Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%"
 Programs the Telephony Service may run if using specific arguments
 List of programs the Telephony Service may run if using specific arguments
 Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%"
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Terminal Services [termsrv_ps]
 Advanced Options
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Block modifications to windows services
 Basic Operating System Restrictions
 Protect auto start locations
 Protect operating system resources
 Protect the raw local disk device
 Memory Controls
 Enable Buffer Overflow Detection
 Block unusual memory allocations
 Exceptions for unusual memory allocations
 List of program exceptions for unusual memory allocations
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\lsm.exe"
 Block unusual memory permission changes
 Block turning off Data Execution Prevention (DEP)
 Process Access Controls
 Full Access Process Access Controls
 Allow full access to these processes
 List of processes to give full access to
 TargetProgram="%systemroot%\System32\winlogon.exe", Program="%systemroot%\System32\svchost.exe"
 TargetProgram="%systemroot%\System32\csrss.exe", Program="%systemroot%\System32\svchost.exe"
 TargetProgram="%systemroot%\System32\logon.scr", Program="%systemroot%\System32\svchost.exe"
 TargetProgram="%systemroot%\System32\rdpclip.exe", Program="%systemroot%\System32\svchost.exe"
 TargetProgram="*", Program="%systemroot%\system32\lsm.exe"
 Network Controls
 Inbound
 Components
 Inbound hosts list
 termsrv inbound address list
 Any
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 ms-wbt-server (3389)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Deny
 Default inbound rule log setting
 Log
 Outbound
 Components
 Outbound hosts list
 termsrv outbound address list
 Any
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 epmap (135)
 ldap (389)
 high (1024-65535)
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Deny
 Default outbound rule log setting
 Log
 Sandbox Execution Options
 Programs the Terminal Services may not run
 List of programs the Terminal Services may not run
 Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%"
 Programs the Terminal Services may run if using specific arguments
 List of programs the Terminal Services may run if using specific arguments
 Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%"
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Windows Internet Name Service (WINS) [wins_ps]
 Basic Options
 Enable WINS management
 Advanced Options
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Block modifications to windows services
 Basic Operating System Restrictions
 Protect auto start locations
 Protect operating system resources
 Protect the raw local disk device
 Memory Controls
 Enable Buffer Overflow Detection
 Block unusual memory allocations
 Block unusual memory permission changes
 Block turning off Data Execution Prevention (DEP)
 Network Controls
 Inbound
 Components
 Inbound hosts list
 wins inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 netbios-ns (137)
 high (1024-65535)
 nameserver (42)
 Inbound udp port list
 List of Inbound udp ports
 nameserver (42)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Deny
 Default inbound rule log setting
 Log
 Outbound
 Components
 Outbound hosts list
 wins outbound address list
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 nameserver
 Outbound udp port list
 List of outbound udp ports
 nameserver
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Deny
 Default outbound rule log setting
 Log
 Sandbox Execution Options
 Programs the WINS Service may not run
 List of programs the WINS Service may not run
 Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%"
 Programs the WINS Service may run if using specific arguments
 List of programs the WINS Service may run if using specific arguments
 Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%"
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Windows Management Instrumentation [wmisvc_ps]
 Advanced Options
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Block modifications to windows services
 Basic Operating System Restrictions
 Protect auto start locations
 Protect operating system resources
 Protect the raw local disk device
 Memory Controls
 Enable Buffer Overflow Detection
 Block unusual memory allocations
 Exceptions for unusual memory allocations
 List of program exceptions for unusual memory allocations
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\WBEM\WMIPRVSE.EXE", Module Path="\WINDOWS\SYSTEM32\DPCDLL.DLL"
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\WBEM\WMIPRVSE.EXE", Module Path="\WINDOWS\SYSTEM32\LICDLL.DLL"
 Block unusual memory permission changes
 Block turning off Data Execution Prevention (DEP)
 Process Access Controls
 Limited Access Process Access Controls
 Block and log modifications to these processes as trivial
 List of processes that should not be modified
 TargetProgram="%systemroot%\System32\lsass.exe", Program="%systemroot%\system32\wbem\wmiprvse.exe", SignatureFlags="N00000020"
 Network Controls
 Inbound
 Components
 Inbound hosts list
 winmgmt inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 high (1024-65535)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Deny
 Default inbound rule log setting
 Log
 Outbound
 Components
 Outbound hosts list
 winmgmt outbound address list
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 ldap (389)
 epmap (135)
 msft-gc
 msft-gc-ssl
 msexch-routing (691)
 high (1024-65535)
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Deny
 Default outbound rule log setting
 Log
 Sandbox Execution Options
 Programs the WMI Service may not run
 List of programs the WMI Service may not run
 Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%"
 Programs the WMI Service may run if using specific arguments
 List of programs the WMI Service may run if using specific arguments
 Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%"
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Windows Netsvcs Services [netsvcs_ps]
 Advanced Options
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Block modifications to windows services
 Basic Operating System Restrictions
 Protect auto start locations
 Protect operating system resources
 Protect the raw local disk device
 Memory Controls
 Enable Buffer Overflow Detection
 Block unusual memory allocations
 Exceptions for unusual memory allocations
 List of program exceptions for unusual memory allocations
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\svchost.exe"
 Block unusual memory permission changes
 Exceptions for unusual memory permission changes
 List of program exceptions for unusual memory permission changes
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\svchost.exe"
 Block turning off Data Execution Prevention (DEP)
 Exceptions for turning off Data Execution Prevention (DEP)
 List of program exceptions for turning off DEP
 Action="Allow", Log="Do not log", Program="%systemroot%\system32\svchost.exe"
 Process Access Controls
 Full Access Process Access Controls
 Allow full access to these processes
 List of processes to give full access to
 TargetProgram="*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *"
 TargetProgram="%systemroot%\explorer.exe", Program="%systemroot%\system32\svchost.exe"
 TargetProgram="%systemroot%\System32\slui.exe", Program="%systemroot%\system32\sppsvc.exe"
 TargetProgram="%systemroot%\explorer.exe", Program="%systemroot%\system32\sppsvc.exe"
 TargetProgram="%systemroot%\System32\svchost.exe", Program="%systemroot%\system32\sppsvc.exe"
 TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k RPCSS *", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k DcomLaunch *"
 TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k LocalService *", Program="%systemroot%\system32\SLsvc.exe"
 TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k netsvcs *", Program="%systemroot%\system32\consent.exe"
 TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k netsvcs *", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k DcomLaunch *"
 TargetProgram="*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k DcomLaunch *"
 TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k termsvcs *", Program="%systemroot%\system32\svchost.exe"
 TargetProgram="%systemroot%\system32\wininit.exe", Program="%systemroot%\system32\svchost.exe"
 TargetProgram="%systemroot%\system32\spoolsv.exe", Program="%systemroot%\system32\svchost.exe"
 TargetProgram="%systemroot%\system32\msiexec.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *"
 TargetProgram="*", Program="%systemroot%\system32\audiodg.exe"
 TargetProgram="%programfiles%\Microsoft Office Communicator\communicator.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *"
 TargetProgram="%programfiles%\Windows Media Player\wmpnetwk.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *"
 TargetProgram="%systemroot%\System32\spoolsv.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *"
 TargetProgram="%programfiles%\Adobe\Reader *\Reader\AcroRd32.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *"
 TargetProgram="%ProgramFiles%\Symantec\Symantec Endpoint Protection\*\Bin\ccSvcHst.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *"
 TargetProgram="%systemroot%\system32\wbem\wmiprvse.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *"
 TargetProgram="%systemroot%\system32\lsass.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *"
 TargetProgram="%ProgramFiles%\Microsoft Office\Office*\OUTLOOK.EXE", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *"
 TargetProgram="%systemroot%\Explorer.EXE", Program="%systemroot%\system32\SearchProtocolHost.exe"
 TargetProgram="%systemroot%\system32\svchost.exe", Program="%systemroot%\system32\svchost.exe"
 TargetProgram="%systemroot%\system32\vssvc.exe", Program="%systemroot%\system32\svchost.exe"
 TargetProgram="\Device\HardDiskVolume?\Documents and Settings\User_Name\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *"
 TargetProgram="\Device\HardDiskVolume?\Documents and Settings\User_Name\Local Settings\Application Data\Google\Chrome\Application\chrome.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *"
 TargetProgram="\Device\HardDiskVolume?\Program Files\Microsoft Office Communicator\communicator.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *"
 TargetProgram="%systemroot%\system32\*.scr", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *"
 TargetProgram="%systemroot%\softwaredistribution\download\*.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *"
 No-Access Process Access Controls
 Block and log all access to these processes as trivial
 List of processes that should not be accessed
 TargetProgram="%%HKEY_LOCAL_MACHINE\Software\symantec\intrusion security\Agent\InstallRoot%%\IPS\bin\SISIPSService.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *"
 TargetProgram="%%HKEY_LOCAL_MACHINE\Software\symantec\intrusion security\Agent\InstallRoot%%\IPS\bin\SISManager.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *"
 Resource Lists
 Writable Resource Lists
 Allow modifications to these files
 List of files that can be modified
 Value="%systemroot%\softwaredistribution\download\*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *"
 Allow modifications to these Registry keys
 List of Registry keys that can be modified
 Value="\REGISTRY\MACHINE\SYSTEM\*controlset*\services\VSS\Diag\*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k SDRSVC *"
 Value="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows*\CurrentVersion\SPP*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k SDRSVC *"
 Value="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k SDRSVC *"
 Value="\REGISTRY\MACHINE\SYSTEM\*controlset*\services\NetLogon", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k NetworkService *"
 Value="\REGISTRY\MACHINE\SYSTEM\*controlset*\services\NetLogon\*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k NetworkService *"
 Value="\REGISTRY\MACHINE\SYSTEM\*controlset*\services\W32Time\*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k NetworkService *"
 Network Controls
 Inbound
 Components
 Inbound hosts list
 netsvcs inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 Any (0-65535)
 Inbound udp port list
 List of Inbound udp ports
 Any (0-65535)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="bootpc (68)", RemotePort="bootps (67)", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Allow
 Default inbound rule log setting
 Log when denied
 Outbound
 Components
 Outbound hosts list
 Netsvcs outbound address list
 Any
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 Any (0-65535)
 Outbound udp port list
 List of outbound udp ports
 Any (0-65535)
 ntp (123)
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Allow
 Default outbound rule log setting
 Log when denied
 SysCall Options
 Allow creation of hardlinks
 Sandbox Execution Options
 Programs the Windows Netsvcs Services may not run
 List of programs the Windows Netsvcs Services may not run
 Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%"
 Programs the Windows Netsvcs Services may run if using specific arguments
 List of programs the Windows Netsvcs Services may run if using specific arguments
 Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%"
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Windows Update [windows_update_ps]
 Memory Controls
 Enable Buffer Overflow Detection
 Network Controls
 Inbound
 Components
 Inbound hosts list
 windows updates inbound address list
 Any
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 Any (0-65535)
 Inbound udp port list
 List of Inbound udp ports
 high (1024-65535)
 Any (0-65535)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Allow
 Default inbound rule log setting
 Log when denied
 Outbound
 Components
 Outbound hosts list
 windows update outbound address list
 Any
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 Any (0-65535)
 Outbound udp port list
 List of outbound udp ports
 high (1024-65535)
 Any (0-65535)
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Allow
 Default outbound rule log setting
 Log when denied
 SysCall Options
 Allow mounting of filesystems
 Allow creation of hardlinks
 Sandbox Execution Options
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Trusted Updater Sandbox Options
 SDCSS Updater Sandbox [sdcss_updater_ps]
 Protection Categories
 Software Installation Restrictions
 Block modifications to Startup folders
 Network Controls
 Inbound
 Components
 Inbound hosts list
 full_int inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 Any (0-65535)
 Inbound udp port list
 List of Inbound udp ports
 high (1024-65535)
 Any (0-65535)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Allow
 Default inbound rule log setting
 Log when denied
 Outbound
 Components
 Outbound hosts list
 full_int outbound address list
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 Any (0-65535)
 Outbound udp port list
 List of outbound udp ports
 high (1024-65535)
 Any (0-65535)
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Allow
 Default outbound rule log setting
 Log when denied
 SysCall Options
 Allow mounting of filesystems
 Allow creation of hardlinks
 Sandbox Execution Options
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Trusted Updater Sandbox [trusted_updater_ps]
 Protection Categories
 Obey Global Resource List Restrictions
 Memory Controls
 Enable Buffer Overflow Detection
 Network Controls
 Inbound
 Components
 Inbound hosts list
 fully open, self protection enabled inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 Any (0-65535)
 Inbound udp port list
 List of Inbound udp ports
 high (1024-65535)
 Any (0-65535)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Allow
 Default inbound rule log setting
 Log when denied
 Outbound
 Components
 Outbound hosts list
 fully open, self protection enabled outbound address list
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 Any (0-65535)
 Outbound udp port list
 List of outbound udp ports
 high (1024-65535)
 Any (0-65535)
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Allow
 Default outbound rule log setting
 Log when denied
 Sandbox Execution Options
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Generic Sandbox Options
 Fully Open Sandbox [fullopen_ps]
 Network Controls
 Inbound
 Components
 Inbound hosts list
 full_int inbound address list
 Any
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 Any (0-65535)
 Inbound udp port list
 List of Inbound udp ports
 high (1024-65535)
 Any (0-65535)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Allow
 Default inbound rule log setting
 Log when denied
 Outbound
 Components
 Outbound hosts list
 full_int outbound address list
 Any
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 Any (0-65535)
 Outbound udp port list
 List of outbound udp ports
 high (1024-65535)
 Any (0-65535)
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Allow
 Default outbound rule log setting
 Log when denied
 SysCall Options
 Allow mounting of filesystems
 Allow creation of hardlinks
 Sandbox Execution Options
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Fully Open Sandbox with Self Protection Enabled [fullopen_spe_ps]
 Memory Controls
 Enable Buffer Overflow Detection
 Network Controls
 Inbound
 Components
 Inbound hosts list
 fully open, self protection enabled inbound address list
 Any
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 Any (0-65535)
 Inbound udp port list
 List of Inbound udp ports
 high (1024-65535)
 Any (0-65535)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Allow
 Default inbound rule log setting
 Log when denied
 Outbound
 Components
 Outbound hosts list
 fully open, self protection enabled outbound address list
 Any
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 Any (0-65535)
 Outbound udp port list
 List of outbound udp ports
 high (1024-65535)
 Any (0-65535)
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Allow
 Default outbound rule log setting
 Log when denied
 Sandbox Execution Options
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Basic Sandbox [basic_ps]
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Block modifications to windows services
 Memory Controls
 Enable Buffer Overflow Detection
 Process Access Controls
 Limited Access Process Access Controls
 Block and log modifications to these processes as trivial
 List of processes that should not be modified
 TargetProgram="%systemroot%\System32\lsass.exe", Program="%%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools\InstallPath%%vmtoolsd.exe", SignatureFlags="N00010000"
 Network Controls
 Inbound
 Components
 Inbound hosts list
 custom_int inbound address list
 Any
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 Any (0-65535)
 Inbound udp port list
 List of Inbound udp ports
 Any (0-65535)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Allow
 Default inbound rule log setting
 Log when denied
 Outbound
 Components
 Outbound hosts list
 custom_int outbound address list
 Any
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 Any (0-65535)
 Outbound udp port list
 List of outbound udp ports
 Any (0-65535)
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Allow
 Default outbound rule log setting
 Log when denied
 Sandbox Execution Options
 Programs the Basic Services may not run
 List of programs the Basic Services may not run
 Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%"
 Programs the Basic Services may run if using specific arguments
 List of programs the Basic Services may run if using specific arguments
 Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%"
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 Hardened Sandbox [hardened_ps]
 Protection Categories
 Obey All Other Application Data Restrictions
 Obey Global Resource List Restrictions
 Software Installation Restrictions
 Block modifications to executable files
 Block modifications to Startup folders
 Block registration of COM and ActiveX controls
 Block product registration
 Block the Windows Installer from running
 Block modifications to windows services
 Basic Operating System Restrictions
 Protect auto start locations
 Protect operating system resources
 Protect the raw local disk device
 Memory Controls
 Enable Buffer Overflow Detection
 Process Access Controls
 Limited Access Process Access Controls
 Block and log modifications to these processes as trivial
 List of processes that should not be modified
 TargetProgram="%systemroot%\System32\lsass.exe", Program="%%-ALL:HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools\InstallPath%%vmtoolsd.exe", SignatureFlags="N00010000"
 Resource Lists
 Writable Resource Lists
 Allow modifications to these files
 List of files that can be modified
 Value="%systemdrive%\users\*\AppData\Local\Temp\*", Program="%%-32:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Tools\ClientSetup\SqlToolsPath%%Ssms.exe", Publisher="Microsoft Corporation", SignatureFlags="Microsoft Signed"
 Value="%systemdrive%\users\*\AppData\Local\Temp\*", Program="%%-64:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Tools\ClientSetup\SqlToolsPath%%Ssms.exe", Publisher="Microsoft Corporation", SignatureFlags="Microsoft Signed"
 Value="%systemdrive%\users\*\AppData\Local\Temp\*", Program="%%-32:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot%%v?.*\csc.exe", Publisher="Microsoft Corporation", SignatureFlags="Microsoft Signed"
 Value="%systemdrive%\users\*\AppData\Local\Temp\*", Program="%%-64:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot%%v?.*\csc.exe", Publisher="Microsoft Corporation", SignatureFlags="Microsoft Signed"
 Value="%systemdrive%\Documents and Settings\*\Local Settings\Temp\*", Program="%%-32:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Tools\ClientSetup\SqlToolsPath%%Ssms.exe", Publisher="Microsoft Corporation", SignatureFlags="Microsoft Signed"
 Value="%systemdrive%\Documents and Settings\*\Local Settings\Temp\*", Program="%%-64:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Tools\ClientSetup\SqlToolsPath%%Ssms.exe", Publisher="Microsoft Corporation", SignatureFlags="Microsoft Signed"
 Value="%systemdrive%\Documents and Settings\*\Local Settings\Temp\*", Program="%%-32:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot%%v?.*\csc.exe", Publisher="Microsoft Corporation", SignatureFlags="Microsoft Signed"
 Value="%systemdrive%\Documents and Settings\*\Local Settings\Temp\*", Program="%%-64:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot%%v?.*\csc.exe", Publisher="Microsoft Corporation", SignatureFlags="Microsoft Signed"
 Allow modifications to these Registry keys
 List of Registry keys that can be modified
 Value="\Registry\User\*\Software\Microsoft\SQL Server Management Studio\*\CLSID\*\InprocServer32", Program="%%-32:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Tools\ClientSetup\SqlToolsPath%%Ssms.exe", Publisher="Microsoft Corporation", SignatureFlags="Microsoft Signed"
 Value="\Registry\User\*\Software\Microsoft\SQL Server Management Studio\*\CLSID\*\InprocServer32", Program="%%-64:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Tools\ClientSetup\SqlToolsPath%%Ssms.exe", Publisher="Microsoft Corporation", SignatureFlags="Microsoft Signed"
 Value="\REGISTRY\MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\LastConnect", Program="%%-32:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Tools\ClientSetup\SqlToolsPath%%Ssms.exe", Publisher="Microsoft Corporation", SignatureFlags="Microsoft Signed"
 Value="\REGISTRY\MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\LastConnect", Program="%%-64:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\*\Tools\ClientSetup\SqlToolsPath%%Ssms.exe", Publisher="Microsoft Corporation", SignatureFlags="Microsoft Signed"
 Network Controls
 Inbound
 Components
 Inbound hosts list
 std_int inbound address list
 Local IPs (v4 and v6)
 Global inbound hosts component
 Inbound tcp port list
 List of Inbound tcp ports
 epmap (135)
 Inbound udp port list
 List of Inbound udp ports
 epmap (135)
 Inbound network rules
 List of rules to control connections into this system
 LocalPort="Any (0-65535)", RemoteIP="Local IPs (v4 and v6)", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="Any (0-65535)", RemoteIP="Local IPs (v4 and v6)", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific tcp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
 LocalPort="Any (0-65535)", RemoteIP="Any", Protocol="TCP", Action="Deny", Log="Log", SignatureFlags="Interactive Process"
 LocalPort="Any (0-65535)", RemoteIP="Any", Protocol="UDP", Action="Deny", Log="Log", SignatureFlags="Interactive Process"
 LocalPort="Any (0-65535)", RemoteIP="sandbox specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
 LocalPort="Any (0-65535)", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 Default inbound rule
 Default inbound rule action
 Allow
 Default inbound rule log setting
 Log when denied
 Outbound
 Components
 Outbound hosts list
 hardened outbound address list
 Local IPs (v4 and v6)
 Global outbound hosts component
 Outbound tcp port list
 List of outbound tcp ports
 ldap (389)
 http (80)
 https (443)
 epmap (135)
 Outbound udp port list
 List of outbound udp ports
 high (1024-65535)
 Outbound network rules
 List of rules to control outbound network connections
 RemoteIP="Local IPs (v4 and v6)", RemotePort="Any (0-65535)", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="Local IPs (v4 and v6)", RemotePort="Any (0-65535)", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log", SignatureFlags="Interactive Process"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="sandbox specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log", SignatureFlags="Interactive Process"
 LocalPort="sandbox specific udp inbound port component", RemoteIP="sandbox specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
 RemoteIP="Any", RemotePort="Any (0-65535)", Protocol="TCP", Action="Deny", Log="Log", SignatureFlags="Interactive Process"
 RemoteIP="Any", RemotePort="Any (0-65535)", Protocol="UDP", Action="Deny", Log="Log", SignatureFlags="Interactive Process"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="Any (0-65535)", Protocol="TCP", Action="Allow", Log="Do not log"
 RemoteIP="sandbox specific outbound hosts component", RemotePort="Any (0-65535)", Protocol="UDP", Action="Allow", Log="Do not log"
 Default outbound rule
 Default outbound rule action
 Allow
 Default outbound rule log setting
 Log when denied
 Sandbox Execution Options
 Programs the Hardened Services may not run
 List of programs the Hardened Services may not run
 Program="%-global_svc_child_norun_list:prog%", Arguments="%-global_svc_child_norun_list:cmdline%", User="%-global_svc_child_norun_list:id%", Group="%-global_svc_child_norun_list:groupid%", Hash="%-global_svc_child_norun_list:hash%", Publisher="%-global_svc_child_norun_list:pub%", SignatureFlags="%-global_svc_child_norun_list:sigflags%"
 Programs the Hardened Services may run if using specific arguments
 List of programs the Hardened Services may run if using specific arguments
 Program="%-global_svc_child_norun_except_list:prog%", Arguments="%-global_svc_child_norun_except_list:cmdline%", User="%-global_svc_child_norun_except_list:id%", Group="%-global_svc_child_norun_except_list:groupid%", Hash="%-global_svc_child_norun_except_list:hash%", Publisher="%-global_svc_child_norun_except_list:pub%", SignatureFlags="%-global_svc_child_norun_except_list:sigflags%"
 Block execution of files with non-executable extensions
 Module Execution
 Modules to route to the Fully Open sandbox
 List of modules to route to the Fully Open sandbox
 %-global_fully_open_sandbox_module_list%
 ReadOnly Sandbox [remote_file_ps]
 Block execution of files with non-executable extensions
 Block modifications to windows services