SRP blocking all exe in a folder is not applied to subfolders

    Question

  • Hello,
    Following the Technet documentation, which says about path rules:
    "A path rule can specify a folder or fully qualified path to a program. When a path rule specifies a folder, it matches any program contained in that folder and any programs contained in subfolders. Software restriction policies support local and Uniform Naming Convention (UNC) paths." (https://technet.microsoft.com/en-us/library/cc786941(v=ws.10).aspx) or
    "A path rule can specify a folder or fully qualified path to a program. When a path rule specifies a folder, it matches any program contained in that folder and any programs contained in subfolders. Both local and UNC paths are supported." (https://technet.microsoft.com/en-us/library/bb457006.aspx),
    we have created a path rule disallowing c:\aa\*.exe

    The problem is when applying this policy, an exe file located in c:\aa\bb\ can be executed.
    To disallow that we have to add another path rule specifying c:\aa\bb\*.exe

    But again, in subfolders you are allowed to execute any exe file.

    Are we doing something wrong or is the documentation on Technet wrong?

    Thanks in advance for your help.

    Marc

    Monday, January 11, 2016 1:54 PM

All replies

  • > we have created a path rule disallowing c:\aa\*.exe
     
    This is not a folder, but a file. Omit the "\*.exe" part.
     
    Monday, January 11, 2016 4:16 PM
  • Oh, ok.
    So if I only wanted to block exe but, let's say allow the mdb extension, in a folder and its subfolders, I would have to configure a path rule (only the folder path, no *.mdb extension) and then configure the Designated File Types (removing the mdb extension from the list).

    Thank you very much, I hadn't understood it like this at first :-)

    Marc

    Tuesday, January 12, 2016 7:46 AM
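
An added example, not part of the thread: a PowerShell audit that lists the SRP path rules applied to a machine and flags those whose last segment is a wildcard pattern such as `c:\aa\*.exe`, which the reply above identifies as a file rule rather than a folder rule. It assumes the rules were deployed by policy and are stored under the `Safer\CodeIdentifiers` policy keys; the wildcard check is a heuristic of this example.

```powershell
# Added example: audit Software Restriction Policy (SRP) path rules and flag
# wildcard file patterns (e.g. c:\aa\*.exe) that were probably meant to be
# folder rules covering subfolders as well.

# SRP security levels as stored in the registry (subkey name = level id).
$levels = @{
    0      = 'Disallowed'
    4096   = 'Untrusted'
    65536  = 'Constrained'
    131072 = 'Basic User'
    262144 = 'Unrestricted'
}

# Assumption: rules come from computer or user policy.
$roots = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
         'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

$rules = foreach ($root in $roots) {
    foreach ($level in $levels.Keys) {
        $pathsKey = Join-Path $root "$level\Paths"
        if (-not (Test-Path -LiteralPath $pathsKey)) { continue }

        foreach ($ruleKey in Get-ChildItem -LiteralPath $pathsKey) {
            # ItemData holds the rule path; keep %VARIABLES% unexpanded.
            $itemData = $ruleKey.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
            if (-not $itemData) { continue }

            # Heuristic: a wildcard in the last segment means a file pattern.
            $leaf = ($itemData.TrimEnd('\') -split '\\')[-1]
            [pscustomobject]@{
                Hive         = $root.Substring(0, 4)
                Level        = $levels[$level]
                Path         = $itemData
                WildcardLeaf = $leaf -match '[*?]'
                RuleId       = $ruleKey.PSChildName
            }
        }
    }
}

$rules | Sort-Object Hive, Level, Path | Format-Table -AutoSize

# Disallowed rules written as file patterns: review each one and, if the whole
# folder tree should be covered, replace it with a rule on the folder path.
$rules | Where-Object { $_.WildcardLeaf -and $_.Level -eq 'Disallowed' } |
    ForEach-Object { Write-Warning "File-pattern rule, subfolders not covered: $($_.Path)" }
```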