A while back I created an Application Control rule as follows:
- Take the following action: Monitor
- when Current applications in any of the following selected classes: <First Time Application Execute>
- But not in any of the following selected classes: <none>
- attempt to run New applications in any of the following selected classes: <All Applications>
- But not in any of the following selected classes: <First Time Application Execute>
This rule isn't working as planned. I get a lot of repeat events. The help text for <First Time Application Execute> is "This application class includes the first invocation of any application which has never been observed to execute on this system." I'm wondering if that is reset after a period of time or a reboot.
I'm wondering if I have the classes backwards in my rule...
Also, in what scenarios are the "Add New Process to Application Class" and "Add Current Process to Application Class" actions best used?