06-21-2006 07:44 AM - edited 03-09-2019 03:20 PM
Folks,
Could someone please guide me on the best way to edit the default rules on CSA MC? I would like to tune some of the rules and I am not sure how to change the default rules. Maybe copy them, change them, and raise the priority?
Thanks
06-21-2006 09:51 AM
Make exceptions to the rule rather than change the rule at first. You can change it later if you want.
Tom S
06-21-2006 12:35 PM
Tom,
Thanks for the response. I will surely rate all posts.
How do I create an exception to the rule, and what would be the best way to change it? Change the original rule, or clone it, edit it and then raise the priority?
Any help would be highly appreciated.
06-21-2006 02:26 PM
Use the wizard to create the exception. The default is it will create an exception to the policy by creating a new rule module and assigning it to the policy. Then you can see how the exception works and you can change the exception rather than the rule. This keeps the original rules unchanged but allows you to make any changes necessary to get your apps to work.
Tom S
06-21-2006 04:05 PM
Tom, you are awesome! Please, I would appreciate it if you could assist a little more:
1) At the present time I am in a tuning process. I have 2 applications shouting all the time: svchost and Internet Explorer trying to make changes to the registry. How do I tackle such problems?
If an application complains and I know that it is a valid application, how do I create an exception for it?
What about CSA complaining about IE trying to make changes to the registry, what should I do about it?
06-22-2006 11:26 AM
The trick is to figure out what protection you want, put machines in the necessary groups, then start looking at events. You can pretty much guess what normal behavior is, so you can tune those out first using the wizard to either allow the action, or deny and stop logging it (unless you want to see it). I would start out with very little protection at first and in test mode, then work your way up from there.