When a system access point is violated, the action taken depends
on how the rule was configured:
- If the rule was configured to report, information is recorded in
  the log file.
- If the rule was configured to block, then the access is
  blocked.
Review the log file to determine which system access points were
violated and which rules detected the violations, then configure
the access protection rules to allow users access to legitimate
items and prevent users from accessing protected items.
Use these scenarios to decide which action to take as a
response.
Detection type: Unwanted processes
Scenarios:
- If the rule reported the violation in the log file but did not
  block the violation, select the Block option for the rule.
- If the rule blocked the violation but did not report the
  violation in the log file, select the Report option for the rule.
- If the rule blocked the violation and reported it in the log
  file, no action is necessary.
- If you find an unwanted process that was not detected, edit the
  rule to include it.

Detection type: Legitimate processes
Scenarios:
- If the rule reported the violation in the log file but did not
  block the violation, deselect the Report option for the rule.
- If the rule blocked the violation and reported it in the log
  file, edit the rule to exclude the legitimate process.
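The review step above, automated as an added example (not the product's own code or log format): the log line layout, the rule names, the action labels "Blocked"/"Would block", the rule configuration and the process paths are all constructed assumptions. The script applies the scenarios to each reported (rule, process) pair, flags block-only rules that can never appear in the log, and flags known unwanted processes that no rule detected.

```python
import re

# Constructed sample log lines; the column layout is an assumption.
# Every line present here was, by definition, reported.
LOG = """\
2024-05-01 09:12:03 | Would block | Prevent registry edits | C:\\Temp\\dropper.exe
2024-05-01 09:15:44 | Blocked     | Prevent HOSTS file edits | C:\\Temp\\dropper.exe
2024-05-01 09:20:10 | Would block | Prevent registry edits | C:\\Tools\\deploy.exe
2024-05-01 09:21:02 | Blocked     | Prevent HOSTS file edits | C:\\Tools\\deploy.exe
"""

# Assumed per-rule configuration: which of Report / Block is selected.
RULES = {
    "Prevent registry edits": {"report": True, "block": False},
    "Prevent HOSTS file edits": {"report": True, "block": True},
    "Prevent startup item edits": {"report": False, "block": True},
}
LEGITIMATE = {r"C:\Tools\deploy.exe"}                      # assumed allow list
KNOWN_UNWANTED = {r"C:\Temp\dropper.exe", r"C:\Temp\miner.exe"}  # assumed

LINE = re.compile(r"^\S+ \S+ \| (?P<action>[^|]+?)\s*\| (?P<rule>[^|]+?)\s*\| (?P<proc>.+)$")

def parse_log(text):
    """Return (rule, process, blocked) tuples for every parseable log line."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append((m["rule"], m["proc"], m["action"].strip() == "Blocked"))
    return events

def recommend(events, rules, legitimate, known_unwanted):
    """Map each (rule, process) pair to the tuning action from the scenario table."""
    advice, seen = {}, set()
    for rule, proc, blocked in events:
        seen.add(proc)
        if proc in legitimate:
            advice[(rule, proc)] = ("edit rule to exclude the legitimate process"
                                    if blocked else "deselect Report")
        else:
            advice[(rule, proc)] = "no action" if blocked else "select Block"
    # A rule that blocks without reporting never writes to the log, so it is
    # invisible to the loop above; surface it from the configuration instead.
    for rule, cfg in rules.items():
        if cfg["block"] and not cfg["report"]:
            advice[(rule, "*")] = "select Report"
    for proc in known_unwanted - seen:
        advice[("*", proc)] = "edit a rule to include the undetected process"
    return advice

if __name__ == "__main__":
    for key, action in recommend(parse_log(LOG), RULES, LEGITIMATE, KNOWN_UNWANTED).items():
        print(f"{key[0]:28} {key[1]:24} -> {action}")
```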