Controlling access to the volume

This protection prevents applications from bypassing security checks that the file system of the system disk conducts, and makes it possible to access the raw volume directly.

In the rules, you can allow or prohibit access to the raw volume by the applications of your choice.

A single rule may suffice in whitelist mode to allow access to certain applications and block it for all other applications. You must create several rules if you want to select different log settings. In this case, define “Block” as the default behavior in only the last rule.

EXAMPLE
Example of a rule prohibiting all applications, except legitimate applications, from accessing the volume.

An application identifier must be created beforehand for applications that are allowed or not allowed to access the raw volume. For more information, refer to the section Creating application identifiers.

  1. Select the Policies menu and click on your policy.
  2. Select a rule set.
  3. Click on the ACL resources > Volume tab.
  4. If you are in read-only mode, click on Edit in the upper banner.
  5. Click on Add a rule (Volume). A new row appears.
  6. In the Access field in the Default behavior area of a protection rule, select the behavior that applies to all applications that may access the raw volume:
    • Allow to allow access to the volume by default,
    • Block to block access to the volume by default,
    • Block and kill to block access to the volume by default, and shut down the process that launched the action.
  7. Click on + Add a specific behavior and choose the resource(s) that you want to exclude from the default behavior. In the associated Access field, choose whether access to the volume must be allowed or blocked. You can also choose to block it and shut down the process that launched the action.
  1. In the upper banner in the rule, you can:
    • Make the rule passive. Passive rules behave like standard rules but do not actually block any actions. The agent only generates logs that indicate which actions security rules would have blocked.
      Use this mode to test new restriction rules, find out their impact, and make the necessary adjustments before disabling Passive rule mode. For further information on testing rules and policies, refer to Testing security policies.
    • Indicate whether the rule must generate an incident when it is applied.
    • Select the log settings that this rule will send.
    • Specify whether an action must be performed when a log is sent for this rule. You can choose to display a notification on the agent and/or run a script.
    • Enter a description to explain what this rule aims to achieve.
  2. The row number of each rule appears on its left. Rearrange the sequence of your rules if you need to, by clicking on the arrows above and below the row number.
  3. Click on Save at the top right of the window to save changes.