Using Expert Rules in ENS 10.5.3 to Prevent Malicious Exploits

Expert Rules are text-based custom rules that can be created in the Exploit Prevention policy of ENS Threat Prevention 10.5.3 and later. They expose more parameters and allow far more flexibility than the custom rules that can be created in the Access Protection policy, and they let system administrators control and monitor an endpoint at a very granular level. Expert Rules do not rely on user-mode hooking, so they have very little impact on system performance. This blog is a basic guide showing our customers how to create them and which threats they can help block. Further detailed information can be found in the conclusion.


How Expert Rules work


The following sections show how to add Expert rules via EPO and ENS.


Adding an Expert Rule from EPO


1. Select System Tree | Subgroup (e.g.: ens_10.6.0) | Assigned Policies | Product (Endpoint Security Threat Prevention) | Exploit Prevention (My Default)



2. Navigate to Signatures and click on Add Expert Rule.



3. In the Rules section, complete the fields.


a. Select the severity and action for the rule. The severity is informational only; it has no effect on the rule action.


b. Select the type of rule to create. The Rule content field is populated with the template for the selected type.


c. Change the template code to specify the behavior of the rule.



When you select a new class type, the code in the Rule content field is replaced with the corresponding template code. Endpoint Security assigns the ID number automatically, starting with 20000. Endpoint Security does not limit the number of Expert Rules you can create.


4. Save the rule, then save the settings.
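As an added example of what goes into the Rule content field in step 3c (this rule is not from the original post and is not a McAfee-supplied template), here is a Processes-class Expert Rule that blocks the common macro-malware pattern of an Office application spawning a shell or script host. The Rule/Process/Target structure, OBJECT_NAME matching and the "CREATE" access flag are the Expert Rule syntax; the specific process names are my choice for illustration, and the "#" comments are assumed to be accepted as Tcl-style comments (strip them if your console rejects the rule).

```tcl
# Added example, not part of the original post: a Processes-class Expert Rule
# that stops an Office document from launching a shell or script host.
# Process names and paths below are chosen for illustration.

Rule {
    # Initiator: the process performing the action.
    # "**" matches any characters, including path separators.
    Process {
        Include OBJECT_NAME { -v "**\\winword.exe" }
        Include OBJECT_NAME { -v "**\\excel.exe" }
        Include OBJECT_NAME { -v "**\\powerpnt.exe" }
    }
    # Target: what the initiator tries to do. Match PROCESS with access
    # "CREATE" fires when the initiator creates a child process whose
    # image name matches one of the OBJECT_NAME entries.
    Target {
        Match PROCESS {
            Include OBJECT_NAME { -v "**\\cmd.exe" }
            Include OBJECT_NAME { -v "**\\powershell.exe" }
            Include OBJECT_NAME { -v "**\\wscript.exe" }
            Include OBJECT_NAME { -v "**\\cscript.exe" }
            Include -access "CREATE"
        }
    }
}
```

When you add a rule like this, select Report only as the action at first and roll it out to a pilot group; review the Exploit Prevention events that reach ePO for a few days, add Exclude entries for any legitimate parent processes you find, and only then enable Block. Because the severity field is informational, choose it to suit your reporting rather than expecting it to change enforcement.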

