Policy Rules

Expand Rules to do the following tasks:



View list of rules assigned to this policy.

Rules assigned to the policy appear in the table below the Assign Rule button.


Operating system applications considered safe by Certified Safe Software are allowed unless specifically blocked by a rule.

Assign rule to this policy.

Click Assign Rule, and then do one of the following:

  • To select existing rules to assign to the policy, select Existing. The Assign Existing Rules to Policy screen appears. Select the rule or rules to assign and then click Assign Rules.

  • To add a new rule and assign it to the policy, select one of the following rule types:

    The Add Rule screen appears. Edit the rule and then click Save & Assign.


    Settings on the Add Rule screen that appears are identical to those displayed if you go to Management > Rules to add or edit a rule. See Add or Edit Rule Screen.

Remove selected rules from this policy.

Select the rule or rules in the list, click Remove Selected, and then click Remove Selected again.

Rules removed from a policy are not deleted. To restore a rule, assign it to the policy again. To permanently delete a rule, use Delete Selected on the Rules Screen. See Rules Screen.

Expand Rules to configure the following policy settings for matched users and endpoints:

Policy Setting


Always allow all applications in the Windows directory (overrides block and lockdown rules)

By default, Endpoint Application Control allows all applications located in the Windows directory. This functions like an Allow rule for the Windows default path, overriding any Block or Lockdown rules.

See About Rule Priority.

Automatically apply Lockdown rules to endpoints while they are disconnected

Disconnected endpoints are unable to receive or apply new policies. By default, that means a disconnected endpoint continues applying its current policy.

Enable protection against suspicious objects (requires subscription to Control Manager)

Endpoint Application Control protects matched endpoints against suspicious objects.

Note: This feature requires that the suspicious object lists are configured on Control Manager and the Endpoint Application Control server subscribes to the Control Manager.

For details on suspicious object list configuration, see Trend Micro Control Manager Administrator's Guide.

For details on subscribing to Control Manager, see Subscribing to Suspicious Object Lists.

Use the more compatible, less feature-rich, user-level blocking method

Kernel-level blocking prevents applications from starting by blocking file access. This provides greater security, but may unexpectedly block or momentarily delay access to certain files needed by allowed applications. This feature is only supported on policies set to first match “User and Group” criteria (excluding the “SYSTEM” account).

User-level blocking allows applications to start and then stops them at the task level. This may be unable to stop certain applications after they start and does not support the Trusted Source feature and blocking of link libraries (DLLs) and Java interpreter applications.

To apply user-level blocking for matching policies, select this check box


Trend Micro recommends user-level blocking only if you are having problems with kernel-level blocking. See About Blocking Methods.

Only kernel-level blocking supports the Trusted Source feature. See About Trusted Sources.