I need a solution
I want to start tuning a policy before I enable prevention mode. I created a new custom sandbox and want a particular process (i.e. process x) to write to anything under "C:\windows\system32\". I added a new entry under "file writes -> writable resources resource lists -> allow modifications to these files". In the resource path I added c:windows\system32\*. I thought the wildcard would include anything within system32; however, after reapplying the policy I still see events of process x trying to write to files within system32. Any ideas what I am doing wrong? Thanks in advance for your help and suggestions.