ENS Exploit Prevention supports Expert rules (behavioral AAC rules) that depend on the DAC feature available with ENS ATP.

DAC contains a process on the following basis:

1. Reputation of the process or file
2. User set Rule Assignment and Action Enforcement in the ATP configuration

The Exploit Prevention Expert Rules that depend on DAC are created to monitor behaviors of the process successfully contained by DAC.

Recommended settings for DAC-based Expert rules:

1. Open ENS.
2. Launch the ATP feature.
   • Enable: Enable Adaptive Threat Protection feature.
   • Disable: Enable Observe mode feature.
3. Open Action Enforcement.
   • Enable Trigger Dynamic Application Containment when reputation threshold reaches feature.
   • Select the reputation threshold for DAC containment as per your environment needs and security posture. 

What reputation threshold should DAC be set at for Exploit Prevention Expert Rules to trigger?
The reputation threshold levels available with the ENS ATP 10.7.x are as follows:

• Might be Trusted
• Unknown (default for the Security rule group)
• Might be Malicious (default for the Balanced rule group)
• Most Likely Malicious (default for the Productivity rule group)
• Known Malicious 

Exploit Prevention rule behavior for different Rule Assignments Type and Action Enforcement settings:

Rule Assignment Type	Action Enforcement			Process Reputation set by DAC	Exploit Prevention Rule behavior
	(Reputation set for below actions)
	Trigger DAC containment	Block	Clean
Balanced	Might be Malicious	Most Likely Malicious	Known Malicious	Might be Trusted	Doesn't trigger
	Might be Malicious	Most Likely Malicious	Known Malicious	Unknown	Doesn't trigger
	Might be Malicious	Most Likely Malicious	Known Malicious	Might be Malicious	Trigger observed
	Might be Malicious	Most Likely Malicious	Known Malicious	Most Likely Malicious	Trigger observed
	Might be Malicious	Most Likely Malicious	Known Malicious	Known Malicious	Trigger observed
Productivity	Most Likely Malicious	Known Malicious	Disabled	Might be Trusted	Doesn't trigger
	Most Likely Malicious	Known Malicious	Disabled	Unknown	Doesn't trigger
	Most Likely Malicious	Known Malicious	Disabled	Might be Malicious	Doesn't trigger
	Most Likely Malicious	Known Malicious	Disabled	Most Likely Malicious	Trigger observed
	Most Likely Malicious	Known Malicious	Disabled	Known Malicious	Trigger observed
Security	Unknown	Might be Malicious	Known Malicious	Might be Trusted	Doesn't trigger
	Unknown	Might be Malicious	Known Malicious	Unknown	Trigger observed
	Unknown	Might be Malicious	Known Malicious	Might be Malicious	Trigger observed
	Unknown	Might be Malicious	Known Malicious	Most Likely Malicious	Trigger observed
	Unknown	Might be Malicious	Known Malicious	Known Malicious	Trigger observed

 
ENS will contain any application with a threshold equal to or higher than the DAC reputation threshold.

• View the ENS Product Guide for how the reputation of a process is determined. 
• KB87843 - Dynamic Application Containment rules and best practices lists the best practices for the DAC feature.
  Determine the containment threshold, based on the environment and the required results.