Configuration Rules
App Control configurations are built up from rules. These rules are checked on the endpoint when a user attempts to execute a file, in addition to trusted ownership checking.
App Control rules do not apply to Administrators.
The configuration security level must be set to Restricted for the rules to take effect on the endpoints.
You can create App Templates to group items together. App templates can be used when creating or editing rules, to easily populate the source items list.
Rule types
Rules are used to group actions together under a common condition. Select the type of action for which you want to create a rule.
Allow: An allow rule grants access to specific items that may be restricted.
Deny: A deny rule prohibits access to specific items.
Elevate: An elevate rule grants elevated access privileges to applications or components for a non-admin user.
Trusted Vendor: A Trusted Vendor rule grants run permissions for a specified vendor and item, when the item has a valid digital signature.
Creating a Rule
You can create a rule from within a configuration or by clicking within a chart on the Overview page.
Option 1 - Create a rule from the Configurations page
- Navigate to App Control > Configurations.
  The Configurations page appears.
- In the table, locate the configuration you want to add a rule to, then in the Actions column, click to open the actions menu.
- Click Edit.
  The Edit configuration page appears.
- Alternatively, you can view the configuration before editing it: on the Configurations page, click a configuration Name.
  The Configuration page appears.
  Click the Edit button.
  The Edit configuration page appears.
- In the Rules table, click +Add new rule.
  The Configuration: <name> page appears.
- Select the type of rule you want to create and follow the steps in the relevant linked topic.
Option 2 - Create a rule from the Overview page (untrusted owners chart)
You can create an allow rule for files that have been captured being executed with untrusted owners.
- Navigate to App Control > Overview.
  The Overview page appears.
- Click in the Applications executed with untrusted owners chart.
  The Applications executed with untrusted owners page appears.
- In the table, locate the file you want to create an allow rule for, then in the Actions column, click to open the options menu.
- Click +Create Rule.
  The Select a configuration dialog appears.
- Select the configuration in which you want to create the rule.
- Click Create Rule.
  The Configuration page for the selected configuration appears.
- Follow the Allow rule creation process.
Option 3 - Create a rule from the Overview page (elevated privileges chart)
You can create an elevate rule for files that have been captured being executed with elevated privileges.
- Navigate to App Control > Overview.
  The Overview page appears.
- Click in the Applications executed with elevated privileges chart.
  The Applications executed with elevated privileges page appears.
- In the table, locate the file you want to create an elevate rule for, then in the Actions column, click to open the options menu.
- Click +Create Rule.
  The Select a configuration dialog appears.
- Select the configuration in which you want to create the rule.
- Click Create Rule.
  The Configuration page for the selected configuration appears.
- Follow the Elevate rule creation process.
Rule Item Settings
The Rule Item Settings panel can be accessed from the rule What? page > Selected Items section > icon > Edit.
Properties tab
- Display Name: Enter the file name that you want to appear in the Name column of the Rules table.
- File: Enter the file or path that you want the rule to apply to. You can use wildcards to match multiple files; for example, C:\Program Files\*.exe matches all .exe files in the Program Files folder.
  Accepted file types are: exe, bat, cmd, vbs, wsf, js, msi, msp, ps1, and reg.
- Use regular expression: Select to use regular expressions when matching the file or path.
- Arguments: Enter all arguments as they appear in Process Explorer.
  Command line arguments extend the matching criteria beyond what is entered in the File field. If an argument is added, both the file and the argument must be satisfied for a match to occur. Any argument that appears on the command line for a process, such as flags, switches, files, and GUIDs, can be added.
  You can select to use regular expressions.
  Example:
  Denied File: shutdown.exe
  Allowed File: shutdown.exe with Arguments: -r -t 30
  Result: shutdown.exe runs only when -r -t 30 is on the command line; anything else run by shutdown.exe is denied.
  To configure the arguments of an allowed or denied item correctly, they must appear as they do in Process Explorer. A process that Process Explorer shows as:
  File: C:\Windows\System32\shutdown.exe
  Command line: C:\Windows\System32\shutdown.exe -r -t 30
  would be configured as:
  File: Absolute or relative path of shutdown.exe
  Arguments: -r -t 30
- Description: Optionally, enter a description.
- Options: The options available depend on the Rule type.
  - Allow file to run even if it is not owned by a trusted owner: Only applicable to an Allow Rule item.
    Trusted ownership checking is always enabled, so an application must always pass a trusted ownership check, even if it is an allowed item. However, if you need to give a user access to an item that is not owned by a trusted owner, select this option.
  - Do not show access denied message when denied: Only applicable to a Deny Rule item.
    Select this option to silently deny an item without displaying the access denied message to the user.
    Customize the message in the Configuration Message Settings.
  - Policy: Only applicable to an Elevate Rule item.
    - Apply to child processes: By default, the self elevation policy applied to rule items is not inherited by child processes. Select this option to apply the policy to the direct children of the parent process.
    - Apply to common dialogs: Elevate access to the Open File and Save File Windows menu options when a file or folder has been elevated.
      To prevent users from modifying the filesystem with administrative privileges, leave this option unselected.
    - Install as trusted owner: Make the local administrator the owner of all items created by the defined application. This option applies only to installer packages, not to regular applications.
    - Prompt the user before elevating: Select to display a self elevate prompt to the end user before elevating.
      Customize the message in the Configuration Message Settings.
    - Requires a reason before elevating: Select to require the user to enter a reason for elevation.
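The Arguments example and the Allow-only trusted ownership option above describe how a rule item is matched and how the decision is reached. The following model, added here and not the product's own code, puts those semantics together; it assumes case-insensitive path matching with wildcards, exact argument matching, a matching Allow item taking precedence over a broader Deny item (as in the shutdown.exe example), and that Administrators bypass rules as stated on this page.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the rule-item semantics described on this page (not product
# code). Assumptions: File matches the full path or the bare file name, case-insensitive,
# with wildcards as in C:\Program Files\*.exe; when Arguments is set the argument string
# must match as well; a matching Allow item takes precedence over a broader Deny item;
# allowed items still pass trusted ownership checking unless the Allow-only option is set.

@dataclass
class RuleItem:
    action: str                          # "allow" or "deny"
    file: str                            # file name or path, may contain wildcards
    arguments: Optional[str] = None      # argument string as shown in Process Explorer
    allow_untrusted_owner: bool = False  # "Allow file to run even if it is not owned by a trusted owner"

@dataclass
class Execution:
    path: str             # full path of the file the user is executing
    arguments: str        # command line with the executable itself removed
    trusted_owner: bool   # outcome of the endpoint's trusted ownership check
    is_admin: bool = False

def item_matches(item: RuleItem, run: Execution) -> bool:
    pattern = item.file.lower()
    name = run.path.rsplit("\\", 1)[-1].lower()
    file_ok = fnmatch.fnmatchcase(run.path.lower(), pattern) or fnmatch.fnmatchcase(name, pattern)
    args_ok = item.arguments is None or run.arguments.strip() == item.arguments.strip()
    return file_ok and args_ok

def evaluate(items: List[RuleItem], run: Execution) -> str:
    # Decision for a configuration at the Restricted security level, with the reason.
    if run.is_admin:
        return "allowed: rules do not apply to Administrators"
    allows = [i for i in items if i.action == "allow" and item_matches(i, run)]
    if allows:
        if run.trusted_owner or any(i.allow_untrusted_owner for i in allows):
            return "allowed: allow rule"
        return "denied: allowed item failed trusted ownership check"
    if any(i.action == "deny" and item_matches(i, run) for i in items):
        return "denied: deny rule"
    return "allowed: trusted owner" if run.trusted_owner else "denied: untrusted owner"

# The page's worked example: deny shutdown.exe, allow only "shutdown.exe -r -t 30".
SHUTDOWN_RULES = [
    RuleItem("deny", "shutdown.exe"),
    RuleItem("allow", "shutdown.exe", arguments="-r -t 30"),
]
```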
Metadata tab
- Product Name: The name of the product.
  - Use regular expression: Select to use regular expressions when matching the product name.
- Vendor: The vendor name associated with the signature, if the file has been digitally signed.
  - Use regular expression: Select to use regular expressions when matching the vendor.
  - Verify certificate at runtime: Select to verify the vendor certificate while matching the file.
    The integrity of the file is also verified to ensure the file has not been tampered with. This can impact performance if very large files are frequently run.
- Company Name: The name of the company that produced the file.
  - Use regular expression: Select to use regular expressions when matching the company name.
- File Description: The file description.
  - Use regular expression: Select to use regular expressions when matching the file description.
- File Version: The version range of the file to match.
  - Minimum: The minimum version number of the file to include in the rule matching.
  - Maximum: The maximum version number of the file to include in the rule matching.
- Product Version: The version range of the product to match.
  - Minimum: The minimum version number to include in the rule matching.
  - Maximum: The maximum version number to include in the rule matching.
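The Metadata tab combines text criteria (literal or regular expression) with version ranges. The illustration below is added here and is not the product's own code; it assumes literal fields must match exactly, regular-expression fields must match the whole value, and version numbers are compared field by field as integers, so that 1.10.0.0 is correctly treated as newer than 1.9.0.0.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed illustration of Metadata tab matching (not product code). Assumptions:
# an unset field imposes no constraint, a literal field matches exactly, a regular
# expression field must match the whole value, and versions compare numerically.

def parse_version(text: str) -> Tuple[int, ...]:
    # "1.9" -> (1, 9, 0, 0): missing trailing fields count as zero when compared.
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))

def text_matches(criterion: Optional[str], value: str, use_regex: bool) -> bool:
    if criterion is None:
        return True
    if use_regex:
        return re.fullmatch(criterion, value) is not None
    return criterion == value

def version_in_range(value: str, minimum: Optional[str], maximum: Optional[str]) -> bool:
    v = parse_version(value)
    low_ok = minimum is None or parse_version(minimum) <= v
    high_ok = maximum is None or v <= parse_version(maximum)
    return low_ok and high_ok

@dataclass
class MetadataCriteria:
    product_name: Optional[str] = None
    product_name_regex: bool = False
    vendor: Optional[str] = None
    vendor_regex: bool = False
    file_version_min: Optional[str] = None
    file_version_max: Optional[str] = None

def metadata_matches(c: MetadataCriteria, product_name: str, vendor: str, file_version: str) -> bool:
    # All populated criteria must hold for the item to match.
    return (text_matches(c.product_name, product_name, c.product_name_regex)
            and text_matches(c.vendor, vendor, c.vendor_regex)
            and version_in_range(file_version, c.file_version_min, c.file_version_max))
```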