Managing Path Rules
For some applications, Application Control based on file signatures does not work. Ivanti Device and Application Control allows you to authorize executable files to run from a specified file path, without checking for authorization from a central listing.
A fundamental principle of authorization by path rules is that the path leads to a trusted source. You can add an additional layer of application control for file authorization by path rule; Ivanti Device and Application Control can verify the identity of the file owner and execute only files that belong to trusted owners. When you activate the Ownership Check for a path rule, Ivanti Device and Application Control only permits execution of files owned by a user who is a Trusted Owner.
You can assign path rules to:
- All users
- A specific user group
- A specific user
Column Definitions
The following table describes the columns in the Path Rules dialog.
Option | Description
---|---
Ownership Check | The path rule only applies if a user or user group is listed as a Trusted Owner in the Set Trusted Owner dialog.
Include subdirectories | The path rule applies to all files in subfolders of the root folder specified by the file path.
Log Execution | The path rule attempt is logged as EXEC-GRANTED when the Log everything option is set for the Execution Log default option.
Path Rules Conventions
Path rule conventions let you select multiple files with a single rule, which reduces the administrative burden of authorization.
A path name can be up to 900 characters long and consist of the following:
- Root specifier
- Path specifier
- Filename specifier
The root specifier can be a:
- Root token
- Drive letter
- Server or computer name
The path specifier is the file path relative to the root specifier (root token, drive letter, or server name); it must start and end with a backslash and cannot include wildcards.
The filename specifier is the file name. The asterisk (*) and question mark (?) wildcards are allowed here.
You can use the following variables:
- %SystemRoot%
- %SystemDrive%
- %ProgramFiles%
- %ProgramFiles(x86)%
- %ProgramData%
- %HomePath%
- %AppData%
- %LocalAppData%
Caution: There is no warning notification when you specify a file or directory that does not exist.
Path Rules Precedence
The following rules apply to using path rules:
- You can adjust Windows NTFS path security properties.
- You can only authorize executable files using path rules.
- New path rules are effective after you send an update to the client computers.
- You can define a path rule that applies to all users and a second path rule for a specific user that covers a subset of the files already covered by the first rule.
- Path rules are cumulative.
- A path rule assigned to a user group does not authorize a file for a user who is not a member of that group.
- You can export one or more path rules to a .csv file to create a custom report.
- Creating a Path Rule for All Users
  You can authorize executable files from a specified location, designated by path, for all users and user groups.
- Creating a Path Rule for a User or User Group
  You can authorize executable files from a specified location, designated by path, for specific users and user groups.
- Modifying a Path Rule
  You can edit a path rule assigned to a user or user group.
- Deleting a Path Rule
  You can delete a specific path rule for selected users or user groups.
- Defining a Trusted Owner
  You can identify file owners so that only files belonging to Trusted Owners are executed.
- Deleting a Trusted Owner
  You can remove Trusted Owner assignments from path rules.
Related Information
- Synchronizing Domains
- Database Clean Up
- Defining User Access
- Defining Default Options
- Defining Spread Check
- Sending Permissions and File Authorization Updates to Computers
- Exporting Permissions and File Authorization Settings
- Working with Endpoint Maintenance
- CPA Compliance Mode Configuration Window