Managing Path Rules

For some applications, Application Control based on file signatures does not work. Ivanti Device and Application Control allows you to authorize executable files to run from a specified file path, without checking for authorization from a central listing.

A fundamental principle of authorization by path rules is that the path leads to a trusted source. You can add an additional layer of application control for file authorization by path rule; Ivanti Device and Application Control can verify the identity of the file owner and execute only files that belong to trusted owners. When you activate the Ownership Check for a path rule, Ivanti Device and Application Control only permits execution of files owned by a user who is a Trusted Owner.

You can assign path rules to:

  • All users
  • A specific user group
  • A specific user

Column Definitions

The following table describes the columns in the Path Rules dialog.

  • Ownership Check: The path rule only applies if the file owner (a user or user group) is listed as a Trusted Owner in the Set Trusted Owner dialog.
  • Include subdirectories: The path rule applies to all files in subfolders of the root folder specified by the file path.
  • Log Execution: An execution permitted by the path rule is logged as EXEC-GRANTED when the Execution Log default option is set to Log everything.

Path Rules Conventions

Path rules are governed by conventions that allow you to select multiple files for path rule authorization, to reduce administrative burden.

A path name can be up to 900 characters long and consist of the following:

  • Root specifier
  • Path specifier
  • Filename specifier

The root specifier can be a:

  • Root token
  • Drive letter
  • Server or computer name

The path specifier is the file path relative to the root specifier. It must start and end with a backslash and cannot include wildcards.

The filename specifier is the file name. The asterisk (*) and question mark (?) wildcards are allowed.

You can use the following variables:

  • %SystemRoot%
  • %SystemDrive%
  • %ProgramFiles%
  • %ProgramFiles(x86)%
  • %ProgramData%
  • %HomePath%
  • %AppData%
  • %LocalAppData%

Caution: No warning is shown when you specify a file or directory that does not exist or cannot be located.
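As an added example (not Ivanti's code), the following Python evaluates a file against a path rule using the conventions above: it splits the rule into root, path and filename specifiers, rejects wildcards in the path specifier, expands the listed variables (the values assigned here are constructed), and applies the Include subdirectories and Ownership Check options. Comparison is case-insensitive, as Windows paths are.

```python
import re

# Constructed values for the variables the page lists; on a real client they
# come from the user's environment (assumption for this example).
VARIABLES = {
    "%SystemRoot%": r"C:\Windows",
    "%SystemDrive%": "C:",
    "%ProgramFiles%": r"C:\Program Files",
    "%ProgramFiles(x86)%": r"C:\Program Files (x86)",
    "%ProgramData%": r"C:\ProgramData",
}

# root: a variable token, a drive letter, or a \\server name
# path: starts and ends with a backslash; no * or ? in any segment
# name: the filename specifier, where * and ? are the only wildcards
RULE_RE = re.compile(
    r"^(?P<root>%[A-Za-z0-9()]+%|[A-Za-z]:|\\\\[^\\]+)"
    r"(?P<path>\\(?:[^\\*?]+\\)*)"
    r"(?P<name>[^\\]+)$"
)

def parse_rule(rule):
    """Split a rule into (expanded root, path, filename) or raise ValueError."""
    if len(rule) > 900:
        raise ValueError("path rule exceeds 900 characters")
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("malformed path rule: " + rule)
    return VARIABLES.get(m["root"], m["root"]), m["path"], m["name"]

def _name_matches(pattern, name):
    # Translate only * and ?; fnmatch would also treat [...] as a wildcard.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, name, re.IGNORECASE) is not None

def rule_allows(rule, file_path, owner, trusted_owners=(),
                include_subdirectories=False, ownership_check=False):
    """Return True if the rule authorizes file_path, owned by owner, to run."""
    root, path, pattern = parse_rule(rule)
    rule_dir = (root + path).rstrip("\\").lower()
    file_dir, _, file_name = file_path.rpartition("\\")
    file_dir = file_dir.lower()
    in_scope = file_dir == rule_dir or (
        include_subdirectories and file_dir.startswith(rule_dir + "\\"))
    if not in_scope or not _name_matches(pattern, file_name):
        return False
    # Ownership Check: the file owner must be listed as a Trusted Owner.
    if ownership_check and owner.lower() not in {t.lower() for t in trusted_owners}:
        return False
    return True
```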

Path Rules Precedence

The following rules apply to using path rules:

  • You can adjust Windows NTFS path security properties.
  • You can only authorize executable files using path rules.
  • New path rules are effective after you send an update to the client computers.
  • You can define a path rule that applies to all users and a second path rule for a specific user that covers a subset of the files covered by the first rule.
  • Path rules are cumulative.
  • A path rule assigned to a user group does not authorize a file for a user who is not a member of that group.
  • You can export one or more path rules to a .csv file to create a custom report.
