Managing Path Rules
For some applications, Application Control based on file signatures does not work. Ivanti Device and Application Control allows you to authorize executable files to run from a specified file path, without checking for authorization from a central listing.
A fundamental principle of authorization by path rules is that the path leads to a trusted source. You can add an additional layer of application control for file authorization by path rule; Ivanti Device and Application Control can verify the identity of the file owner and execute only files that belong to trusted owners. When you activate the Ownership Check for a path rule, Ivanti Device and Application Control only permits execution of files owned by a user who is a Trusted Owner.
You can assign path rules to:
- All users
- A specific user group
- A specific user
The columns in the Path Rules dialog control the following behaviour:
- The path rule only applies if a user or user group is listed as a Trusted Owner in the Set Trusted Owner dialog.
- The path rule applies to all files in subfolders of the root folder specified by the file path.
- The path rule attempt is logged as EXEC-GRANTED when the Log everything option is set for the Execution Log default option.
Path Rules Conventions
Path rules are governed by conventions that allow you to select multiple files for path rule authorization, to reduce administrative burden.
A path name can be up to 900 characters long and consist of the following:
- Root specifier
- Path specifier
- Filename specifier
The root specifier can be a:
- Root token
- Drive letter
- Server or computer name
The path specifier is the file path relative to the root specifier; it must start and end with a backslash and cannot include wild cards.
The filename specifier is the file name; the asterisk (*) and question mark (?) wild cards are allowed.
You can use the following variables:
Caution: There is no warning notification when you specify a file or directory that does not exist or cannot be located.
Path Rules Precedence
The following rules apply to using path rules:
- You can adjust Windows NTFS path security properties.
- You can only authorize executable files using path rules.
- New path rules are effective after you send an update to the client computers.
- You can define a path rule that applies to all users and a second, overlapping path rule for a specific user that covers a subset of the files matched by the first rule.
- Path rules are cumulative.
- A path rule assigned to a user group does not authorize the file for a user who is not a member of that group.
- You can export one or more path rules to a .csv file to create a custom report.
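The following is an added example, not Ivanti code, that models the conventions and precedence rules above: a rule pattern is split into root, path and filename specifiers (wild cards only in the filename), a file is matched against the rule's folder with or without subfolders, rules are applied to all users, a group or a single user and evaluated cumulatively, and the Ownership Check admits a file only when its owner is a Trusted Owner. The root-specifier regex, the `subject` encoding, the `%SYSTEMROOT%` variable table, the owner names and the rule set are all constructed assumptions for the demonstration; a real client would read the owner from the file's security descriptor rather than take it as a parameter.

```python
import ntpath
import re
from dataclasses import dataclass

# Assumed root specifier syntax (not Ivanti's parser): a root token such as
# %SYSTEMROOT%, a drive letter, or a server/computer name in UNC form.
_ROOT_RE = re.compile(r"^(%[A-Za-z0-9_]+%|[A-Za-z]:|\\\\[^\\]+)")
MAX_PATH_NAME = 900  # limit stated in the conventions


@dataclass(frozen=True)
class PathRule:
    pattern: str                  # root + path + filename, e.g. r"C:\Tools\*.exe"
    subject: str = "all"          # "all", "group:<name>" or "user:<name>" (constructed encoding)
    include_subfolders: bool = False
    ownership_check: bool = False


def parse_rule_pattern(pattern):
    """Split a rule pattern into (root, path, filename), enforcing the conventions."""
    if len(pattern) > MAX_PATH_NAME:
        raise ValueError("path name exceeds %d characters" % MAX_PATH_NAME)
    m = _ROOT_RE.match(pattern)
    if not m:
        raise ValueError("missing root specifier")
    root = m.group(0)
    path, sep, filename = pattern[len(root):].rpartition("\\")
    path += sep  # restore the trailing backslash that rpartition consumed
    if not (path.startswith("\\") and path.endswith("\\")):
        raise ValueError("path specifier must start and end with a backslash")
    if "*" in path or "?" in path:
        raise ValueError("wild cards are only allowed in the filename specifier")
    if not filename:
        raise ValueError("missing filename specifier")
    return root, path, filename


def is_valid_rule(pattern):
    """True when the pattern satisfies the conventions, False otherwise."""
    try:
        parse_rule_pattern(pattern)
        return True
    except ValueError:
        return False


def _filename_regex(spec):
    """Turn a filename specifier with * and ? wild cards into a case-insensitive regex."""
    return re.compile(re.escape(spec).replace(r"\*", ".*").replace(r"\?", "."), re.IGNORECASE)


def _expand_root(root, variables):
    """Resolve a root token through the constructed variable table; drive letters and UNC roots pass through."""
    if root.startswith("%"):
        if root.upper() not in variables:
            raise ValueError("unknown root token %s" % root)
        return variables[root.upper()]
    return root


def rule_matches_file(rule, file_path, variables):
    """True when file_path lies in the rule's folder (or a subfolder, if enabled) and its name matches."""
    root, path, filename = parse_rule_pattern(rule.pattern)
    folder = (_expand_root(root, variables) + path).lower()
    file_dir = ntpath.dirname(file_path).lower()
    if not file_dir.endswith("\\"):
        file_dir += "\\"
    in_folder = file_dir.startswith(folder) if rule.include_subfolders else file_dir == folder
    return in_folder and _filename_regex(filename).fullmatch(ntpath.basename(file_path)) is not None


def _rule_applies_to(rule, user, groups):
    """A rule is assigned to all users, to one user group, or to one user."""
    kind, _, name = rule.subject.partition(":")
    if kind == "all":
        return True
    if kind == "group":
        return name.lower() in {g.lower() for g in groups}
    if kind == "user":
        return name.lower() == user.lower()
    raise ValueError("unknown rule subject %r" % rule.subject)


def authorizing_rule(rules, user, groups, file_path, owner, trusted_owners, variables):
    """Return the first rule that authorizes file_path for user, or None.
    Rules are cumulative: any applicable rule that matches grants execution, except that a
    rule with the Ownership Check set applies only when the file's owner is a Trusted Owner."""
    trusted = {o.lower() for o in trusted_owners}
    for rule in rules:
        if not _rule_applies_to(rule, user, groups):
            continue
        if not rule_matches_file(rule, file_path, variables):
            continue
        if rule.ownership_check and owner.lower() not in trusted:
            continue
        return rule
    return None


# Constructed sample data for the demonstration.
VARIABLES = {"%SYSTEMROOT%": r"C:\Windows"}
TRUSTED_OWNERS = {r"NT AUTHORITY\SYSTEM", r"BUILTIN\Administrators"}
RULES = [
    PathRule(r"%SYSTEMROOT%\System32\*.exe", "all", ownership_check=True),
    PathRule(r"C:\Tools\*.exe", "group:Developers", include_subfolders=True),
    PathRule(r"\\fileserver\deploy\setup.exe", "user:alice"),
]
```

With the sample data, `authorizing_rule(RULES, "bob", ["Users"], r"C:\Windows\System32\notepad.exe", r"NT AUTHORITY\SYSTEM", TRUSTED_OWNERS, VARIABLES)` returns the first rule, the same file owned by an ordinary user returns `None` because the Ownership Check fails, and `C:\Tools\bin\build.exe` is authorized for a member of Developers but not for a user outside that group.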
- Creating a Path Rule for All Users: you can authorize executable files from a specified location, designated by path, for all users and user groups.
- Creating a Path Rule for a User or User Group: you can authorize executable files from a specified location, designated by path, for specific users and user groups.
- Modifying a Path Rule: you can edit a path rule assigned to a user or user group.
- Deleting a Path Rule: you can delete a specific path rule for selected users or user groups.
- Defining a Trusted Owner: you can identify file owners so that files run only when they belong to a Trusted Owner.
- Deleting a Trusted Owner: you can remove Trusted Owner assignments from path rules.