Security Controls

Rule Collections

Rule Collections is a library for compiling reusable groups of files, folders, drives and file hashes that can be associated with rule sets in the configuration. For example, a collection can be used to manage common sets of applications for assigning to certain user groups.

Use collections to manage long lists of related items for an application, such as the file, folder, and file hash items. A collection can include any combination of these items. For example, you can group a number of items for one particular application and then add the collection to the Allowed or Denied lists.

Rule Collections can be created to manage executable controls and privilege management.

In this section:

Create a Rule Collection

Add Items to a Rule Collection

Delete a Rule Collection

Add Rule Collections to a Rule Set

Remove Rule Collections from a Rule Set

Capture File Hashes in a Rule Collection

Create a Rule Collection

1. In the Application Control Configuration Editor, navigate to the Rule Collections node.

2. Select the Executable Control Rule Collections node or the Privilege Management Rule Collections node.

3. Right-click and select Add Rule Collection.

4. A new node is added with the default name New Rule Collection appended with a number. Double-click the collection to make the name editable and enter a unique, meaningful name.

If the Rule Collection name is amended, it automatically updates in any rule set where it is applied.

5. To sort the collections alphabetically, click the table header in the work area to toggle between ascending and descending order. Alternatively, right-click the Rule Collection root level and select either Ascending or Descending.

Add Items to a Rule Collection

Any combination of Files, Folders, Drives (applicable to executable control collections only) or File Hashes can be added to a collection.

1. Navigate to the Rule Collections node and select the collection you want to add items to.

2. Right-click and select the required item type from the shortcut menu:

Rule Collection Add File

Rule Collection Add Folder

Rule Collection Add Drive (for executable control rule collections only)

Rule Collection Add File Hash

Click on any of the above item types for help on the relevant add item dialog.

3. Once all fields have been completed on the relevant add item dialog, click Add. The item can then be seen in the collection work area.

Delete a Rule Collection

You can delete a rule collection. When a collection is deleted all items within the collection are also deleted. If you try to delete a collection that is currently used by a rule set, a dialog displays that tells you where the rule is used. You must remove the collection from the rule set first before you can delete the collection.

1. Select the Rule Collection you want to delete.

2. Right-click and select Remove Rule Collection.

3. The dialog that displays next depends on whether the Rule Collection is being used by any Rule Sets.

If the Rule Collection is not being used, the Confirm Removal dialog displays. Click Yes to delete the Rule Collection and the items it contains.

If the Rule Collection is being used, the Rule Collections In Use dialog displays with a list of Rule Sets that reference the Rule Collection. Click OK, then remove the collection from the applicable rule sets. Once the Rule Collection has been disassociated, proceed with the Remove Rule Collection option as before.

Add Rule Collections to a Rule Set

You can add rule collections to Rule Sets > Executable Control > Allowed/Denied and Rule Sets > Privilege Management > Application/Self-Elevation, eliminating the need to add items individually.

1. Select one of the following to add a rule collection to:

Rule Sets > [Rule Set] > Executable Control: right-click and select either Allowed or Denied

Rule Sets > [Rule Set] > Privilege Management: right-click and select Application or Self-Elevation

2. Right-click and select Rule Collection. The Rule Collection selection dialog displays.

3. Select Add to Rule for each Rule Collection that you want to add to the rule and click OK.

The rule collection is added to the rule.

Remove Rule Collections from a Rule Set

You can remove a rule collection from a rule set. The collection is not deleted and still remains under the Rule Collection node.

1. Select the rule set that contains the collection you want to remove.

The work area displays.

2. Select the collection you want to remove, right-click and select Remove Item.

The Remove Items dialog displays.

3. To continue with the removal, select Yes.

The rule collection is removed.

Capture File Hashes in a Rule Collection

Use the File Hash Wizard to capture multiple digital hashes.

1. Select the collection that you want to add hashes to.

2. Right-click and select Launch File Hash Wizard from the shortcut menu.

The File Hash Wizard displays.

3. On the Search method window, select one of the following:

Search folders - scans all executable and script-based files in the selected folder and automatically calculates the digital hashes. Go to Step 5.

Examine a running process - allows you to select a process that is currently running. The process, along with all executable files it has currently loaded, is scanned and digital hashes calculated. Go to Step 9.

If a file is found for which the hash has already been calculated, a notification of a duplicate is displayed. There is no need for a duplicate hash in a configuration. If the files are updated by means of, for example, a product level, you can select the rule collection and choose to re-scan. All of the digital hashes are automatically updated and the new configuration can be deployed.

4. Select Search folders and click Next.

The Searching folders dialog displays.

5. Browse to and select the folder you want to search and click OK.

6. Select the Include subfolders option as required and click Next to begin the search.

The Review Files window displays.

7. Review the files and click Next to capture the file hashes.

The File Hash Generation dialog displays.

8. Go to Step 13.

9. Select Examine a running process.

10. Click Next.

The Examine a running process window displays showing all the running processes.

11. Select the process to examine and click Next.

The Review Files window displays.

12. Review the files and click Next to capture the file hashes.

13. Allow the generation to complete, then click Next and Finish.
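The following is an added example, not part of the product or its documentation. It is a standalone script that mirrors the Search folders behaviour described above (optional subfolders, duplicate notification, re-scan after an update) so the files and hashes can be reviewed independently before they go into a collection. The hash algorithm (SHA-256), the extension list and all function names are assumptions, because the page does not state them.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumptions: the page names neither the hash algorithm nor the file types
# the wizard scans, so SHA-256 and this extension list are illustrative.
SCAN_EXTENSIONS = {".exe", ".dll", ".msi", ".bat", ".cmd", ".ps1", ".vbs", ".js"}

def file_hash(path, algorithm="sha256"):
    """Hash a file in chunks so large binaries are not loaded into memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def scan_folder(folder, include_subfolders=True):
    """Return ({hash: first path seen}, [(duplicate path, first path)])."""
    root = Path(folder)
    candidates = root.rglob("*") if include_subfolders else root.glob("*")
    hashes, duplicates = {}, []
    for path in sorted(candidates):
        if not path.is_file() or path.suffix.lower() not in SCAN_EXTENSIONS:
            continue
        value = file_hash(path)
        if value in hashes:
            duplicates.append((str(path), hashes[value]))  # one entry is enough
        else:
            hashes[value] = str(path)
    return hashes, duplicates

def rescan_diff(previous, current):
    """After files are updated: hashes to retire and hashes to capture."""
    stale = {h: p for h, p in previous.items() if h not in current}
    new = {h: p for h, p in current.items() if h not in previous}
    return stale, new

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample folder
        app = Path(tmp, "app.exe")
        app.write_bytes(b"build 1")
        Path(tmp, "copy.exe").write_bytes(b"build 1")  # same content, same hash
        before, dupes = scan_folder(tmp)
        print("captured:", len(before), "duplicates:", dupes)
        app.write_bytes(b"build 2")
        Path(tmp, "copy.exe").write_bytes(b"build 2")
        stale, new = rescan_diff(before, scan_folder(tmp)[0])
        print("retire:", list(stale), "add:", list(new))
```

Any hash reported as stale after a re-scan no longer matches a file on disk, so a rule that still relies on it will not match the updated file until the collection is re-scanned and the configuration redeployed.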

Related Topics

Rule Sets

Group Rules

Privilege Management

About Executable Control

