Allowed Items
About Allowed Items
Add Allowed items to rule sets to grant users access to specific items without providing them with full administrative privileges. The Allowed items are displayed in the Allowed Items list under a selected rule set:
File
If a filename alone is specified, for example, myapp.exe, then all instances of this are allowed regardless of the location of the application. If the file is specified with the full path, for example, \\servername\sharename\myapp.exe, then only this instance of the application is allowed. Other instances of this application need to satisfy other Application Control rules to be granted execution.
- Select the Executable Control node for a rule set.
- Right-click and select Allowed > File. The Add a File dialog displays.
- In the Properties tab, click the ellipsis (...) in the text box.
- In the Open dialog, navigate to the file that you want to add and click OK. If required, you can select the following:
  - Substitute environment variables where possible
  - Use regular expression
- Enter optional command line arguments in the Arguments text box. Enter all arguments as they appear in Process Explorer.
Command line arguments extend the matching criteria beyond what is entered in the File field. If an argument is added, both file and argument must be satisfied for a match to occur. Any argument that appears on the command line for a process, such as flags, switches, files, and GUIDs, can be added.
| Denied File | Allowed File | Result |
|---|---|---|
| shutdown.exe | shutdown.exe Arguments: -r -t 30 | shutdown.exe runs only when -r -t 30 is on the command line; anything else run by shutdown.exe is denied. |
To configure the arguments of an allowed or denied item correctly, they must appear as they do in Process Explorer. For example:
File: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n C:\example.docx
Would be configured as:
File: Absolute or relative path of winword.exe
Arguments: /n C:\example.docx
- If required, enter an optional description of the file for your future reference.
- Select Allow file to run even if it is not owned by a trusted owner to provide access to the file by a user that is not the trusted owner.
- Select Ignore Event Filtering to raise all events regardless of what has been set in the Events Selection.
- To add metadata to the file, select the Metadata tab.
- To automatically complete the fields, select Populate metadata from file.
- To add access times, select the Access Times tab.
- Access periods can only be assigned when you check Only allow files to run at certain times.
- To apply access times, select the time period in the required day column; you can highlight multiple time slots.
- Right-click and select New Allowed Period. The period becomes shaded to indicate that it is allowed.
- Repeat steps 12-13 for as many time slots and days as required.
- To add application limits, select the Application Limits tab.
- Select Enable application limits.
- Enter the number of instances of an application that a user can run during a session. For example, if the limit is set to 1 and the user already has 1 instance running, an attempt to run a second instance is not allowed. Note: this limit applies per user, not per machine.
- Click Add to add the file to the Allowed executables for the rule set.
The file is added to the Allowed Items work area.
By default, trusted ownership checking is enabled, so an application must always pass trusted ownership checking even if it is an allowed item; selecting Allow file to run even if it is not owned by a trusted owner lets you bypass that check for this item. Although trusted ownership checking can be disabled completely, this is not recommended.
The following fields can be populated: Product Name, Vendor, Company Name, File Description, File Version, and Product Version.
You can refine any of the data; select the required check box and edit the fields.
If Vendor metadata is enabled, a further option becomes available - Verify certificate at runtime. When this option is enabled, the agent verifies the certificate whilst it is matching the file. Click Verify Options to access a further set of criteria, used during file matching.
For further information, see Verify Options.
You can configure what action to take when the Access Times are exceeded in Configuration Settings > Executable Control > Access Times.
Folder
A complete folder may be specified, for example, \\servername\servershare\myfolder, and all applications within this folder, and within all of its subfolders if required, are allowed to execute. No checks are made on the files within the folder, so any file copied into this folder will be allowed to execute. Select Include subfolders to include all directories beneath the specified directory.

If you add a network file or folder path, you must use the UNC name, because the Application Control agent ignores any configured path whose drive letter is not a local fixed disk. The user can still access the network application through a mapped network drive letter, because the path is converted to UNC format before it is validated against the configuration settings.

To automatically apply environment variables, select Substitute environment variables where possible in the Add a file or Add a folder dialogs. This makes the paths more generic for applying on different machines. Wildcard support provides an additional level of control for specifying generic file paths.
- Select the Executable Control node for a rule set.
- Right-click and select Allowed > Folder. The Add a Folder dialog displays.
- In the Properties tab, click the ellipsis (...) in the text box.
- In the Open dialog, navigate to the folder that you want to add and click OK. If required, you can select the following:
  - Substitute environment variables where possible
  - Use regular expression
  - Include subfolders
- If required, enter an optional description of the folder for your future reference.
- Select Allow file to run even if it is not owned by a trusted owner to provide access to the files by a user that is not the trusted owner.
- Select Ignore Event Filtering to raise all events regardless of what has been set in the Events Selection.
- To add metadata to the folder, select the Metadata tab.
- To automatically complete the fields, select Populate metadata from file.
- To add access times, select the Access Times tab.
- Access periods can only be assigned when you check Only allow files to run at certain times.
- To apply access times, select the time period in the required day column; you can highlight multiple time slots.
- Right-click and select New Allowed Period. The period becomes shaded to indicate that it is allowed.
- Repeat steps 12-13 for as many time slots and days as required.
- Click Add to add the folder to the Allowed executable folders for the rule set.
The folder is added to the Allowed work area.
By default, trusted ownership checking is enabled, so an application must always pass trusted ownership checking even if it is an allowed item; selecting Allow file to run even if it is not owned by a trusted owner lets you bypass that check for the files in this folder. Although trusted ownership checking can be disabled completely, this is not recommended.
The following fields can be populated: Product Name, Vendor, Company Name, File Description, File Version, and Product Version.
You can refine any of the data; select the required check box and edit the fields.
If Vendor metadata is enabled, a further option becomes available - Verify certificate at runtime. When this option is enabled, the agent verifies the certificate whilst it is matching the file. Click Verify Options to access a further set of criteria, used during file matching.
For further information, see Verify Options.
You can configure what action to take when the Access Times are exceeded in Configuration Settings > Executable Control > Access Times.
Drive
You can specify a complete drive, for example, W, and all the applications on this drive are allowed to execute, including those in subfolders. No checks are made on the files on the drive, so any file copied into any folder on this drive is allowed to execute.
Enables you to specify allowed executable drives.
- Select the Executable Control node for a rule set.
- Right-click and select Allowed > Drive. The Add a Drive dialog displays.
- Enter the Drive letter you want to allow and a description.
- Click Add to add the drive item to the Allowed executables list.
File Hash
A file may be added along with a digital hash of the file. This ensures that only that particular file may be executed but from any location.
Enables you to add allowed executable items by a file hash.
- Select the Executable Control node for a rule set.
- Right-click and select Allowed > File Hash. The Add a File Hash dialog displays.
- In the Properties tab, click the ellipsis (...) in the text box.
- In the Open dialog, navigate to the file whose hash you want to add and click OK.
- Enter optional command line arguments in the Arguments text box. Enter all arguments as they appear in Process Explorer.
Command line arguments extend the matching criteria beyond what is entered in the File field. If an argument is added, both file and argument must be satisfied for a match to occur. Any argument that appears on the command line for a process, such as flags, switches, files, and GUIDs, can be added.
- If required, enter an optional description of the file hash for your future reference.
- The file hash value is displayed; select Rescan to update the file hash.
- Select Ignore Event Filtering to raise all events regardless of what has been set in the Events Selection.
- To add access times, select the Access Times tab.
- Access periods can only be assigned when you check Only allow files to run at certain times.
- To apply access times, select the time period in the required day column; you can highlight multiple time slots.
- Right-click and select New Allowed Period. The period becomes shaded to indicate that it is allowed.
- Repeat steps 12-13 for as many time slots and days as required.
- Click Add to add the file hash to the Allowed File Hash items for the rule set.
The file hash item is added to the Allowed work area.
You can configure what action to take when the Access Times are exceeded in Configuration Settings > Executable Control > Access Times.
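To make the matching rules in the File, Folder, Drive and File Hash sections concrete, here is an added Python model of how each kind of allowed item decides whether a process launch is permitted (a bare filename matches anywhere, a full path only in that location, configured arguments must also match, a folder covers its subfolders only when Include subfolders is selected, a drive covers everything on it, and a hash binds one exact file from any location). This is illustrative code written for this page, not Ivanti's implementation; the Launch type, the item tuples and the choice of SHA-256 for the hash are assumptions.

```python
import hashlib
import ntpath
from dataclasses import dataclass


@dataclass
class Launch:
    """A process start as the agent sees it (constructed sample data)."""
    path: str          # full path of the executable being launched
    args: str = ""     # arguments only, as shown in Process Explorer's Command line
    data: bytes = b""  # file contents, used by hash items only


def norm(p: str) -> str:
    """Windows paths are case-insensitive; drop trailing backslashes too."""
    return ntpath.normcase(p).rstrip("\\")


def match_file(item: str, args: str, launch: Launch) -> bool:
    """A bare filename matches in any location, a full path only in that one;
    when arguments are configured, both file and arguments must match."""
    if ntpath.dirname(item):
        file_ok = norm(item) == norm(launch.path)
    else:
        file_ok = norm(item) == norm(ntpath.basename(launch.path))
    return file_ok and (not args or args == launch.args)


def match_folder(item: str, subfolders: bool, launch: Launch) -> bool:
    """Any file in the folder runs (no per-file checks); subfolders count
    only when Include subfolders is selected."""
    parent, folder = norm(ntpath.dirname(launch.path)), norm(item)
    return parent == folder or (subfolders and parent.startswith(folder + "\\"))


def match_drive(letter: str, launch: Launch) -> bool:
    """Everything on the drive, including subfolders, runs."""
    return norm(launch.path).startswith(letter.lower() + ":\\")


def match_hash(digest: str, launch: Launch) -> bool:
    """One exact file, from any location (assumption: SHA-256; the page
    does not say which hash algorithm the product uses)."""
    return hashlib.sha256(launch.data).hexdigest() == digest


def is_allowed(items: list, launch: Launch) -> bool:
    """items are (kind, value, option) tuples; the first match allows."""
    checks = {"file": lambda v, o: match_file(v, o, launch),
              "folder": lambda v, o: match_folder(v, o, launch),
              "drive": lambda v, o: match_drive(v, launch),
              "hash": lambda v, o: match_hash(v, launch)}
    return any(checks[kind](value, opt) for kind, value, opt in items)
```

The model deliberately leaves out the trusted ownership, access time and application limit checks the page describes, so a match here only means the item itself would be satisfied.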
Rule Collection
You can add a rule collection to the allowed items for any rule set.
- Select the Executable Control node for a rule set.
- Right-click and select Allowed > Rule Collection. The Rule Collection Selection dialog displays.
- Select the Add to Rule check box for the collection(s) that you want to add to the rule set.
- Once you have selected a collection you can select:
- Allow Untrusted Owner - allows the files to run even if they are not owned by a trusted owner.
- Ignore Event Filtering - raises all events regardless of what has been set in the Events Selection.
- Click OK to add the collection(s) to the Allowed Rule Collections for the rule set.
The Rule collection is added to the Allowed work area.