Rule Collection Add File
The Add a File dialog is used to define a file rule item. This item will be added to the Rule Collection node.
- Select a Rule Collection node.
- Right-click and select File.
The Add a File dialog displays.
Properties
- Enter the File name or click the ellipsis (...) in the text box to browse to and select the file.
- In the Open dialog, navigate to the file that you want to add and click OK.
- If required, you can select the following:
- Substitute environment variables where possible
- Use regular expression
- Enter optional command line arguments in the Arguments text box. Enter all arguments as they appear in Process Explorer.
Command line arguments extend the matching criteria beyond what is entered in the File field. If an argument is added, both file and argument must be satisfied for a match to occur. Any argument that appears on the command line for a process, such as flags, switches, files, and GUIDs, can be added.
Denied File | Allowed File | Result |
---|---|---|
shutdown.exe | shutdown.exe Arguments: -r -t 30 | shutdown.exe runs only when -r -t 30 is on the command line - anything else run by shutdown.exe is denied. |
To configure the arguments of an allowed or denied item correctly, enter them exactly as they appear in Process Explorer. For example:
File: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n C:\example.docx
Would be configured as:
File: Absolute or relative path of winword.exe
Arguments: /n C:\example.docx
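The following sketch is an added illustration, not code from the product or its agent. It models the file-plus-arguments rule described above: it splits a command line as shown in Process Explorer into the File and Arguments values, then reproduces the shutdown.exe result from the table. The function names, the exact-string argument comparison, the path-tail file comparison, the allowed-before-denied ordering and the sample command lines are all assumptions made for the example.

```python
# Added illustration: a simplified model, not the Application Control agent's logic.

def split_command_line(command_line):
    """Split a Process Explorer command line into (file, arguments)."""
    text = command_line.strip()
    if text.startswith('"'):
        end = text.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quote around the executable path")
        image, rest = text[1:end], text[end + 1:]
    else:
        # Unquoted: treat everything up to the first space as the executable.
        image, _, rest = text.partition(" ")
    return image, rest.strip()

def item_matches(item, image, arguments):
    """item is (file, arguments or None); with arguments set, both must match."""
    rule_file, rule_args = item
    img, rule = image.lower(), rule_file.lower()
    # Assumption: a relative rule path matches the tail of the full image path.
    file_ok = img == rule or img.endswith("\\" + rule)
    # Assumption: arguments are compared as one exact string.
    return file_ok and (rule_args is None or rule_args == arguments)

def evaluate(command_line, allowed, denied):
    """Return 'allowed', 'denied' or 'no match' for one command line."""
    image, arguments = split_command_line(command_line)
    # Assumption: allowed items are checked first, which gives the table's result.
    if any(item_matches(i, image, arguments) for i in allowed):
        return "allowed"
    if any(item_matches(i, image, arguments) for i in denied):
        return "denied"
    return "no match"

# The rule pair from the table above.
ALLOWED = [("shutdown.exe", "-r -t 30")]
DENIED = [("shutdown.exe", None)]

# Constructed sample command lines.
SAMPLES = [
    r"C:\Windows\System32\shutdown.exe -r -t 30",
    r"C:\Windows\System32\shutdown.exe -s -t 0",
    r'"C:\Windows\System32\shutdown.exe"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{evaluate(line, ALLOWED, DENIED):8}  {line}")
```

An unquoted executable path that contains spaces cannot be split reliably this way, so copy the Arguments value from a command line where the path is quoted.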
If required, enter an optional description of the file for your future reference.
Metadata
- To add metadata to the file, select the Metadata tab.
- To automatically complete the fields select Populate metadata from file.
- The following fields can be populated: Product Name, Vendor, Company Name, File Description, File Version, and Product Version.
You can refine any of the data; select the required check box and edit the fields.
- If Vendor metadata is enabled, a further option becomes available:
- Verify certificate at runtime - when this option is enabled, the agent verifies the certificate whilst it is matching the file.
- Click Verify Options to access a further set of criteria, used during file matching.
- Click Add to add the file to the Rule Collection.
For further information, see Verify Options.