Environment

• App Control Agent: All Supported Versions
• App Control Console: All Supported Versions

Objective

Resolution

1. Log in to the Console and navigate to Reports > Events.
2. Use the Filters or Saved Views to locate the matching Events, examples:
   • Saved View: New Files (Unapproved)  <and/or>
   • Filters: File Path > begins with:  <and/or>
   • Filters: Type > is > Discovery
3. Verify the Description of the Events:
   • DiscoveredBy: [Kernel:Execute] or [IntegrityCheck] indicates the Agent did not observe the file being written, and an Execution Control Rule likely will be needed instead.
   • DiscoveredBy: [Kernel:Write] or [Kernel:Create] or [Kernel:Rename] indicates the Agent observed the Process writing the File.
4. Use the Columns for Process, File Path, File Name and User to help create the File Creation Control Rule.

1. Navigate to Rules > Software Rules > Custom > Add Custom Rule.
2. Using the information determined in Step 1, create a Custom Rule using the following as an example:
   • Rule Name: Accounting Software Updater
   • Status: Enabled
   • Platform: Windows
   • Rule Type: File Creation Control
   • Write Action: Approve
   • Path or File: 

     C:\Program Files (x86)\Acme Accounting, Inc\*.dll

   • Process: 

     C:\Program Files (x86)\Acme Accounting, Inc\AcmeUpdater.exe

   • User or Group: Local System
   • Policies: <relevant Policies where software is expected>
3. Click Save & Exit.

Additional Notes

• File Creation Control rules instruct the Agent how to handle matching write operations.
• If the Discovery Events are only due to Kernel:Execute it's possible a Performance Optimization Rule or some other exclusion is instructing the Agent to ignore the write operations.
• By default the Agent does not block write operations.
• Unless a specific File Creation Control or File Integrity Control Rule has been created to block a matching write operation, there is no need to create a File Creation Control > Allow rule.