Environment
- App Control Agent: All Supported Versions
- App Control Console: All Supported Versions
Objective
How to use Events in the Console to create a File Creation Control Rule.
Resolution
Step 1: Determine Matching Process and File Patterns:
- Log in to the Console and navigate to Reports > Events.
- Use Filters or Saved Views to locate the matching Events, for example:
  - Saved View: New Files (Unapproved) <and/or>
  - Filters: File Path > begins with: <and/or>
  - Filters: Type > is > Discovery
- Verify the Description of the Events:
  - DiscoveredBy: [Kernel:Execute] or [IntegrityCheck] indicates the Agent did not observe the file being written, so an Execution Control Rule will likely be needed instead.
  - DiscoveredBy: [Kernel:Write] or [Kernel:Create] or [Kernel:Rename] indicates the Agent observed the Process writing the File.
- Use the Process, File Path, File Name and User columns to build the File Creation Control Rule.
Step 2: Create the Custom Rule:
- Navigate to Rules > Software Rules > Custom > Add Custom Rule.
- Using the information determined in Step 1, create a Custom Rule using the following as an example:
  - Rule Name: Accounting Software Updater
  - Status: Enabled
  - Platform: Windows
  - Rule Type: File Creation Control
  - Write Action: Approve
  - Path or File:
    C:\Program Files (x86)\Acme Accounting, Inc\*.dll
  - Process:
    C:\Program Files (x86)\Acme Accounting, Inc\AcmeUpdater.exe
  - User or Group: Local System
  - Policies: <relevant Policies where software is expected>
- Click Save & Exit.
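The triage in Step 1 and the rule parameters in Step 2 can be worked through on exported event rows. The helper below is an added example, not part of App Control or this article; it assumes rows shaped like the Reports > Events columns (Type, Description, Process, File Path, File Name, User), uses constructed sample data, and proposes a File Creation Control rule only for events whose DiscoveredBy value shows the Agent saw the write, flagging Kernel:Execute and IntegrityCheck discoveries as candidates for an Execution Control Rule instead.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample rows (not real Console data), one per Events row.
ACME_DIR = r"C:\Program Files (x86)\Acme Accounting, Inc"
ACME_UPDATER = ACME_DIR + r"\AcmeUpdater.exe"
SAMPLE_EVENTS = [
    {"Type": "Discovery", "Description": "New unapproved file. DiscoveredBy: [Kernel:Write]",
     "Process": ACME_UPDATER, "File Path": ACME_DIR, "File Name": "ledger.dll", "User": "Local System"},
    {"Type": "Discovery", "Description": "New unapproved file. DiscoveredBy: [Kernel:Create]",
     "Process": ACME_UPDATER, "File Path": ACME_DIR, "File Name": "reports.dll", "User": "Local System"},
    # Agent only saw this file at execution time, so it never observed the write.
    {"Type": "Discovery", "Description": "New unapproved file. DiscoveredBy: [Kernel:Execute]",
     "Process": ACME_DIR + r"\legacy.exe", "File Path": ACME_DIR, "File Name": "legacy.exe", "User": "jdoe"},
    # Not a Discovery event; ignored by the filter.
    {"Type": "Policy Enforcement", "Description": "Execution blocked.",
     "Process": ACME_UPDATER, "File Path": ACME_DIR, "File Name": "tmp.exe", "User": "Local System"},
]

DISCOVERED_BY = re.compile(r"DiscoveredBy:\s*\[([^\]]+)\]")
WRITE_OBSERVED = {"Kernel:Write", "Kernel:Create", "Kernel:Rename"}


def discovered_by(event):
    """Extract the DiscoveredBy value from an event Description, or None if absent."""
    m = DISCOVERED_BY.search(event.get("Description", ""))
    return m.group(1) if m else None


def propose_rules(events):
    """Return (file_creation_rules, execute_only) for Discovery events.

    Write-observed events are grouped by (Process, directory\\*.ext, User) into one
    File Creation Control proposal each; other discoveries are listed separately.
    """
    proposals = {}
    execute_only = []
    for ev in events:
        if ev["Type"] != "Discovery":
            continue
        how = discovered_by(ev)
        if how in WRITE_OBSERVED:
            # Generalise the file to a directory + extension pattern, as in Step 2.
            pattern = ev["File Path"].rstrip("\\") + "\\*" + PureWindowsPath(ev["File Name"]).suffix
            key = (ev["Process"], pattern, ev["User"])
            rule = proposals.setdefault(key, {
                "Rule Type": "File Creation Control", "Write Action": "Approve",
                "Path or File": pattern, "Process": ev["Process"],
                "User or Group": ev["User"], "Events": 0})
            rule["Events"] += 1
        else:
            execute_only.append((ev["File Path"] + "\\" + ev["File Name"], how))
    return list(proposals.values()), execute_only
```

A proposal backed by several events from the same Process and directory is a better candidate for a single wildcard rule than one seen once.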
Additional Notes
- File Creation Control rules instruct the Agent how to handle matching write operations.
- If the Discovery Events are only due to Kernel:Execute, it is possible that a Performance Optimization Rule or some other exclusion is instructing the Agent to ignore the write operations.
- By default the Agent does not block write operations.
- Unless a specific File Creation Control or File Integrity Control Rule has been created to block a matching write operation, there is no need to create a File Creation Control > Allow rule.