App Control: How To Use Windows Path Macros in a Custom Rule

By CB_Support posted Nov 17, 2022 04:48 PM

Recommend

Environment

App Control Console: All Supported Versions
App Control Windows Agent: All Supported Versions

Objective

How to properly match a Windows Path Macro in App Control against the Windows operating system.

Resolution

The Windows Path Macros in App Control will be expanded by the Agent according to either the CSIDL or KNOWNFOLDERID depending on the version of Windows the Agent is installed on.

Windows Vista and later will use KNOWNFOLDERID.
Older versions of Windows will use CSIDL.

It is important to verify the Macro being used will expand correctly based on the operating system in use on the endpoint, as the Known Folder ID could expand differently than the CSIDL would. As an example:

Example: <CommonAppData>\Acme Accounting\*.dll

FOLDERID_ProgramData: C:\ProgramData\Acme Accounting\*.dll
CSIDL_COMMON_APPDATA: C:\Documents and Settings\All Users\Application Data\Acme Accounting\*.dll

Additional Notes

Currently the use of Wildcards inside a Path Macro is not supported.
Path Macros can only be used at the beginning of the specified Path (no other text before it).
OnlyIf and Registry Macros can be used anywhere in the specified Path.
The full list of Windows Path Macros can be found on VMware Docs > Server Documentation > relevant version > Custom Software Rules > Specifying Paths and Processes > Using Macros in Rules.
Path Macros represent a directory and a delimiter (slash or backslash) will be added automatically if it is not added in the Path.
If a Custom Rule is expected to be effective as soon as possible after a user logs on, do not use any of the Per User Macros, and do not specify a User Group in the Custom Rule. Rules that specify a username or SID are always active and won't be affected by this delay.

Blog Viewer