App Control: What bad write rules should be prevented?

Environment

  • App Control: All versions

Question

What bad write rules should be prevented?

Answer

A rule is prevented if it is either:

  • A write rule + targetPublisher
  • A write rule + any of the macros listed below

A write rule is defined as any of the following:

  • File integrity control
  • File creation control
  • Performance optimization
  • Advanced rule with a write operation (in the UI this is Operation=Write or Operation=Both)
  • Expert rule with one or more of the following boxes checked:
      • Write Intent
      • Write Delayed
      • Write
      • Create New
      • Mmap Write

Bad macros:

'<Sha256:', '<CertIssuer:', '<CertSerial:', '<CertSHA1:', '<CertMD5:', '<OnlyIf:BuildAttributes:',
'<OnlyIf:BuildTime:', '<OnlyIf:PrivateBuild:', '<OnlyIf:SpecialBuild:', '<OnlyIf:Comments:', '<OnlyIf:Company:',
'<OnlyIf:Copyright:', '<OnlyIf:Description:', '<OnlyIf:FileType:', '<OnlyIf:FileVersion:', '<OnlyIf:Language:',
'<OnlyIf:Manufacturer:', '<OnlyIf:OriginalName:', '<OnlyIf:PackageCode:', '<OnlyIf:ProductName:', '<OnlyIf:ProductCode:',
'<OnlyIf:ProductVersion:', '<OnlyIf:TargetOS:', '<OnlyIf:UpgradeCode:', '<OnlyIf:AboutURL:', '<OnlyIf:HelpURL:', '<OnlyIf:UpdateURL:'
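As an added example (not Carbon Black's own code), the following Python checker applies the criteria above to a simplified rule representation; the dict keys `type`, `operation`, `flags` and `target` are assumptions made for illustration, and the function reports why a rule would be prevented.

```python
from typing import Optional

# Macros that must never be combined with a write rule (list from the article).
BAD_MACROS = (
    "<Sha256:", "<CertIssuer:", "<CertSerial:", "<CertSHA1:", "<CertMD5:",
    "<OnlyIf:BuildAttributes:", "<OnlyIf:BuildTime:", "<OnlyIf:PrivateBuild:",
    "<OnlyIf:SpecialBuild:", "<OnlyIf:Comments:", "<OnlyIf:Company:",
    "<OnlyIf:Copyright:", "<OnlyIf:Description:", "<OnlyIf:FileType:",
    "<OnlyIf:FileVersion:", "<OnlyIf:Language:", "<OnlyIf:Manufacturer:",
    "<OnlyIf:OriginalName:", "<OnlyIf:PackageCode:", "<OnlyIf:ProductName:",
    "<OnlyIf:ProductCode:", "<OnlyIf:ProductVersion:", "<OnlyIf:TargetOS:",
    "<OnlyIf:UpgradeCode:", "<OnlyIf:AboutURL:", "<OnlyIf:HelpURL:", "<OnlyIf:UpdateURL:",
)
# Rule types that are write rules by definition.
WRITE_RULE_TYPES = {"file integrity control", "file creation control", "performance optimization"}
# Expert-rule checkboxes that make the rule a write rule.
WRITE_FLAGS = {"write intent", "write delayed", "write", "create new", "mmap write"}

def is_write_rule(rule: dict) -> bool:
    """Apply the article's definition of a write rule to a simplified rule dict.
    Assumed keys: 'type', plus 'operation' (advanced) or 'flags' (expert)."""
    kind = rule.get("type", "").lower()
    if kind in WRITE_RULE_TYPES:
        return True
    if kind == "advanced":
        return rule.get("operation", "").lower() in {"write", "both"}
    if kind == "expert":
        return any(flag.lower() in WRITE_FLAGS for flag in rule.get("flags", ()))
    return False

def bad_write_rule_reason(rule: dict) -> Optional[str]:
    """Return why a rule should be prevented, or None if it passes the check."""
    if not is_write_rule(rule):
        return None  # only write rules are subject to the two criteria above
    target = rule.get("target", "")
    if "targetpublisher" in target.lower():
        return "write rule combined with targetPublisher"
    for macro in BAD_MACROS:
        if macro.lower() in target.lower():
            return f"write rule combined with macro {macro}"
    return None

if __name__ == "__main__":
    # Constructed sample rule, not taken from a real App Control console.
    sample = {"type": "Advanced", "operation": "Both", "target": "<CertSHA1:abc123>\\*"}
    print(bad_write_rule_reason(sample) or "OK")
```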

Article Information

Creation Date: 08-31-2022