This help page is for version 9.0. The latest available help is for version 9.4.
Trusted Application (Application Whitelisting) Statements
Each time a file is accessed, data about the file and also about the process accessing the file is made available to
Trusted Application Rules. The rules are evaluated and access to the file is either allowed or denied based on the outcome
of the evaluation. Rules are made up of logical checks against Statements.
Each statement below evaluates to True or False, or to a string value for the file access that is being checked. Comparisons (such as
comparing a value to a string) are case insensitive. You can read more about each statement below.
Note that file extensions don't guarantee the type of file but serve as a hint in most cases.
- FILE_EXTENSION
- Evaluates to a string containing the file extension including dot. Example: (FILE_EXTENSION = ".exe")
- FILE_HAS_EXECUTABLE_EXTENSION
- Evaluates to True or False. The file's extension is checked against the Executable Extensions list, and if found, the statement
evaluates to True, otherwise to False. Example: (FILE_HAS_EXECUTABLE_EXTENSION = True)
- FILE_HAS_EXECUTABLE_OR_SCRIPT_EXTENSION
- Evaluates to True or False. The file's extension is checked against the Executable Extensions list and the Script Extensions list,
and if found in either, the statement evaluates to True, otherwise to False. Example: (FILE_HAS_EXECUTABLE_OR_SCRIPT_EXTENSION = False)
- FILE_HAS_TEXT_EXTENSION
- Evaluates to True or False, based on whether the file's extension is found in the Text Extensions list. Example: (FILE_HAS_TEXT_EXTENSION = True)
- FILE_IS_COMMAND_HOST
- Evaluates to True or False, depending on whether the file name (excluding path) is found in the Command Hosts list. If CMD.EXE was in the
Command Hosts list, both C:\cmd.exe and C:\Windows\System\cmd.exe would evaluate to True. Example: (FILE_IS_COMMAND_HOST = False)
- FILE_IS_DLL
- Evaluates to True or False, depending on whether the file is an DLL file based on a check of the file header. This is slower, but more trustworthy than
the FILE_HAS_EXECUTABLE_EXTENSION check. Typically .DLL, .CPL, .OCX, etc files will meet the criteria. Example: (FILE_IS_DLL = True)
- FILE_IS_EXECUTABLE
- Evaluates to True or False, depending on whether the file is an executable file based on a check of the file header. This is slower, but more trustworthy than
the FILE_HAS_EXECUTABLE_EXTENSION check. Typically only .EXE files will meet the criteria. Example: (FILE_IS_EXECUTABLE = True)
- FILE_IS_SIGNED
- Evaluates to True or False. The file is checked for a digital signature, and if found, the result is True. Example: (FILE_IS_SIGNED = True)
- FILE_IS_TEXT_FILE
- Evaluates to True or False. The file is opened and inspected using heuristics to determine whether it appears to be a text file or not.
Example: (FILE_IS_TEXT_FILE = True)
- FILE_PATH
- Evaluates to string containing the full path of the file. Example: (FILE_PATH = "C:\Users\Bob\Documents\Bob's Updates.docx")
- FILE_PATH_IN_CLOUD_FOLDER
- Evaluates to True or False indicating if the file is located within a cloud product folder. OneDrive, Google Drive and DropBox are currently detected and supported. Example: (FILE_PATH_IN_CLOUD_FOLDER = True)
- FILE_PATH_IN_EXTERNAL_DRIVE
- Evaluates to True or False indicating if the file is located on an external drive, such as a USB thumb drive. Example: (FILE_PATH_IN_EXTERNAL_DRIVE = True)
For the FILE_RENAME_DEST_xxx statements below, IF the file operation is a Move/Rename, then these statements are filled in with the new filename. If the file operation is not a Move/Rename, then they will have the same value as the FILE_PATH_xxx statements above.
- FILE_RENAME_DEST_EXTENSION
- The extension of the file in FILE_RENAME_DEST_PATH.
Example: (FILE_RENAME_DEST_EXTENSION = ".docx")
- FILE_RENAME_DEST_PATH
- The destination name of a file Move/Rename operation.
Example: (FILE_RENAME_DEST_PATH = "D:\My-Backup-Files\Secret.docx")
- FILE_RENAME_DEST_PATH_IN_CLOUD_FOLDER
- Evaluates to True or False, and will be True if FILE_RENAME_DEST_PATH is within a cloud folder (OneDrive, Google Drive or DropBox).
Example: (FILE_SHA256 = "588A31053B19A3E8F5B4E7EF16AC9C45862EB097E9403739B59E0FD437D623EA")
- FILE_RENAME_DEST_PATH_IN_EXTERNAL_DRIVE
- Evaluates to True or False, and will be True if FILE_RENAME_DEST_PATH is on an external drive, such as a USB thumb drive.
Example: (FILE_SHA256 = "588A31053B19A3E8F5B4E7EF16AC9C45862EB097E9403739B59E0FD437D623EA")
- FILE_SHA256
- Evaluates to a string consisting of the SHA256 hash of the file. This requires opening and reading the entire file to compute the hash.
Example: (FILE_SHA256 = "588A31053B19A3E8F5B4E7EF16AC9C45862EB097E9403739B59E0FD437D623EA")
- FILE_SIGNED_BY
- Evaluates to a value extracted from the file's digital signature. If there is no digital signature the value will be an empty string.
Example: (FILE_SIGNED_BY = "Power Admin LLC") OR (FILE_SIGNED_BY = "")
- FILE_SIGNED_BY_TRUSTED
- Evaluates to True or False. The file's digital signature signer is extracted (see FILE_SIGNED_BY) and that value is searched for in the Trusted Publishers list.
If found, the statement evalutes to True. Example: (FILE_SIGNED_BY_TRUSTED = True)
- HOST_NAME
- Evaluates to a string containing the hostname where the rule is being run. Example: (HOSTNAME = "MSDC1")
- PROCESS_IS_COMMAND_HOST
- Evaluates to True or False. The current process name (without the path) that is reading the file being checked is compared to the Command Host list.
If it is found in the list, the statement evaluates to True. Example: (PROCESS_IS_COMMAND_HOST = True)
- PROCESS_IS_SIGNED
- Evaluates to True or False. Indicates whether the process's executable file contains a digital signature. Example: (PROCESS_IS_SIGNED = False)
- PROCESS_IS_TRUSTED_APP
- Evaluates to True or False. The process' path is compared against entries in the Trusted Applications list and evaluates to True if a match is found, and details about
the file (signer, date, size) also match what was added to the list.
Example: (PROCESS_IS_TRUSTED = True)
- PROCESS_PATH
- Evaluates to a string consisting of the process' executable file path, without any command line arguments. Example: (PROCESS_PATH = "C:\Windows\Notepad.exe")
- PROCESS_PATH_IN_CLOUD_FOLDER
- Evaluates to True or False, and is True if the process is running from within a cloud folder (OneDrive, Google Drive or DropBox). Example: (PROCESS_PATH_IN_CLOUD_FOLDER = false)
- PROCESS_SHA256
- Evaluates to a string containing the SHA256 hash of the process' executable file. This requires opening and reading the entire executable process file.
Example: (PROCESS_SHA256 = "A9E8AD0792B546A4A8CE49EDA82B327AD9581141312EFEC3AC6F2D3AD5A05F17")
- PROCESS_SIGNED_BY
- Evaluates to a string containing the process file's digital signature signer, or an empty string if there is no digital signature. Example:
(PROCESS_SIGNED_BY = "Microsoft Windows")
- PROCESS_SIGNED_BY_TRUSTED
- Evaluates to True or False. The process file's digital signature signer is extracted and then checked against the Trusted Publishers list. If found the
statement evaluates to True. Be cautious with this since most Command Host processes (like cmd.exe and powershell.exe) are signed by a trusted company.
Example: (PROCESS_SIGNED_BY_TRUSTED = True)
- USER_GROUPS
- Evalulates to a comma separated list of all the groups (local and Active Directory) that the user requesting the file read is a member of. Because some
group names might contain other group names ("Administrators" could be a substring of "Domain Administrators") it is best to do comparisons with a
comma at the start and end of the target group being checked for. Also, wildcards will be needed to ignore the rest of the string in a comparison. In this
example, the user is being checked to see if they are part of the local Administrators group:
(USER_GROUPS = "*,Administrators,*")
Comparing against
"*Administrators*" could match against Administrators, Domain Administrators, Print Administrators or even HRAdministrators.
- USER_IS_FULL_ACCESS
- This evaluates to True or False depending on if the user (USER_NAME value) is found in the Full Access Users list. Example: (USER_IS_FULL_ACCESS = True)
- USER_NAME
- Evaluates to a string of the logged in user, using domain\username format. Example: (USER_NAME = "OFFICE\Bob")
Learn about Trusted Application Rules next.