
This help page is for version 9.2. The latest available help is for version 9.4.

Trusted Lists

To make administration of the Trusted Application Rules easier, attributes of files and the processes accessing them can be compared against lists of trusted values, rather than needing to specify each situation explicitly. Many of the built-in Statements refer to these lists implicitly. See below to learn about each list.

Your own rules can refer to these lists using the IN operator.
Example:
(FILE_PATH IN Admin_Only_Apps)

Admin_Only_Apps
This is a list of applications that are typically only used by administrators. They are also often used by hackers to do reconnaissance once they have a foothold in a network. It is uncommon for end users to use these applications, so seeing them run on an Endpoint could be cause for suspicion. If an admin is doing some work on an end-user's computer and needs to use these applications, they could temporarily disable Trusted Application Checking on that particular Endpoint using the Endpoint Operations node in the Console.
Command_Hosts
Applications in this list need to be checked more carefully because they can generally be scripted, and some scripts might cause problems. Files being accessed by applications in this list should be checked more thoroughly, such as making sure (script) files can only be read from protected/trusted locations. This list is used by the FILE_IS_COMMAND_HOST and PROCESS_IS_COMMAND_HOST statements. It is recommended to NOT add files in this list to the Trusted Applications list, otherwise they will run with fewer checks.
Custom Lists
These lists are to make your rules simpler. For example, instead of a rule referring to 3 or 4 usernames, you can put those usernames in a custom list, and then have the rule check whether the USER_NAME variable is IN the list. This could also be used for hostnames, file paths, etc. The Custom Lists can be renamed to make them easier to understand when looking at them in a rule. For example, CUSTOM_LIST2 might be renamed to EXECUTIVE_USERS, or CUSTOM_LIST3 might be renamed to SQL_SERVERS.

The following characters cannot be used in a Custom List name: (space) (tab) (new line) , = ! < > ( ) " \

Example: (USER_NAME IN CUSTOM_LIST2)
Example: (HOST_NAME IN SQL_SERVERS)
Executable_Extensions
This is a simple list of file extensions that can be used with the FILE_HAS_EXECUTABLE_EXTENSION or FILE_HAS_EXECUTABLE_OR_SCRIPT_EXTENSION statements.

Trusting file extensions can be a shortcut but it may not be safe. It is important to realize many files can use the wrong extension but still retain their full functionality.
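
The check below illustrates that caveat by comparing a file's extension with its actual content. It is an added example, not part of the product or its rule language; the extension set, the function names and the sample bytes are assumptions constructed for illustration.

```python
import struct
from pathlib import PurePath

# Assumed sample of extensions; the actual contents of the product's
# Executable_Extensions list are not shown on this page.
SAMPLE_EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx"}


def looks_like_pe(data: bytes) -> bool:
    """Return True if data has a DOS header that points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    # e_lfanew: little-endian offset of the PE header, stored at 0x3C.
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def classify(file_name: str, data: bytes,
             exec_exts=SAMPLE_EXECUTABLE_EXTENSIONS) -> str:
    """Compare what the extension claims with what the content is."""
    has_exec_ext = PurePath(file_name).suffix.lower() in exec_exts
    is_pe = looks_like_pe(data)
    if is_pe and has_exec_ext:
        return "executable"
    if is_pe:
        return "executable content, non-executable extension"
    if has_exec_ext:
        return "executable extension, content is not PE"
    return "not executable"


def make_minimal_pe_stub() -> bytes:
    """Constructed sample: 64-byte DOS header (e_lfanew=0x40) plus PE signature."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00"


if __name__ == "__main__":
    pe = make_minimal_pe_stub()
    samples = [("setup.exe", pe), ("notes.txt", pe),
               ("readme.exe", b"plain text"), ("notes.txt", b"plain text")]
    for name, data in samples:
        print(f"{name:12} -> {classify(name, data)}")
```

The second sample is the case the warning is about: a rule that trusts the extension alone would treat that file as harmless text.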

Full_Access_Users
This list is for user accounts that should not be blocked. Typically it would be for operating system accounts such as NT AUTHORITY\SYSTEM. This list is used by the statement USER_IS_FULL_ACCESS.
Script_Extensions
This is a simple list of file extensions that are often seen with script files. This list is used with the FILE_HAS_EXECUTABLE_OR_SCRIPT_EXTENSION statement.
Security_Applications
Processes in this list are considered completely safe and they won't be monitored at all. This means these applications can't be misused to cause problems. Typically anti-virus and other security applications such as Windows Defender would be in this list. Backup programs could also be added to this list if they can't be used in a destructive manner (no destructive command line or scripting options).
Text_Extensions
This is a list of file extensions that are usually text files. This list is used with the FILE_HAS_TEXT_EXTENSION statement.
Trusted_Applications
The processes in this list are considered safe. They will be reflected in the PROCESS_IS_TRUSTED statement. If a process in this list changes (size, digital signature, etc.) it will need to be added to the list again. It is recommended to NOT add Command Host files to this list since they may not be safe depending on what script they are given.
Trusted_Publishers
This is a list of digital signers of executable programs, DLLs, OCXs, drivers, etc. Applications and even files can be checked to see if they are signed by a known application publisher. If a file or process is not digitally signed, it should be checked more thoroughly. This list of Trusted Publishers can be built up by requesting monitored servers and optionally client endpoints to scan all currently installed executable files and add their digital signers to the Trusted Publishers list. This list is used by the FILE_SIGNED_BY_TRUSTED and PROCESS_SIGNED_BY_TRUSTED statements.

Read about Statements next.
