You can add your own exclusion rules as follows:
-
- Select Add exclusion.
- Enter a name for the rule.
- From the Event drop-down menu, select the event that triggers the rule.
The following table lists the available event types and when they are triggered.
Event | Description |
---|---|
Application start | Triggers when an executable file or script is launched. |
Module load | Triggers when a DLL is about to get loaded into a process. |
Installer start | Triggers when msiexec.exe is launched with some MSI package as a command line parameter. |
Application start and Module load | A combination of the two event types. Triggers when an executable file or script is launched and a DLL is about to get loaded into a process. |
- From the Action drop-down menu, select Allow, Block, or Allow and monitor.
- Enter a description for the rule.
- Do the following to add one or more conditions that activate the new exclusion rule:
- Select Add condition.
- From the attribute drop-down menu, select an attribute.
- From the condition drop-down menu, select a condition for the attribute.
- Enter a value for the condition.
Using attributes and conditions in rules
The following table explains the attributes that you can select to match the condition values.
Selected attribute | Description |
---|---|
Target | Values of the actual application. For example, Target file name is the actual file that you want to block. |
Parent | Values of the process that launches the application. For example, Parent file name is the file that launches the application that you want to block. |
Installer | Values of the installers (MSI installer packages). |
Note: For example, if you want to block Internet Explorer, iexplore.exe is the target and explorer.exe (Windows Explorer) is the parent.
The following table explains how different conditions work with the values that you enter.
Selected condition | Description |
---|---|
is equal to | The value must be exactly the same as the selected attribute, for example, iexplore.exe. |
is not equal to | The value may be anything except the selected attribute. |
is less than | The numeric value may be anything less than the selected attribute. |
is greater than | The numeric value may be anything greater than the selected attribute. |
is less or equal to | The numeric value may be anything less than or exactly the same as the selected attribute. |
is greater or equal to | The numeric value may be anything greater than or exactly the same as the selected attribute. |
contains | The selected attribute must contain the value, for example, explore. |
starts with | The selected attribute must start with the value, for example, ie. |
ends with | The selected attribute must end with the value, for example, explore.exe. |
Note also the following when adding conditions to an exclusion rule:
- If you use attribute Target SHA1 or Parent SHA1 in the exclusion rule condition, you have to use Application start as the event type.
- If a dynamic link library (.dll) is blocked and you want it to be whitelisted by Application Control, you have to use the Module load event type in the exclusion rule. In a case like this, you cannot therefore use attribute Target SHA1 nor Parent SHA1 in the exclusion rule.
- Attributes Target file names mismatch and Parent file names mismatch kick in when the binary filename is different from the “Original filename” found under file Properties > Details.