Allowlisting rules

Overview

The easiest way to think about the rules:

1. Is the application allowed to execute?
   1. You can match the target application using
      1. File attributes - file hash, file name, or file path
      2. Publisher certificate thumbprint
      3. Certificate elements - CN, O, OU, C etc.
   2. If you trust the application, you can allow execution of child processes by this application
2. If allowed to execute, can application elevate?
   1. You can block elevation, automatically elevate application, or allow users to request elevation

Example rule for Slack - this is a local rule and will only be applied to the current organization, we match the application using the publisher certificate, allow application execution along with child processes, and allow the application to automatically elevate as admin.

Example rule for AnyDesk - this is a local rule that will only apply to a certain customer, it matches the application that is legitimately signed by AnyDesk Software GmbH, we allow execution, and offer users the option to request elevation.

Catalog rules

Idemeum comes pre-configured with allowlisting and elevation rules for most common applications. We constantly update applications to make sure the rules are current and do not create any disruptions. With a click of a button you can allow most used applications in your environment.

• Navigate to the admin portal of your organization / customer
• Access Events → Rules → Add rule → Catalog rule

• Choose the rules that you want by selecting the applications

• Save the configuration and the rules will be automatically added

Manual rules

Create from event

If you want to create your own custom rules or allow applications that are not listed in idemeum catalog, you can simply do that from the event. Launch the application you want to allowlist (or trigger elevated launch), the event will be generated and sent to the cloud. Now you can create rule from the event.

• Navigate to the admin portal of your organization / customer
• Access Events section
• Search for the application / event that you want to create a rule for
• Click on ... and choose to create a global or a local rule

• All metadata for the event will be pre-populated and you can choose how you would like to match the application and what execution policy to apply.

• Save the rule

Create manually

If you want to create a rule completely from scratch, you can do that by creating rule manually and filling out the metadata yourself.

• Navigate to the admin portal of your organization / customer
• Access Events → Rules and then click on Add rule → Manual rule
• You can now fill out the rule information manually

Regular expressions (regex)

Idemeum rule engine supports regular expressions when matching the applications using various attributes. We support regex for file name, file path, and certificate elements. We use case-insensitive match. Here are some examples:

FILE NAME

^msedge.exe$ - match the exact file name for edge browser
.*video.* - match any filename that contains video

FILE PATH

C:\Program Files\WindowsApps\.*linkedin.* - match the path that starts with C:\Program Files\WindowsApps\ and then contains linkedin in the path

CERTIFICATE ELEMENTS

Microsoft.* - use this in O for certificate element to match anything that is signed by organization that contains Microsoft