# Allowlisting overview

> Control what is allowed to run on Windows and macOS, block malware.

## Allowlisting demo

<Columns cols={2}>
  <Card title="Allowlisting for Windows" icon="video" href="https://www.youtube.com/watch?v=GY2m-_UfRvc">
    YouTube video for Windows allowlisting
  </Card>

  <Card title="Allowlisting for macOS" icon="video" href="https://www.youtube.com/watch?v=NnLWutlddJc">
    YouTube video for macOS allowlisting
  </Card>
</Columns>

## What is allowlisting?

<Check>
  Allowlisting (formerly known as whitelisting) is a proactive cybersecurity practice that permits only explicitly pre-approved applications on your workstations. Operating on a `deny-by-default` principle, it blocks everything not on the approved list, significantly reducing risks from unknown malware, ransomware, and unauthorized access. 
</Check>

Instead of trying to block everything that is bad in your environment, you explicitly allow the applications that need to run on user workstations. In simple terms, you allow only the applications you trust and block everything else, including malware and ransomware. When the idemeum agent is installed, it intercepts every process execution event and applies a `Default deny` policy: if an application is not explicitly trusted, it is not allowed to run.

Allowlisting takes a different approach from classic block-listing:

| Security                                                             | How it works                                                                                                                        |
| -------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| <Badge color="blue" icon="filter-circle-xmark">Block-listing</Badge> | Default allow policy with certain apps blocked. This is a cat-and-mouse game: you have to constantly track what is bad and update your rules. |
| <Badge color="purple" icon="shield-check">Allowlisting</Badge>       | Default deny policy with certain apps allowed. You only allow what you need and do not worry about malicious applications.          |

## Allowlisting primary features

<AccordionGroup>
  <Accordion title="OS binary trust" icon="binary">
    Idemeum automatically trusts Microsoft Windows files that are marked as `OSBinary`. These files are critical for OS operation, so idemeum does not interrupt any critical system flows. As a result, you can update and use Windows normally.
  </Accordion>

  <Accordion title="Granular rule engine" icon="pen-ruler">
    Idemeum offers a granular rule engine to define what applications are allowed in your environment. Not only can you define what is allowed to `run` (leveraging file attributes, publisher certificate thumbprints, or certificate elements), but you can also define if the application is allowed to `elevate` automatically or not.
  </Accordion>

  <Accordion title="Application fencing" icon="fence">
    When you allow an application, you can also define what that application is allowed to do. If you trust an application from a verified publisher, there is no need to track every single thing this application is doing and launching. Idemeum will do that for you by constructing and tracking the process chain. If you prefer, you can list the specific executables that your trusted application is allowed to run.
  </Accordion>

  <Accordion title="Application catalog" icon="square-list">
    Idemeum offers a pre-configured rules catalog that covers the most commonly used Windows and macOS applications. With a click of a button you can allow an application in your environment.
  </Accordion>

  <Accordion title="App store control" icon="store">
    Not only can you control executables installed directly on your workstations, but you can also control which applications can be delivered from the Windows and Apple stores.
  </Accordion>
</AccordionGroup>
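
A simplified model of the default-deny decision and application fencing described above, as an added example (not idemeum's code or rule format). The `Rule` and `Exec` classes, the verdict strings, and the placeholder thumbprint and hash values are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional
# Hypothetical model for illustration only; not idemeum's rule engine.
@dataclass(frozen=True)
class Rule:
    name: str
    thumbprint: str = ""               # publisher certificate thumbprint
    sha256: str = ""                   # file hash (one kind of file attribute)
    elevate: bool = False              # may the app elevate automatically?
    children: Optional[tuple] = None   # None: trust the whole process chain

@dataclass(frozen=True)
class Exec:
    path: str
    sha256: str = ""
    thumbprint: str = ""
    os_binary: bool = False            # marked as an OS binary
    parent: Optional["Exec"] = None    # launching process, if known

def match(ev, rules):
    return next((r for r in rules if (r.thumbprint and r.thumbprint == ev.thumbprint)
                 or (r.sha256 and r.sha256 == ev.sha256)), None)

def decide(ev, rules):
    """Return (verdict, reason) for one process execution event."""
    if ev.os_binary:
        return "allow", "os-binary"
    rule = match(ev, rules)
    if rule:
        return ("allow+elevate" if rule.elevate else "allow"), rule.name
    anc = ev.parent
    while anc:                         # walk up the process chain
        r = match(anc, rules)
        if r:                          # nearest explicitly trusted ancestor
            exe = ev.path.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if r.children is None or exe in r.children:
                return "allow", "chain:" + r.name
            return "deny", "fence:" + r.name
        anc = anc.parent
    return "deny", "default-deny"      # nothing trusted this executable

# Constructed sample data (placeholders, not real thumbprints or hashes)
RULES = [
    Rule("vendor-a", thumbprint="THUMB-A"),
    Rule("admin-tool", sha256="HASH-B", elevate=True),
    Rule("vendor-c", thumbprint="THUMB-C", children=("helper.exe",)),
]
SHELL = Exec(r"C:\Windows\explorer.exe", os_binary=True)
APP_A = Exec(r"C:\Apps\a.exe", thumbprint="THUMB-A", parent=SHELL)
APP_C = Exec(r"C:\Apps\c.exe", thumbprint="THUMB-C", parent=SHELL)
```

In this model a child started through an OS binary such as a command shell still inherits trust from the allowed ancestor above it, which is the case an explicit child list narrows.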
