Skip to main content

📁 Allowlisting

Overview (AL)

Allow only software that you need – block malware, ransomware, and other untrusted applications.

Overview

Instead of blocking everything that is bad in your environment, you explicitly allow what applications need to run on user workstations. In simple terms, you only allow applications that you trust, and block everything else, including malware and ransomware. When idemeum agent is installed, it intercepts every process execution event and applies Default deny policy - if application is not explicitly trusted, it is not allowed.

Allowlisting does not follow the same philosophy of classic blocklisting approach:

  • Blocklisting → default allow policy with certain apps blocked. Cat and mouse game, you have to constantly track what is bad and update your rules.
  • Allowlisting → default deny policy with certain apps allowed. You only allow what you need and do not worry about malicious applications.

Supported platforms

  • Windows 10, 11

Features

  • OSBinary trust - idemeum automatically trusts Microsoft Windows files that are marked as OSBinary. These files are critical for OS operation, and idemeum is not interrupting any critical system flows. As a result you can update and user Windows OS normally.
  • Critical binaries control - some Windows executables, while legitimately signed and represent core OS functions, can be abused by ransomware and living-off-the-land malware. As a result, idemeum automatically excludes these binaries from implicit trust, giving you total control of what is allowed. We rely on guidance from Microsoft and LOLBAS project to enumerate critical executables.
  • Child execution control - if you trust an application from verified publisher, there is not need to track every single thing this application is doing and launching. Idemeum will do that for you by constructing and tracking the process chain.
  • Application catalog - idemeum offers a pre-configured rules catalog to cover most commonly used Windows applications. With a click of a button you can allow an application in your environment.
  • Granular rule engine - idemeum offers a granular rule engine to define what applications are allowed in your environment. Not only can you define what is allowed to run (leveraging file attributes, publisher certificate thumbprints, or certificate elements), but you can also define if the application is allowed to elevate automatically or not.
  • Microsoft store control - not only can you control executables directly installed on your workstations, but also control what applications can be delivered from Windows Store.