Application Definitions

An application definition matches only when every enabled criterion in it matches: Endpoint Privilege Management for Windows combines the criteria with a logical AND, so adding a criterion always narrows the definition, never widens it.

Application definitions that require a match can also be negated. To target applications that do not match the definition, select does NOT match from the dropdown.

ActiveX Codebase Matches

When inserting ActiveX controls, this is enabled by default and we recommend you use this option in most circumstances. You must enter the URL to the codebase for the ActiveX control. You can choose to match based on the following options (wildcard characters ? and * may be used):

  • Exact Match
  • Starts With
  • Ends With
  • Contains
  • Regular Expressions

Although you can enter a relative codebase name, we strongly recommend you enter the full URL to the codebase, as it is more secure.

ActiveX Version Matches

If the ActiveX control you entered has a version property, then you can choose Check Min Version and/or Check Max Version and edit the respective version number fields.

App ID Matches

Use to match the App ID of the COM class, which is a GUID used by Windows to set properties for a CLSID. AppIds can be used by one or more CLSIDs.

The available operators are identical to those for the File or Folder Name definition.

Application Requires Elevation (UAC)

Use to check if an executable requires elevated rights to run and would cause UAC (User Account Control) to trigger. This is a useful way to replace inappropriate UAC prompts with Endpoint Privilege Management for Windows end user messages to either block or prompt the user for elevation.

This is supported on install only.

Uninstaller

This option allows you to match on any uninstaller type (MSI or EXE).

BeyondTrust Zone Identifier Exists

This option allows you to match on the BeyondTrust Zone Identifier tag, where present. If an Alternate Data Stream (ADS) tag is applied by the browser, we also apply a BeyondTrust Zone Identifier tag to the file. The BeyondTrust Zone Identifier tag can be used as matching criteria if required.

CLSID Matches

This option allows you to match the class ID of the ActiveX control or COM class, which is a unique GUID stored in the registry.

COM Display Name Matches

If the class you entered has a Display Name, then it is automatically extracted and you can choose to match on this property. By default, a substring match is attempted (Contains). Alternatively, you may choose to pattern match based on either a wildcard match (? and *) or a regular expression. The available operators are identical to those for the File or Folder Name definition.
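The CLSID, App ID, COM Display Name and File or Folder Name (COM server) definitions above all read values that live under HKEY_CLASSES_ROOT. The following function, added here as an example and not BeyondTrust's own code, resolves those values for a given class ID so they can be pasted into a definition. It assumes Windows PowerShell 5.1 or later; the CLSID used as sample input is the well-known Shell "Computer" folder object.

```powershell
# Added example (not BeyondTrust code): look up the registry facts that the CLSID,
# App ID, COM Display Name and COM-server path definitions match on.
function Get-ComClassInfo {
    param([Parameter(Mandatory)][string]$Clsid)

    # Normalise to {GUID} form so the registry path is built the same way every time
    $guid = '{' + ([guid]$Clsid).ToString().ToUpper() + '}'
    $hive = 'Registry::HKEY_CLASSES_ROOT'   # merged view of HKLM and HKCU class registrations
    $key  = "$hive\CLSID\$guid"
    if (-not (Test-Path $key)) { throw "CLSID $guid is not registered" }

    $props = Get-ItemProperty -Path $key
    $info = [ordered]@{
        CLSID          = $guid
        DisplayName    = $props.'(default)'   # what "COM Display Name Matches" compares against
        AppID          = $props.AppID         # what "App ID Matches" compares against (optional)
        AppIDName      = $null
        ServerType     = $null
        ServerPath     = $null
        ThreadingModel = $null
    }

    # An AppID is optional; when present its own key may carry a friendly name
    if ($info.AppID -and (Test-Path "$hive\AppID\$($info.AppID)")) {
        $info.AppIDName = (Get-ItemProperty "$hive\AppID\$($info.AppID)").'(default)'
    }

    # The COM server is either an in-process DLL or an out-of-process EXE
    foreach ($sub in 'InprocServer32', 'LocalServer32') {
        if (Test-Path "$key\$sub") {
            $srv = Get-ItemProperty "$key\$sub"
            $info.ServerType = $sub
            # Server paths are often stored as REG_EXPAND_SZ with %SystemRoot%; expand so the
            # value lines up with a full-path File or Folder Name definition
            $info.ServerPath     = [Environment]::ExpandEnvironmentVariables([string]$srv.'(default)')
            $info.ThreadingModel = $srv.ThreadingModel
            break
        }
    }
    [pscustomobject]$info
}

# Sample input: the Shell "Computer" / "This PC" object
Get-ComClassInfo -Clsid '20D04FE0-3AEA-1069-A2D8-08002B30309D' | Format-List
```

Running it as a standard user is enough, because HKEY_CLASSES_ROOT is world-readable. When the ServerPath points into a user-writable location rather than %SystemRoot%, prefer a Publisher or File Hash criterion over a path-only definition, since a standard user could replace the server binary.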

Command Line Matches

If the filename is not specific enough, you can match the command line, by checking this option and entering the command line to match. By default, a substring match is attempted (Contains). Alternatively, you may choose to pattern match based on either a wildcard match (? and *) or a regular expression. The available operators are identical to those for the File or Folder Name definition.

PowerShell removes double quotes from command strings prior to transmitting to the target. Therefore, we do not recommend that Command Line definitions include double quotes, as they fail to match the command.

Controlling Process Matches

This option allows you to target content based on the process (application) that is used to open the content file. The application must be added to an Application Group. You can also define whether any parent of the application matches the definition.

Drive Matches

This option can be used to check the type of disk drive where the file is located. Choose from one of the following options:

  • Fixed disk: Any drive that is identified as being an internal hard disk.
  • Network: Any drive that is identified as a network share.
  • RAM disk: Any drive that is identified as a RAM drive.
  • Any Removable Drive or Media: If you want to target any removable drive or media, but are unsure of the specific drive type, choose this option, which matches any of the removable media types below. Alternatively, if you want to target a specific type, choose from one of the following removable media types:
    • Removable Media: Any drive that is identified as removable media.
    • USB: Any drive that is identified as a disk connected by USB.
    • CD/DVD: Any drive that is identified as a CD or DVD drive.
    • eSATA Drive: Any drive that is identified as a disk connected by eSATA.

File or Folder Name Matches

Applications are validated by matching the file or folder name. You can choose to match based on the following options (wildcard characters ? and * may be used):

  • Exact Match
  • Starts With
  • Ends With
  • Contains
  • Regular Expressions

Although you can enter relative filenames, we strongly recommend you enter the full path to a file or the COM server. Environment variables are also supported.

We recommend that you do not use the definition File or Folder Name does NOT Match in isolation for executable types, as it results in matching every application, including hosted types, such as installer packages, scripts, batch files, registry files, management consoles, and Control Panel applets.

When creating blocking rules for applications or content, and the File or Folder Name is used as matching criteria against paths which exist on network shares, this should be done using the UNC network path and not by the mapped drive letter.

For more information, see Regular Expressions Syntax.
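Before a File or Folder Name or Command Line definition is deployed, it is worth seeing which processes it would actually catch on a reference machine. The function below is an added example (not the product's own matching engine): it approximates the documented operators, the ? and * wildcards and the environment-variable expansion described on this page, and runs the pattern over the processes currently visible through WMI. The operator semantics are an emulation, so treat a match here as a strong hint rather than a guarantee of what the agent will decide.

```powershell
# Added example (not BeyondTrust code): dry-run a proposed File or Folder Name or
# Command Line definition against running processes. Operator behaviour is an
# approximation of the page's description, not the product's code.
function Test-AppDefinition {
    param(
        [Parameter(Mandatory)][ValidateSet('Exact','StartsWith','EndsWith','Contains','Regex')]
        [string]$Operator,
        [Parameter(Mandatory)][string]$Pattern,
        [ValidateSet('Path','CommandLine')][string]$Field = 'Path',
        [switch]$Negate   # emulate "does NOT match"
    )

    # Environment variables are expanded before the match is attempted, as the page states
    $expanded = [Environment]::ExpandEnvironmentVariables($Pattern)

    # Non-regex operators become one -like expression (case-insensitive, ? and * honoured).
    # A literal '[' in a path would need escaping as '[[]' for -like.
    $wild = switch ($Operator) {
        'Exact'      { $expanded }
        'StartsWith' { "$expanded*" }
        'EndsWith'   { "*$expanded" }
        'Contains'   { "*$expanded*" }
    }

    Get-CimInstance Win32_Process | ForEach-Object {
        $value = if ($Field -eq 'Path') { $_.ExecutablePath } else { $_.CommandLine }
        if (-not $value) { return }   # protected/system processes expose no path or command line
        $hit = if ($Operator -eq 'Regex') { $value -match $expanded } else { $value -like $wild }
        if ($hit -xor $Negate) {
            [pscustomobject]@{ PID = $_.ProcessId; Name = $_.Name; Matched = $value }
        }
    }
}

# Which processes run out of the per-user profile? (the usual "nothing from LOCALAPPDATA" rule)
Test-AppDefinition -Operator StartsWith -Pattern '%LOCALAPPDATA%\'

# Which command lines carry a base64-encoded PowerShell payload? The pattern deliberately
# contains no double quotes: the page notes they are stripped before the match is attempted.
Test-AppDefinition -Field CommandLine -Operator Regex -Pattern 'powershell.*-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}'
```

Run it from an elevated prompt to see other users' and service processes; a standard user only sees their own. Pairing the StartsWith example with -Negate reproduces the "does NOT match" trap the page warns about: the inverted path rule matches every process that is not in the profile, which is almost everything.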

File Hash (SHA-1) Matches

If a reference file is entered, then a SHA-1 hash of the application is generated. This definition pins the exact binary: any change to the file, even a single byte, produces a different hash and the definition no longer matches. The trade-off is that a hash definition must be updated every time the application is patched.

File Hash (SHA-256) Matches

Set the SHA-256 file hash on an application. On the Windows operating system, you can select either match or does NOT match.

SHA-256 is supported for every application type that supports SHA-1. Prefer SHA-256: SHA-1 is the older algorithm and is no longer considered collision-resistant.

File Version Matches

If the file, service executable, or COM server you enter has a File Version property, then it is automatically extracted and you can choose Check Min Version and/or Check Max Version, and edit the respective version number fields.

Parent Process Matches

This option can be used to check if an application’s parent process matches a specific Application Group. You must create an Application Group for this purpose or specify an existing Application Group in the Parent Process group. Setting Match All Parents in Tree to True traverses the complete parent/child hierarchy for the application, looking for any matching parent process, whereas setting this option to False checks only the application’s direct parent process.
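The difference between checking only the direct parent and setting Match All Parents in Tree to True is easiest to see on a live process tree. The following added example (not BeyondTrust code) walks a process's ancestry through WMI and applies a list of parent image names either to the direct parent or to every ancestor. The "group" is modelled as a plain list of executable names, which is simpler than the product's Application Groups; the functions and names are this example's own.

```powershell
# Added example (not BeyondTrust code): emulate the Parent Process definition.
# -AllParents corresponds to "Match All Parents in Tree = True".
function Get-ProcessAncestry {
    param([Parameter(Mandatory)][int]$ProcessId)

    $all = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $all[[int]$_.ProcessId] = $_ }

    $chain = @()
    $seen  = @{}
    $cur   = $all[$ProcessId]
    while ($cur -and -not $seen.ContainsKey([int]$cur.ProcessId)) {
        $seen[[int]$cur.ProcessId] = $true
        $chain += $cur
        # PID reuse can make ParentProcessId point at a process younger than the child;
        # such a "parent" is not the real one, so the walk stops there
        $parent = $all[[int]$cur.ParentProcessId]
        if ($parent -and $parent.CreationDate -gt $cur.CreationDate) { break }
        $cur = $parent
    }
    $chain   # element 0 is the process itself, element 1 its direct parent, and so on
}

function Test-ParentProcess {
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [Parameter(Mandatory)][string[]]$ParentGroup,   # e.g. 'winword.exe','outlook.exe'
        [switch]$AllParents
    )
    $ancestry = Get-ProcessAncestry -ProcessId $ProcessId | Select-Object -Skip 1
    if (-not $AllParents) { $ancestry = $ancestry | Select-Object -First 1 }   # direct parent only
    foreach ($p in $ancestry) {
        if ($ParentGroup -contains $p.Name) {   # -contains is case-insensitive for strings
            return [pscustomobject]@{ Match = $true; Via = $p.Name; ViaPid = $p.ProcessId }
        }
    }
    [pscustomobject]@{ Match = $false; Via = $null; ViaPid = $null }
}

# Sample: does this PowerShell session descend, at any depth, from an Office application?
Test-ParentProcess -ProcessId $PID -ParentGroup 'winword.exe','excel.exe','outlook.exe' -AllParents
```

The tree walk is what makes "Office spawns cmd.exe spawns powershell.exe" visible: a direct-parent check on the PowerShell process sees only cmd.exe and misses the Office origin, which is exactly the case Match All Parents in Tree is for.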

Product Code Matches

If the file you entered has a Product Code, then it is automatically extracted and you can choose to check this code.

Product Description Matches

If the file you enter has a Product Description property, then it is automatically extracted, and you can choose to match on this property. By default, a substring match is attempted (Contains). Alternatively, you may choose to pattern match based on either a wildcard match (? and *) or a regular expression. The available operators are identical to those for the File or Folder Name definition.

Product Name Matches

If the file, COM server, or service executable you enter has a Product Name property, then it is automatically extracted and you can choose to match on this property. By default, a substring match is attempted (Contains). Alternatively, you may choose to pattern match based on either a wildcard match (? and *) or a regular expression. The available operators are identical to those for the File or Folder Name definition.

Product Version Matches

If the file, COM server, or service executable you entered has a Product Version property, then it is automatically extracted and you can choose Check Min Version and/or Check Max Version and edit the respective version number fields.

Publisher Matches

This option can be used to check for the existence of a valid publisher. If you browse for an application, then the certificate subject name is automatically retrieved, if the application is signed. For Windows system files, the Windows security catalog is searched, and if a match is found, the certificate for the security catalog is retrieved. If a targeted file carries multiple certificates, Endpoint Privilege Management for Windows searches through all of them for a match. Publisher checks are supported on executables, Control Panel applets, installer packages, Windows scripts, and PowerShell scripts. By default, a substring match is attempted (Contains). Alternatively, you may choose to pattern match based on either a wildcard match (? and *) or a regular expression. The available operators are identical to those for the File or Folder Name definition.

Starting in version 23.6, catalog subsystems for publisher matching have been implemented, which allow policies to scale to many hundreds of thousands of application definitions.

For more information, see Setting up and Using Additional Catalog Subsystems for Publisher Matching.

Service Actions Matches

This option allows you to define the actions which are allowed. Choose from:

  • Service Stop: Grants permission to stop the service.
  • Service Start: Grants permission to start the service.
  • Service Pause / Resume: Grants permission to pause and resume the service.
  • Service Configure: Grants permission to edit the properties of the service.

Service Display Name Matches

This option allows you to match the display name of the Windows service, for example, Windows Time (the display name of the W32Time service). Note that the display name is the friendly string shown in the Services console and can differ from the short service name. You may choose to match based on the following options (wildcard characters ? and * may be used):

  • Exact Match
  • Starts With
  • Ends With
  • Contains
  • Regular Expressions

Service Name Matches

This option allows you to match the name of the Windows service, for example, W32Time. You may choose to match based on the following options (wildcard characters ? and * may be used):

  • Exact Match
  • Starts With
  • Ends With
  • Contains
  • Regular Expressions
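Because the Service Name and Service Display Name definitions compare different strings, it helps to see both side by side for the service you are targeting, together with the binary a File or Folder Name definition would need. The function below is an added example, not BeyondTrust code; it queries the service table through WMI and isolates the executable from the (possibly quoted, possibly argument-bearing) service path.

```powershell
# Added example (not BeyondTrust code): show both identifiers a service carries and the
# executable behind it, so each definition on this page can be filled in with the right string.
function Find-ServiceDefinition {
    param([Parameter(Mandatory)][string]$Pattern)   # ? and * wildcards, case-insensitive

    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -like $Pattern -or $_.DisplayName -like $Pattern } |
        ForEach-Object {
            # PathName may be quoted and may carry arguments; isolate the executable.
            # The unquoted branch takes the shortest prefix ending in .exe, which is the
            # only defensible reading of an unquoted path containing spaces.
            $exe = if ($_.PathName -match '^"([^"]+)"')   { $Matches[1] }
                   elseif ($_.PathName -match '^(.+?\.exe)') { $Matches[1] }
                   else { $_.PathName }
            [pscustomobject]@{
                ServiceName = $_.Name          # what "Service Name Matches" compares, e.g. W32Time
                DisplayName = $_.DisplayName   # what "Service Display Name Matches" compares, e.g. Windows Time
                StartName   = $_.StartName     # account the service runs as
                Executable  = [Environment]::ExpandEnvironmentVariables($exe)
            }
        }
}

# The same service reached through either identifier
Find-ServiceDefinition -Pattern 'W32Time'
Find-ServiceDefinition -Pattern 'Windows Time'
```

Services whose Executable sits outside %SystemRoot% or %ProgramFiles% deserve a second look before you grant Service Configure on them: that action lets the user rewrite the service path, which is a direct route to SYSTEM if the rule is broader than intended.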

Source URL Matches

If an application was downloaded using a web browser, this option can be used to check where the application or installer was originally downloaded from. The application is tracked by Endpoint Privilege Management for Windows at the point it is downloaded, so that if a user decides to run the application or installer at a later date, the source URL can still be verified. By default, a substring match is attempted (Contains). Alternatively, you may choose to pattern match based on either a wildcard match (? and *) or a regular expression. The available operators are identical to those for the File or Folder Name definition.

Trusted Ownership Matches

This option can be used to check if an application’s file is owned by a trusted owner (the trusted owner accounts are SYSTEM, Administrators, or Trusted Installer).
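Most of the file-based criteria on this page (File Hash SHA-1 and SHA-256, File Version, Product Name, Product Version, Product Description, Publisher, Source URL and Trusted Ownership) are read from the same binary. The following added example, which is not BeyondTrust code, gathers all of them from one file in a single pass so a definition can be built from authoritative values rather than typed by hand. It assumes Windows PowerShell 5.1 on Windows 8 or later; the mapping of Product Description to the VersionInfo FileDescription string is this example's assumption, and the sample path is a stock system binary.

```powershell
# Added example (not BeyondTrust code): collect the properties the file-based
# application definitions match on, from one executable.
function Get-AppDefinitionFacts {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path
    $vi   = $item.VersionInfo

    # Authenticode first; for system files PowerShell falls back to the security catalog,
    # the same fallback the Publisher definition describes.
    $sig       = Get-AuthenticodeSignature -LiteralPath $Path
    $publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # Trusted Ownership: owner must be one of the three accounts the page lists
    $owner   = (Get-Acl -LiteralPath $Path).Owner
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

    # Source URL / zone: the browser's Zone.Identifier alternate data stream, if present.
    # The product's own BeyondTrust Zone Identifier tag is a separate stream whose name the
    # page does not give, so only the browser's stream is read here.
    $zone = $null
    if (Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
        $zone = @{}
        Get-Content -LiteralPath $Path -Stream Zone.Identifier |
            Where-Object { $_ -match '^(\w+)=(.*)$' } |
            ForEach-Object { $zone[$Matches[1]] = $Matches[2] }
    }

    [pscustomobject]@{
        Path               = $item.FullName
        SHA1               = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
        SHA256             = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        FileVersion        = $vi.FileVersionRaw      # numeric form, what a min/max check compares
        ProductName        = $vi.ProductName
        ProductVersion     = $vi.ProductVersionRaw
        ProductDescription = $vi.FileDescription     # assumed mapping for "Product Description"
        Publisher          = $publisher
        SignatureStatus    = $sig.Status
        SignatureType      = $sig.SignatureType      # Authenticode, Catalog or None
        Owner              = $owner
        TrustedOwner       = $trusted -contains $owner
        ZoneId             = $zone.ZoneId            # 3 = Internet zone
        SourceUrl          = $zone.HostUrl           # written by Chromium-based browsers
        ReferrerUrl        = $zone.ReferrerUrl
    }
}

Get-AppDefinitionFacts -Path "$env:SystemRoot\System32\notepad.exe" | Format-List
```

Two things the output makes concrete: FileVersionRaw is the [version] value a Check Min Version / Check Max Version comparison operates on, whereas the string FileVersion can carry vendor text that does not compare numerically; and TrustedOwner is False for anything the user downloaded into their own profile, which is why Trusted Ownership is a cheap first filter before a hash or publisher check.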

Upgrade Code Matches

If the file you enter has an Upgrade Code, then it is automatically extracted and you can choose to check this code.
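The Product Code and Upgrade Code that the two definitions above extract are rows in the MSI's Property table. The following added example (not BeyondTrust code) reads them, and the product name, version and manufacturer, through the Windows Installer COM automation object, which is available on every Windows installation. The calls are late-bound because the object exposes no type library usable from PowerShell; the sample path is a placeholder for any local .msi.

```powershell
# Added example (not BeyondTrust code): read ProductCode / UpgradeCode and related
# properties from an MSI without installing it.
function Get-MsiProperty {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Name = @('ProductCode', 'UpgradeCode', 'ProductName', 'ProductVersion', 'Manufacturer')
    )
    $full      = (Resolve-Path -LiteralPath $Path).ProviderPath
    $installer = New-Object -ComObject WindowsInstaller.Installer
    # msiOpenDatabaseModeReadOnly = 0
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($full, 0))

    $result = [ordered]@{ Path = $full }
    foreach ($n in $Name) {
        # $n comes from the fixed list above, not from user input, so inlining it is safe here
        $query = "SELECT Value FROM Property WHERE Property='$n'"
        $view  = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($query))
        [void]$view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)
        $record = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        # Fetch returns $null when the property is absent (UpgradeCode is optional in an MSI)
        $result[$n] = if ($record) {
            $record.GetType().InvokeMember('StringData', 'GetProperty', $null, $record, @(1))
        } else { $null }
        [void]$view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null)
    }
    [void][Runtime.InteropServices.Marshal]::ReleaseComObject($db)
    [void][Runtime.InteropServices.Marshal]::ReleaseComObject($installer)
    [pscustomobject]$result
}

# Placeholder path; substitute any .msi on the machine
Get-MsiProperty -Path 'C:\Temp\example.msi'
```

An Upgrade Code is stable across versions of the same product while the Product Code changes with every major version, so a definition keyed on the Upgrade Code survives upgrades where a Product Code definition would not. Neither is a security boundary on its own, since both are plain strings a repackaged MSI can copy; combine them with a Publisher criterion.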

Windows Store Application Version

This option allows you to match the version of the Windows Store application, for example, 16.4.4204.712. You can choose Check Min Version and/or Check Max Version and edit the respective version number fields.

Windows Store Package Name

This option allows you to match the name of the Windows Store Application, for example, microsoft.microsoftskydrive. You can choose to match based on the following options (wildcard characters ? and * may be used):

  • Exact Match
  • Starts With
  • Ends With
  • Contains
  • Regular Expressions

Windows Store Publisher

This option allows you to match the publisher name of the Windows Store Application, for example, Microsoft Corporation. By default, a substring match is attempted (Contains). You can choose to match based on the following options (wildcard characters ? and * may be used):

  • Exact Match
  • Starts With
  • Ends With
  • Contains
  • Regular Expressions

The Browse File and Browse Apps options can only be used if configuring Endpoint Privilege Management for Windows settings from a Windows 8 client.
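The three Windows Store criteria (Package Name, Application Version, Publisher) correspond to fields that Get-AppxPackage reports for installed packages. The added example below (not BeyondTrust code) lists the packages a proposed definition would cover; the operator emulation is an approximation of the product's behaviour, and version bounds are compared as [version] values, which is what a min/max check is meant to do.

```powershell
# Added example (not BeyondTrust code): preview which installed Store packages a
# Windows Store Package Name / Version / Publisher definition would match.
function Find-StorePackage {
    param(
        [string]$NamePattern = '*',     # wildcard match on the package Name, e.g. 'Microsoft.*'
        [string]$PublisherContains,     # substring of the Publisher DN, e.g. 'Microsoft Corporation'
        [version]$MinVersion,
        [version]$MaxVersion
    )
    Get-AppxPackage | Where-Object {
        $_.Name -like $NamePattern -and
        (-not $PublisherContains -or $_.Publisher -like "*$PublisherContains*") -and
        (-not $MinVersion -or [version]$_.Version -ge $MinVersion) -and
        (-not $MaxVersion -or [version]$_.Version -le $MaxVersion)
    } | Select-Object Name, Version, Publisher, PackageFullName
}

# The Publisher property is an X.500 name such as
# "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
# which is why a Contains match on "Microsoft Corporation" is the natural operator.
Find-StorePackage -NamePattern 'Microsoft.*' -PublisherContains 'Microsoft Corporation' -MinVersion '10.0'
```

Run without elevation the cmdlet lists only the current user's packages; add -AllUsers from an elevated session to see every installed package on the device. Because the Publisher string is taken from the package's signing certificate rather than from the manifest's display text, a Contains match on the CN component is harder to spoof than a match on the package name.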

Advanced Options

Allow child processes will match this application definition

If this box is checked, then any child processes that are launched from this application (or its children) also match this rule. The rules are still processed in order, so it is still possible for a child process to match a higher precedence rule (or Workstyle) first; what this option prevents is a child process matching a lower precedence rule.

If an application is launched by an On-Demand Rule and this option is selected, then its children are processed against the On-Demand Rules, not the Application Rules. If the option is not selected, the children are processed against the Application Rules in the normal way.

You can further refine this option by restricting the child processes to a specific Application Group. The default is to match <Any Application>, which matches any child process.

If you want to exclude specific processes from matching this rule, then click …match… to toggle the rule to …does not match….

Child processes are evaluated in the context that the parent executed. For example, if the parent executed through on-demand shell elevation, then Endpoint Privilege Management for Windows first attempts to match On-Demand Application Rules for any children of the executed application.

Force standard user rights on File Open/Save common dialogs

If the application allows a user to open or save files using the common Windows Open or Save dialog box, then selecting this option ensures the user does not have admin privileges within these dialog boxes. These dialog boxes have Explorer-like features, and allow a user to rename, delete, or overwrite files. If an application is running with elevated rights and this option is disabled, the Open/Save dialog boxes allow a user to replace protected system files.

Where present, this option is selected by default to ensure Endpoint Privilege Management for Windows forces these dialog boxes to run with the user’s standard rights, to prevent the user from tampering with protected system files.

When enabled, this option also prevents processes launched from within these dialog boxes from inheriting the rights of an elevated application.

Environment Variables

Endpoint Privilege Management for Windows supports the use of the following environment variables in file path and command line application definitions:

System Variables

  • %ALLUSERSPROFILE%
  • %COMMONPROGRAMFILES(x86)%
  • %COMMONPROGRAMFILES%
  • %PROGRAMDATA%
  • %PROGRAMFILES(x86)%
  • %PROGRAMFILES%
  • %SYSTEMROOT%
  • %SYSTEMDRIVE%

User Variables

  • %APPDATA%
  • %USERPROFILE%
  • %HOMEPATH%
  • %HOMESHARE%
  • %LOCALAPPDATA%
  • %LOGONSERVER%
To use any of the environment variables above, enter the variable, including the % characters, into a file path or command line. Endpoint Privilege Management for Windows expands the environment variable prior to attempting a file path or command line match.