Creating application identifiers

Application identifiers, or application IDs, help to define which audit and protection rules apply to which applications, i.e.:

  • Applications to protect or to exclude from a protection,
  • Applications likely to interact with a protected application, for both legitimate or illegitimate purposes.

Since IDs are specific to each rule set, you must create IDs in each set. You can however export all the IDs of a rule set to import and use them in another set. For more information, refer to the section Importing and exporting identifiers.

EXAMPLE
If you want to prevent all applications from logging keystrokes on your web browser, except the virtualization tool, which has a legitimate need to log keystrokes. In this case, you need to create an application ID for the application you want to protect (web browser), and an ID for the legitimate keylogging application (virtualization tool).

Application IDs are necessary when you create rule sets, and must be created beforehand.

  1. Select a policy in Security > Policies, then select a set of rules.
  2. Click on the Identifiers tab at the top right, then on the Application IDs tab.
  3. Click on Edit in the upper banner, then on Add an ID.
    A blank ID appears below the existing IDs.
  4. Click on Edit at the bottom right.
  5. In the field New application ID, enter an ID name, then a description if needed.
  6. Click on + Icon and select all the identifier criteria you wish to use. E.g. Path and Certificate.
  7. Click outside the criteria window and define each ID criterion selected:

     

    Specifying more criteria will more accurately identify the application because all criteria must match.

    EXAMPLE
    By specifying the application PowerShell.exe signed by Microsoft, launched by the scheduled task schtasks.exe, running from the local disk via the account NT_AUTHORITY\System, all five criteria must match for the application to be identified.

       
  1. Click on Add an entry if you want to add another list of criteria for the same ID. Having several entries makes it possible to group various resources under the same ID, if the same security rules use them. For example, you can group various browsers together, or group various dangerous applications to set up a blacklist.
  2. Enable the option Include child applications of the applications identified below so that when a rule is applied to an ID, it will also apply to all of its child applications. This option helps to identify installation programs that are extracted into a temporary folder and run executable files that have random names. By declaring the installation program a legitimate program, all the temporary files that it creates and launches will also be considered legitimate.
  3. Click on OK.
  4. If you have finished creating application identifiers, click on Save in the upper banner.
  5. To show the contents of an application identifier without editing it, click on View.

TIP
Application identifiers can also be created directly from a rule. In a rule, click on Plus button, then on Create a new identifier.
Likewise, from a rule, you can click on a selected identifier to modify it. Changes will also apply to the identifier in the Identifiers tab.