
Granular Child Process Evaluation


Operating system support: Windows only
The ESM Console now provides more granular settings to determine which processes are permitted to run child processes on your endpoints. When you configure the child process malware protection module, you can now allow specific parent processes to launch child processes and optionally configure execution criteria. This can be helpful if your organization uses applications in a way that Traps could identify as malicious. For example, if you need to run script engines from an intranet website running in Internet Explorer, you can whitelist that specific use while still protecting Internet Explorer from malicious script engines.
  1. Configure a new malware protection rule.
    When you configure the rule behavior, determine how you want Traps to evaluate child processes initiated by the parent process:
    • Child Process List—To allow or block child processes without evaluating command-line arguments, add one or more processes to the Child Process List (one per line). Traps whitelists or blacklists these processes according to the Behavior you selected in the previous step. If you select Restricted Process behavior, Traps adds any child processes you specify to the blacklist that is defined in the content update of your security policy.
      To block or allow a source process to run all child processes, select Single Process, and leave both fields blank.
    • Single Process—To evaluate the command-line parameters of a single child process, enter the child process path (full or partial) and the parameters. If you specify only the process name, Traps evaluates the process run from any path. For example, if you specify cscript.exe with the parameter C:\myorg\myorgscript.bat and a Behavior of Restricted Processes, the parent process (which you define on the Processes tab) will not be allowed to run the child process (in this example, cscript.exe) with the defined parameter. When you have multiple rules for the same parent and child process, Traps merges the command-line parameters for all user and default policy rules.
    These options also support the same environment variables and wildcards that you can use in restriction rules. For example, to configure a rule for iexplore.exe that blocks that process from launching SCR files from the temp folder, you can use environment variables and wildcards to specify %temp%\*.scr. For more information about using environment variables and wildcards, see Wildcards and Environment Variables in Policy Rules.
  2. Save the malware protection rule.
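
Before saving a rule, it can help to dry-run the draft against process-creation events you already collect. The following is an added example, not Traps or ESM Console code: it is a simplified model of the matching described above, and it assumes case-insensitive matching, `*` as the only wildcard, parameters matching anywhere in the command line, and first-match-wins. The events, the `%temp%` value, the behavior label and the parent of the cscript.exe rule are constructed.

```python
import fnmatch
import re

ENV = {"temp": r"C:\Users\alice\AppData\Local\Temp"}  # constructed value

def expand(pattern):
    """Expand %VAR% references (unknown ones stay as written), lower-cased."""
    return re.sub(r"%([^%]+)%",
                  lambda m: ENV.get(m.group(1).lower(), m.group(0)), pattern).lower()

def path_matches(rule_path, image):
    # Blank = any process; a bare name matches from any folder; a partial path
    # is assumed to match the tail of the image path. '*' also spans '\'.
    if not rule_path:
        return True
    pat, image = expand(rule_path), image.lower()
    return fnmatch.fnmatchcase(image, pat) or fnmatch.fnmatchcase(image, "*\\" + pat)

def params_match(rule_params, cmdline):
    # Blank parameters become the pattern '**', which matches any command line.
    return fnmatch.fnmatchcase(cmdline.lower(), "*" + expand(rule_params) + "*")

def verdict(rules, event):
    """Behavior of the first rule that applies to the event, else None."""
    parent_image, child_image, cmdline = event
    for parent, child, params, behavior in rules:
        if (path_matches(parent, parent_image) and path_matches(child, child_image)
                and params_match(params, cmdline)):
            return behavior
    return None

# Draft rules (parent, child, parameters, behavior) after the text's two examples.
RULES = [
    ("iexplore.exe", r"%temp%\*.scr", "", "restricted"),
    ("iexplore.exe", "cscript.exe", r"C:\myorg\myorgscript.bat", "restricted"),  # parent assumed
]
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
CSCRIPT = r"C:\Windows\System32\cscript.exe"
# Constructed process-creation events: (parent image, child image, command line).
EVENTS = [
    (IE, ENV["temp"] + r"\invoice.scr", "invoice.scr /S"),
    (IE, CSCRIPT, r"cscript.exe C:\myorg\myorgscript.bat"),
    (IE, CSCRIPT, r"cscript.exe C:\intranet\report.vbs"),
    (r"C:\Windows\explorer.exe", CSCRIPT, r"cscript.exe C:\myorg\myorgscript.bat"),
]

def dry_run():
    return [verdict(RULES, e) for e in EVENTS]
```

Events that return `None` are not covered by the draft rules, which is the quickest way to spot a pattern that is narrower or broader than intended.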