Define Activation Conditions for a Rule
Use the following workflow to create a new activation condition for a rule.
- Select SettingsConditions. The Conditions page displays the unique ID number, Name, Description, and Path (if applicable) for each condition.
- Add a new condition.
- Enter the Name and Description of the condition.
- Configure the type of condition to match the path of
a specific executable file, to match a specific version or range
of versions for a specific executable file, or to match a specific
The Version value must follow the standard Windows version convention and be no longer than four segments long (for example, 18.104.22.168). To match versions longer than four segments long, use Regex.
- To match a specific executable file (or to match a specific version of an executable file), specify the full Path of an executable file that exists on the endpoint. Optionally, you can use system variables in the path. For example, specify %windir%\system32\calc.exe to apply the rule if the calculator executable file is run from this location.
- If you specified an executable file in the Path field, you can also set a match condition for a Version or range of versions of that executable file. If you specify a Version value, Traps will only apply the rule if the executable is run from the location specified in the Path field and also matches the Version value. By default, the condition matches any version of the file. To narrow the number of versions, select one of the following Version Comparison options and then enter a Version number.
(Refer to Microsoft’s Regular Expression Language Quick Reference at https://msdn.microsoft.com/en-us/library/az24scfc(v=vs.100).aspx).For example, to match any version of 3.1.x including 3.1, use the following regular expression: 3\.1(\.[0-9]+)?To match only versions 3.1.0-3.1.9 use:3\.1\.[0-9]To match only version 3.2 and 3.4, use: 3\.
- Equal—Match an exact version.
- Greater—Match any version that is equal to or greater than the specified version.
- Lesser—Match any version that is equal to or lesser than the specified version.
- Between—Match any version inclusive of and between two values. For example, to set a condition that matches Internet Explorer versions between and including versions 8 and 9, enter C:\Program Files\Internet Explorer\iexplore.exe in the Path field, select Version Comparison: Between, and enter 8 and 9 in the Version fields.
- Regex—Match a version using .NET Framework 4 regular expressions.
You cannot specify CurrentUser registry paths because Traps runs as the local system.Traps will only apply the rule if the endpoint contains the specified path in its registry. You can also configure a specific registry Key or Data value (String and DWord only) as a match condition.For example, to apply a rule on endpoints that have IPv6 enabled, configure a condition that matches the following registry settings:
- Specify a full Registry Path for a registry entry, beginning with one of the following: LocalMachine, ClassesRoot, Users, PerformanceData, CurrentConfig, or DynData.
- Registry Path: LocalMachine\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\EnableICSIPv6
- Key: DisabledComponents
- Data: 0
- Save the condition.You can use the condition as a match criteria to either include or exclude endpoints from receiving a rule. See Include or Exclude Endpoints Using Conditions.
Conditions Rule activation conditions are conditions that the endpoint must fulfill to apply that rule on the endpoint. For each condition, you can specify either ...
Policy Enforcement Traps evaluates rules based on the type of policy associated with the rule. Exploit protection, malware protection, and restriction rules are evaluated only ...
Restriction Rules A restriction rule limits the surface of an attack by defining where and how your users can run executable files. The following table ...
Block Execution from Network Folders
Block Execution from Network Folders To prevent attack scenarios that are based on writing malicious executable files to remote folders, you can create a restriction ...
Block Execution from Local Folders
Block Execution from Local Folders Many attack scenarios are based on writing malicious executable files in common local folders, such as temp and download, and ...
Search Endpoints for a File, Folder, or Registry Key
Search Endpoints for a File, Folder, or Registry Key To perform a centralized search for a system file, folder, or registry key, use the Agent ...
Configure a WildFire Rule
Configure a WildFire Rule WildFire rules determine how Traps detects and responds to malware on your endpoints. You can create or edit WildFire rules on ...
Create an Exploit Protection Rule
Create an Exploit Protection Rule An exploit protection rule uses Exploit Protection Modules (EPMs) to protect processes in your organization from specific exploitation techniques. Create ...
Define Java Restrictions and Exemptions
Define Java Restrictions and Exemptions A common entry point for malicious code is through Java processes that are imported from a remote host and run ...