Define Activation Conditions for a Rule on Windows Endpoints
Use the following workflow to create a new activation condition for a rule on Windows endpoints.
- Select SettingsConditionsWindows. The Conditions page displays the Name, Description, and Path (if applicable) for each condition.
- Click the action menu and then Add a new condition.
- Enter a Name and Description to identify the condition.
- Select the type of condition, either Path to
match on the path of a specific executable file and optionally on
a specific version or range of versions for the executable file,
or Registry to match a specific registry key:
- To match a specific executable file (or to match a specific version of an executable file), specify the full Path of an executable file that exists on the endpoint. Optionally, you can use system variables in the path. For example, specify %windir%\system32\calc.exe to apply the rule if the calculator executable file is run from this location.
- If you specified an executable file in the Path field, you can also set a match condition for a file Version (as displayed in the file properties) or range of versions of that executable file. If you specify a Version value, Traps will only apply the rule if the executable is run from the location specified in the Path field and also matches the Version value. By default, the condition matches any version of the file. To narrow the number of versions, select one of the following Version Comparison options and then enter a Version number.When you configure a condition to match a Version, Traps evaluates the version value stored in the file properties. Because this number may be different than the published version number, we recommend that you verify the version number in the file properties before creating your condition.The Version must follow the standard Windows version convention and be no longer than four segments long (for example, 18.104.22.168). To match versions longer than four segments long, use Regex.
- Equal—Match an exact version.
- Greater—Match any version that is equal to or greater than the specified version.
- Lesser—Match any version that is equal to or lesser than the specified version.
- Between—Match any version inclusive of and between two values. For example, to set a condition that matches Internet Explorer versions between and including versions 8 and 9, enter C:\Program Files\Internet Explorer\iexplore.exe in the Path field, select Version Comparison: Between, and enter 8 and 9 in the Version fields.
- Regex—Match a version using .NET Framework 4 regular expressions.(Refer to Microsoft’s Regular Expression Language Quick Reference at https://msdn.microsoft.com/en-us/library/az24scfc(v=vs.100).aspx).For example, to match any version of 3.1.x including 3.1, use the following regular expression: 3\.1(\.[0-9]+)?To match only versions 3.1.0-3.1.9 use:3\.1\.[0-9]To match only version 3.2 and 3.4, use: 3\.
- Specify a full Registry Path for a registry entry, beginning with one of the following: LocalMachine, ClassesRoot, Users, PerformanceData, CurrentConfig, or DynData.You cannot specify CurrentUser registry paths because Traps runs as the local system.Traps will only apply the rule if the endpoint contains the specified path in its registry. You can also configure a specific registry Key or Data value (String and DWord only) as a match condition.For example, to apply a rule on endpoints that have IPv6 enabled, configure a condition that matches the following registry settings:
- Registry Path: LocalMachine\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\EnableICSIPv6
- Key: DisabledComponents
- Data: 0
- Save the condition.You can use the condition as a match criteria to either include or exclude endpoints from receiving a rule. See Include or Exclude Endpoints Using Conditions.
Conditions A condition is an identifying characteristic on the endpoint which you can define to apply or exclude a rule on an endpoint. For Windows ...
Block Execution from Local Folders
Block Execution from Local and Network Folders Many attack scenarios are based on writing malicious executable files in remote folders and common local folders—such as ...
Whitelist a Network Folder
Whitelist a Network Folder To prevent attack scenarios that are based on writing malicious executable files to remote folders, you can create a restriction rule ...
Search Endpoints for a File, Folder, or Registry Key
Search Endpoints for a File, Folder, or Registry Key To perform a centralized search for a system file, folder, or registry key on a Windows ...
Define Activation Condition for a Rule on Mac Endpoints
Define Activation Conditions for a Rule on Mac Endpoints For each condition, you can specify either an bundle directory path or a bundle ID that ...
Issues Addressed in Traps Endpoint Security Manager 4.1.2
Issues Addressed in Traps Endpoint Security Manager 4.1.2 The following table lists the issues that are addressed in the Traps Endpoint Security Manager 4.1.2 release. ...
Policy Enforcement When you configure security policy rules, Traps merges all configured rules into an effective policy that is evaluated for each endpoint. To determine ...
Add a New Restriction Rule
Add a New Restriction Rule Create a new restriction rule to define limitations on where and how executable files run on endpoints. Configure a new ...
Configure a WildFire Rule
Configure a WildFire Rule WildFire rules determine how Traps detects and responds to malware on your endpoints. You can create or edit WildFire rules on ...