Granular Child Process Evaluation

Operating system support: Windows only
The ESM Console now provides more granular settings to determine which processes are permitted to run child processes on your endpoints. When you configure the child process malware protection module, you can now allow specific parent processes to launch child processes and optionally configure execution criteria. This can be helpful if your organization uses applications in a way that Traps could identify as malicious. For example, if you need to run script engines from an intranet website running in Internet Explorer, you can whitelist that specific use while still protecting Internet Explorer from malicious script engines.
  1. When you configure the rule behavior, determine how you want Traps to evaluate child processes initiated by the parent process:
    • Child Process List: To allow or block child processes without evaluating command-line arguments, add one or more processes to the Child Process List (one per line). Traps whitelists or blacklists these processes according to the Behavior you selected in the previous step. If you select Restricted Process behavior, Traps adds any child processes you specify to the blacklist which is defined in the content update of your security policy. To block or allow a source process to run all child processes, select Single Process, and leave both fields blank.
    • Single Process: To evaluate the command-line parameters of a single child process, enter the child process path (full or partial) and the parameters. If you specify only the process name, Traps evaluates the process run from any path. For example, if you specify cscript.exe with the parameter C:\myorg\myorgscript.bat and a Behavior of Restricted Processes, the parent process (which you define on the Processes tab) will not be allowed to run the child process (in this example, cscript.exe) with the defined parameter. When you have multiple rules for the same parent and child process, Traps merges the command-line parameters for all user and default policy rules.
    These options also support the same environment variables and wildcards that you can use in restriction rules. For example, to configure a rule for iexplorer.exe which blocks that process from launching SCR files from the temp folder, you can use environment variables and wildcards to specify %temp%\*.scr. For more information about using environment variables and wildcards, see Wildcards and Environment Variables in Policy Rules.
  2. Save the malware protection rule.
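
Before saving a rule, it can help to dry-run a Single Process entry against child launches you expect to see. The following is an added example, not Traps or ESM Console code: it models the matching described above under stated assumptions (case-insensitive comparison, a partial path matching the tail of the child path, parameters matching the whole argument string). The function names, the environment and the sample launches are constructed for illustration.

```python
import fnmatch
import ntpath
import re

def expand_env(pattern, env):
    """Expand %NAME% from a supplied mapping; names compare case-insensitively."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)), pattern)

def wildcard_match(value, pattern):
    """Case-insensitive '*' and '?' matching, as Windows paths compare."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def child_matches(rule_process, rule_params, child_path, child_args, env):
    """True when a Single Process entry covers this child launch (assumed model)."""
    if not rule_process and not rule_params:
        return True  # both fields blank: the entry covers every child process
    if rule_process:
        proc = expand_env(rule_process, env)
        if "\\" in proc:
            # Full or partial path: assumed to match the tail of the child path.
            if not wildcard_match(child_path, "*" + proc):
                return False
        elif not wildcard_match(ntpath.basename(child_path), proc):
            return False  # name only: compared against the file name, any folder
    if rule_params:
        # Assumption: the parameters must match the whole argument string.
        return wildcard_match(child_args, expand_env(rule_params, env))
    return True

# Constructed sample data: environment and child launches, not real telemetry.
ENV = {"TEMP": r"C:\Users\alice\AppData\Local\Temp"}
LAUNCHES = [
    (r"C:\Windows\System32\cscript.exe", r"C:\myorg\myorgscript.bat"),
    (r"C:\Windows\SysWOW64\cscript.exe", r"C:\myorg\myorgscript.bat"),
    (r"C:\Windows\System32\cscript.exe", r"C:\myorg\other.vbs"),
    (r"C:\Users\alice\AppData\Local\Temp\invoice.scr", ""),
    (r"C:\Windows\System32\scrnsave.scr", ""),
]

def covered(rule_process, rule_params):
    """Indexes of LAUNCHES that the entry would cover."""
    return [i for i, (path, args) in enumerate(LAUNCHES)
            if child_matches(rule_process, rule_params, path, args, ENV)]

if __name__ == "__main__":
    print(covered("cscript.exe", r"C:\myorg\myorgscript.bat"))
    print(covered(r"%temp%\*.scr", ""))
```

Because `*` in this model also matches path separators, the `%temp%\*.scr` entry covers SCR files in subfolders of the temp folder as well; confirm the behavior of the real product against Wildcards and Environment Variables in Policy Rules.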
