Granular Child Process Evaluation

Operating system support: Windows only
The ESM Console now provides more granular settings to determine which processes are permitted to run child processes on your endpoints. When you configure the child process malware protection module, you can now allow specific parent processes to launch child processes and optionally configure execution criteria. This can be helpful if your organization uses applications in a way where Traps could identify them as malicious. For example, if you need to run script engines from an intranet website running Internet Explorer, you can whitelist the specific use while still protecting Internet Explorer from malicious script engines.
  1. Configure a new malware protection rule.
    When you configure the rule behavior, determine how you want Traps to evaluate child processes initiated by the parent process:
    • Child Process List—To allow or block child processes without evaluating command-line arguments, add one or more processes to the Child Process List (one per line). Traps whitelists or blacklists these processes according to the Behavior you selected in the previous step. If you select Restricted Process behavior, Traps adds any child processes you specify to the blacklist which is defined in the content update of your security policy.
      To block or allow a source process to run all child processes, select Single Process, and leave both fields blank.
    • Single Process—To evaluate the command-line parameters of a single child process, enter the child process path (full or partial) and the parameters. If you specify only the process name, Traps evaluates the process run from any path. For example, if you specify cscript.exe with the parameter C:\myorg\myorgscript.bat and a Behavior of Restricted Processes, the parent process (which you define on the Processes tab) will not be allowed to run the child process (in this example, cscript.exe) with the defined parameter. When you have multiple rules for the same parent and child process, Traps merges the command-line parameters for all user and default policy rules.
    These options also support the same environment variables and wildcards that you can use in restriction rules. For example, to configure a rule for iexplorer.exe which blocks that process from launching SCR files from the temp folder, you can use environment variables and wildcards to specify %temp%\*.scr. For more information about using environment variables and wildcards, see Wildcards and Environment Variables in Policy Rules.
  2. Save the malware protection rule.

Related Documentation