How to Create and Apply a Hash Rule

The ZeroLock® Management Console (ZMC) provides two (2) methods with which to create Hash rules and apply them in policies.

    One of the most challenging tasks in system administration is restricting the usage of specific applications. Using the ZMC, hash rules may be created through Alerts or Policy Rules. Either method lets you allow or block applications or executables and then apply the restrictions to endpoints.

    Hash Rule Creation via Alerts

    1. On the ZeroLock Management Console (ZMC), go to Alerts and select an alert you want to create a hash rule for.

    2. Double-click the selected alert to open the Alert Detail screen, then select Processes.  The Tree view is the default.

    3. From this point, there are two (2) ways to add a new hash rule.
      • TREE View - In this view (see above), click on a red process box, which brings up the following screen.  

        Clicking the BLOCK button brings up the CREATE RULE screen.

        Selecting CREATE RULE at the bottom of the screen adds the rule to all existing policies and returns you to the PROCESS INFORMATION screen above. Click CLOSE to return to the individual alert screen in Step 2.

      • LIST View -  This method accomplishes the same as the Tree view, displaying similar information. Select the List View under the PROCESSES tab, then select BLOCK to create a Hash rule for that process. 

        Clicking the BLOCK button opens the same CREATE RULE screen as under Tree View, showing it has been created.

        Selecting the CREATE RULE button creates the rule and returns you to the individual alert page.

    4. Another way to verify a rule creation is to go to Control Policies | Policies and click the Default Policy. The rule you created is in the Details section under HASH Rules.

    You have successfully created a Hash rule via the Alerts method.



    Hash Rule Creation via Policy Rules


    1. To create a Hash rule, first navigate to the Control Policies | Rules page. 

    2. On the Rules page, click the Actions drop-down menu and select Add New Rule.

    3. On the New Policy Rule pop-up, the Rule Type defaults to SSH-MFA rules. Select HASH from the drop-down menu.
        
    4. Using the variety of features offered for this Rule Type, create a rule that fits the exact File access control action you want ZeroLock Hash to monitor.

      Each field of the Hash Rule screen is described below:

      • Name (1) - The name of the rule as it will appear on your Rules page, as well as when adding it to a policy.
      • Description (2) - The description of the rule as it will appear on your Rules page and when adding it to a policy; useful for explaining the purpose of the rule.
      • Rule Type (3) - Selects what type of rule to create (SSH-MFA, Hash, Canary, File Access, Network Access, or Program Execution). This can only be changed during initial rule creation. Once the rule is created, this field cannot be edited.
      • SHA-256 Hash (4) - Enter only the exact SHA-256 hash that the rule will either block or allow.
      • Action (5) - Designates whether to block or allow the specified hash.


    5. Once the Hash Rule is properly configured, click the Create button at the bottom of the New Policy Rule pop-up menu.
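
One way to obtain the value for the SHA-256 Hash field, shown as an added example that is not part of the ZeroLock product or its documentation: the script hashes an executable and reduces pasted tool output to the bare 64-character digest. The function names and the accepted input formats (`sha256sum`-style output, an optional `sha256:` prefix) are assumptions of this example.

```python
import hashlib
import re

SHA256_RE = re.compile(r"[0-9a-f]{64}")


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries are never fully loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_field_value(pasted):
    """Reduce pasted text to the bare 64-character digest, or raise ValueError."""
    parts = pasted.split()
    if not parts:
        raise ValueError("no digest supplied")
    token = parts[0].lower()  # sha256sum prints "<digest>  <filename>"
    if token.startswith("sha256:"):  # some tools prefix the algorithm name
        token = token[len("sha256:"):]
    if not SHA256_RE.fullmatch(token):
        # Catches MD5 (32 chars), SHA-1 (40 chars) and truncated or mistyped digests
        raise ValueError(f"not a SHA-256 digest ({len(token)} chars): {token!r}")
    return token


if __name__ == "__main__":
    import sys
    # Usage: python3 hash_field.py /path/to/executable
    print(hash_field_value(sha256_of_file(sys.argv[1])))
```

A SHA-256 digest identifies one exact file content, so an updated or rebuilt version of the same application has a different digest and needs its own rule.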


    Applying the Hash Rule to a Policy

    1. Before implementing a rule on an endpoint, it must first be applied to a policy. Navigate to the Control Policies | Policies page.  Then select the Add New Policy button.

    2. On the New Policy pop-up menu, give your new policy a name and description. There is one default SSH-MFA rule in place for any new policy, which creates an alert when an SSH connection is established. Other than an alert, no action is taken by this rule. This rule can be left in place or deleted from the new policy based on your preferred configuration.

      To add the new Hash rule, click the Add Rules button.

    3. On the Policy Rules menu, select any rules you want to add to the new policy. When all are selected, hit the Add Selected button at the bottom.
       
    4. When all preferred rules have been added to the policy, you can configure the order in which lockdown rules are evaluated. Lockdown rules (File Access, Network Access, and Program Execution rules) are evaluated top-to-bottom, with rules at the top resolving actions before moving to rules down the chain.

      Like a firewall, if an action matches a lockdown rule at the top of the list, it will take the actions specified for that rule and stop evaluating any rules below it. If it does not match, it will pass to the next rule in line until it finds a match. If no rules match, then the action is allowed.

    5. The newly created Hash policy will appear on the Policies page.
    6. To apply a policy to an endpoint, the policy must first be applied to an Endpoint Profile. Navigate to the Manage Endpoints | Endpoint Profiles page. Once there, select Add New Profile.


    7. On the New Configuration Profile pop-up menu, you can configure exactly what actions ZeroLock will take for each protection engine. Here, settings can be fine-tuned for Ransomware, Cryptojacking, and Tampering protection, as well as settings for all Hash Rules set to deny based on a SHA-256 hash.

      Enter a name and description, navigate to the Default Control Policy, and, from the drop-down menu, select the preferred policy. Only one policy may be applied to a Configuration Profile at a time. When finished, select the Create button at the bottom of the menu.



    8. Once a Configuration Profile has been created, it must be applied to an endpoint so the settings can take effect. Navigate to the Endpoints page.
       
    9. On the Endpoints page, select the endpoint, or multiple endpoints, to apply the new configuration profile to. Then, click the Actions drop-down menu and select Set Endpoint Config.

    10. On the Set Endpoint Configs pop-up menu, select the created configuration profile from the drop-down menu, then select the Set Configs button.

    11. On the Endpoints page, you can see that the profile has been applied to an endpoint.


      You have successfully created and applied a Hash rule to an endpoint.
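
The lockdown rule ordering described in step 4 above (first match wins, no match means allow), modelled as an added example that is not ZeroLock code: it shows how a broad rule placed above a narrower one keeps the narrower rule from ever deciding an action. The rule fields, the glob-style matcher, and the sample paths are hypothetical and constructed for this illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class LockdownRule:
    name: str
    kind: str     # "file_access", "network_access" or "program_execution"
    pattern: str  # hypothetical matcher: a glob over the action's target
    action: str   # "allow" or "block"


def evaluate(rules, kind, target):
    """Return (action, deciding rule name); first match wins, no match allows."""
    for rule in rules:
        if rule.kind == kind and fnmatchcase(target, rule.pattern):
            return rule.action, rule.name
    return "allow", None


def never_deciding(rules, events):
    """Names of rules that decide none of the sample events in this order."""
    deciding = {evaluate(rules, kind, target)[1] for kind, target in events}
    return [rule.name for rule in rules if rule.name not in deciding]


# Constructed sample policy: the same two rules in two different orders
BROAD_FIRST = [
    LockdownRule("allow-opt", "program_execution", "/opt/*", "allow"),
    LockdownRule("block-opt-tmp", "program_execution", "/opt/tmp/*", "block"),
]
SPECIFIC_FIRST = [BROAD_FIRST[1], BROAD_FIRST[0]]

# Constructed sample events used to review an ordering before applying it
EVENTS = [
    ("program_execution", "/opt/app/bin/server"),
    ("program_execution", "/opt/tmp/unpacked.bin"),
    ("program_execution", "/usr/bin/ls"),
]

if __name__ == "__main__":
    for label, rules in (("broad first", BROAD_FIRST), ("specific first", SPECIFIC_FIRST)):
        print(label, [evaluate(rules, k, t) for k, t in EVENTS], never_deciding(rules, EVENTS))
```

With the broad allow rule on top, the block rule is reported as never deciding; moving it above the allow rule makes it take effect.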