The ZeroLock® Management Console (ZMC) provides two (2) methods with which to create Hash rules and apply them in policies.
One of the most challenging tasks in system administration is restricting the usage of specific applications. Using the ZMC, hash rules may be created through Alerts or Policy Rules. Either method lets you allow or block applications or executables and then apply the restrictions to endpoints.
Hash Rule Creation via Alerts
- On the ZeroLock Management Console (ZMC), go to Alerts and select an alert you want to create a hash rule for.
- Double-click the selected alert to open the Alert Detail screen, then select Processes. The Tree view is the default.
- From this point, there are two (2) ways to add a new hash rule.
  - TREE View - In this view (see above), click on a red process box, which brings up the following screen.
    Clicking the BLOCK button brings up the CREATE RULE screen.
    Selecting CREATE RULE at the bottom of the screen adds the rule to all existing policies and returns you to the PROCESS INFORMATION screen above. Click CLOSE to return to the individual alert screen in Step 2.
  - LIST View - This method accomplishes the same as the Tree view, displaying similar information. Select the List View under the PROCESSES tab, then select BLOCK to create a Hash rule for that process.
    Clicking the BLOCK button opens the same CREATE RULE screen as under Tree View, showing it has been created.
    Selecting the CREATE RULE button creates the rule and returns you to the individual alert page.

You have successfully created a Hash rule via the Alerts method.
Hash Rule Creation via Policy Rules
- To create a Hash rule, first navigate to the Control Policies | Rules page.
- On the Rules page, click the Actions drop-down menu and select Add New Rule.
- On the New Policy Rule pop-up, the Rule Type defaults to SSH-MFA rules. Select HASH from the drop-down menu.
- Using the variety of features offered for this Rule Type, create a rule that fits the exact File access control action you want ZeroLock Hash to monitor.
Each field of the Hash Rule screen is described below:
| Field | No. | Description |
|---|---|---|
| Name | 1 | The name of the rule as it will appear on your Rules page, as well as when adding to a policy. |
| Description | 2 | The description of the rule as it will appear on your Rules page, as well as when adding to a policy. Useful for explaining the purpose of the rule. |
| Rule Type | 3 | Selects what type of rule to create (SSH-MFA, Hash, Canary, File Access, Network Access, or Program Execution). This can only be changed during initial rule creation. Once the rule is created, this field cannot be edited. |
| SHA-256 Hash | 4 | Place only the exact SHA-256 hash in this field that the rule will either block or allow. |
| Action | 5 | Designate whether to block or allow the specified hash. |

- Once the Hash Rule is properly configured, click the Create button at the bottom of the New Policy Rule pop-up menu.
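An added example (not ZeroLock code) of obtaining and sanity-checking the value for the SHA-256 Hash field before creating the rule. The function names and the sample file contents are constructed for illustration; the demo also shows that a one-byte change to a binary yields a different hash, so a rule written for one build does not cover another.

```python
import hashlib
import re
import tempfile
from pathlib import Path

SHA256_HEX = re.compile(r"[0-9a-f]{64}")

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large binaries are hashed without loading them whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def normalize_sha256(value):
    """Return only the bare digest from pasted text, or raise ValueError."""
    tokens = value.split()          # drops the filename that sha256sum appends
    if not tokens:
        raise ValueError("empty value")
    candidate = tokens[0].lower()   # lowercase form, as sha256sum and hashlib print it
    if not SHA256_HEX.fullmatch(candidate):
        # 32 hex chars is MD5 and 40 is SHA-1; neither is a SHA-256 digest
        raise ValueError(f"not a SHA-256 digest ({len(candidate)} characters)")
    return candidate

def demo():
    """Hash two constructed files that differ by a single byte."""
    with tempfile.TemporaryDirectory() as tmp:
        build_a = Path(tmp, "tool-build-a")
        build_b = Path(tmp, "tool-build-b")
        build_a.write_bytes(b"\x7fELF constructed sample payload A")
        build_b.write_bytes(b"\x7fELF constructed sample payload B")
        return sha256_file(build_a), sha256_file(build_b)

if __name__ == "__main__":
    hash_a, hash_b = demo()
    print("value for the SHA-256 Hash field:", normalize_sha256(f"{hash_a}  tool-build-a"))
    print("same hash for the other build:", hash_a == hash_b)
```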

Applying the Hash Rule to a Policy
- Before implementing a rule on an endpoint, it must first be applied to a policy. Navigate to the Control Policies | Policies page. Then select the Add New Policy button.
- On the New Policy pop-up menu, give your new policy a name and description. There is one default SSH-MFA rule in place for any new policy, which creates an alert when an SSH connection is established. Other than an alert, no action is taken by this rule. This rule can be left in place or deleted from the new policy based on your preferred configuration.
To add the new Hash rule, click the Add Rules button.
- On the Policy Rules menu, select any rules you want to add to the new policy. When all are selected, hit the Add Selected button at the bottom.
- When all preferred rules have been added to the policy, you can configure the order in which lockdown rules are evaluated. Lockdown rules (File Access, Network Access, and Program Execution rules) are evaluated top-to-bottom, with rules at the top resolving actions before moving to rules down the chain.
Like a firewall, if an action matches a lockdown rule at the top of the list, the actions specified for that rule are taken and no rules below it are evaluated. If it does not match, it passes to the next rule in line until a match is found. If no rules match, then the action is allowed.
- The newly created Hash policy will appear on the Policies page.
- To apply a policy to an endpoint, the policy must first be applied to an Endpoint Profile. Navigate to the Manage Endpoints | Endpoint Profiles page. Once there, select Add New Profile.
- On the New Configuration Profile pop-up menu, you can configure exactly what actions ZeroLock will take for each protection engine. Here, settings can be fine-tuned for Ransomware, Cryptojacking, and Tampering protection, as well as settings for all Hash Rules set to deny based on a SHA-256 hash.
Enter a name and description, navigate to the Default Control Policy, and, from the drop-down menu, select the preferred policy. Only one policy may be applied to a Configuration Profile at a time. When finished, select the Create button at the bottom of the menu.
- Once a Configuration Profile has been created, it must be applied to an endpoint so the settings can take effect. Navigate to the Endpoints page.
- On the Endpoints page, select the endpoint, or multiple endpoints, to apply the new configuration profile to. Then, click the Actions drop-down menu and select Set Endpoint Config.
- On the Set Endpoint Configs pop-up menu, select the created configuration profile from the drop-down menu, then select the Set Configs button.
- On the Endpoints page, you can see that the profile has been applied to an endpoint.
You have successfully created and applied a Hash rule to an endpoint.
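The top-to-bottom, first-match evaluation of lockdown rules described in the policy step above can be modelled as follows. This is an added example, not ZeroLock's engine: the rule fields, the glob matching, and the sample policy and paths are assumptions constructed to show how a broad rule placed above a specific one keeps the specific rule from ever deciding.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class LockdownRule:
    name: str
    kind: str      # "file_access", "network_access" or "program_execution"
    pattern: str   # glob over the target; glob matching is an assumption of this model
    action: str    # "allow" or "block"

def evaluate(rules, kind, target):
    """Walk the list top to bottom; the first matching rule decides and ends evaluation."""
    for position, rule in enumerate(rules, start=1):
        if rule.kind == kind and fnmatchcase(target, rule.pattern):
            return rule.action, position, rule.name
    return "allow", None, None   # no rule matched: the action is allowed

def shadowed_rules(rules, samples):
    """Names of rules that never decide any of the sample actions."""
    deciding = {evaluate(rules, kind, target)[2] for kind, target in samples}
    return [rule.name for rule in rules if rule.name not in deciding]

PE = "program_execution"
# Constructed policy: the broad allow sits above the specific block.
POLICY_SHADOWED = [
    LockdownRule("allow-usr-bin", PE, "/usr/bin/*", "allow"),
    LockdownRule("block-oldtool", PE, "/usr/bin/oldtool", "block"),
    LockdownRule("block-tmp-exec", PE, "/tmp/*", "block"),
]
# Same rules with the specific block moved to the top.
POLICY_FIXED = [POLICY_SHADOWED[1], POLICY_SHADOWED[0], POLICY_SHADOWED[2]]
# Constructed sample actions used to exercise the ordering.
SAMPLES = [(PE, "/usr/bin/oldtool"), (PE, "/usr/bin/ls"),
           (PE, "/tmp/unpacked.bin"), (PE, "/opt/app/run")]

if __name__ == "__main__":
    for label, policy in (("shadowed", POLICY_SHADOWED), ("fixed", POLICY_FIXED)):
        print(label, "never decides:", shadowed_rules(policy, SAMPLES))
        for kind, target in SAMPLES:
            print("  ", target, "->", evaluate(policy, kind, target))
```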