How to Create and Apply a Program Execution Rule

Program Execution rules allow the system administrator to restrict what programs are executed on a system.

A rule only takes effect on a ZeroLock® endpoint after it has been added to a policy, the policy has been assigned to a Configuration Profile, and that profile has been applied to the endpoint. The following steps walk through the whole process, starting with rule creation.

Rule Creation

  1. To create a Program Execution rule, navigate to the Control Policies | Rules page, click the Actions drop-down menu, and select Add New Rule.

  2. On the New Policy Rule pop-up, select Program Execution from the Rule Type drop-down menu.

  3. Using the variety of features offered for this Rule Type, craft a rule that fits the exact program execution control action you want ZeroLock to monitor.

    Each field of the Program Execution Rule is described below:

    1. Name: The name of the rule as it will appear on your Rules page as well as when adding it to a policy.

    2. Description: The description of the rule as it will appear on your Rules page as well as when adding it to a policy. It is useful for explaining the purpose of the rule.

    3. Rule Type: Selects what type of rule to create (SSH-MFA, Hash, Canary, File Access, Network Access, or Program Execution). This is the only field that can no longer be edited once the rule has been created.

    4. Source Type: Select between Process, Executable, or Command.
       Process: triggers based on the name of the process (either child, parent process, or both, as defined in "Scope" below) running in memory.
       Executable: triggers based on the actual program's filename running in directories such as /bin, /sbin, and others.
       Command: triggers based on the full command line arguments used to launch a process.

    5. Source Process/Executable/Command: Designate the regex that matches the Process, Executable, or Command that is to be allowed or blocked from executing another specific Process, Executable, or Command. This gives you the granularity to allow some processes to execute a program but not others. If you do not want ANY process executing your target program, put .* in this field.

    6. Target Type: Select between Process, Executable, or Command.
       Process: triggers based on the name of the process (either child, parent process, or both, as defined in "Scope" below) running in memory.
       Executable: triggers based on the program's filename running in directories such as /bin, /sbin, and others.
       Command: triggers based on the name of the shell command used to launch a process or executable.

    7. Target Process/Executable/Command: Designate the regex that matches the actual Process, Executable, or Command to be allowed or blocked from executing.

    8. Scope: Specifies whether the rule applies to the Process, Executable, or Command when it occurs as a parent process, as a child of another process, or both.

    9. Block Operation: Designate whether the source Process, Executable, or Command will be Blocked or Allowed from executing the target. Checking the box Blocks the execution, while leaving it unchecked Allows it.

    10. Alert Level: When this rule triggers, designate whether the alert on the Alerts page will be a Low, Medium, or High-level alert.

    11. Send Email Alerts: When this rule triggers, designate whether it will send an email alert to all Users assigned to the Endpoint Group of the endpoint that this rule triggered on. Email alerts can be configured on the System Configuration | System Settings page.
        Note: The SMTP server must be configured under System Settings. Emails will be sent to all ZMC users.

    12. Response Type: When this rule triggers, designate what response actions ZeroLock will take.
        Do Nothing simply triggers an alert on the Alerts page, where an administrator can Release the alert or choose to manually Kill & Remediate the triggering process.
        Suspend locks the triggering process but does not end it immediately, waiting for an administrator to Release the alert and allow the process to continue, or to Kill & Remediate it.
        Kill automatically ends the process, but any actions it has already taken remain in place.
        Finally, Remediate ends the process and reverts any actions it took on the system by restoring the system to an unaltered state using the backup cache.

    13. Auto Quarantine: When this rule triggers, designate whether the endpoint will be automatically set to Quarantine until an administrator manually Unquarantines it on the Endpoints page.

  4. Once the Program Execution Rule is properly configured, click the Create button at the bottom of the New Policy Rule pop-up menu.

Warning: When creating a New Policy Rule, clicking outside the border of the form returns you to the Policy Rules screen, where you must start the process again by selecting Add New Rule from the Actions menu.
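
To make the interplay of the Source and Target fields concrete, here is a small rule evaluator added for this article; it is not ZeroLock code and does not model Scope, Alert Level or Response Type. It assumes that the regexes are applied unanchored and that the first matching rule wins (neither is stated on this page), and the rules and events are constructed samples.

```python
import re
from dataclasses import dataclass

@dataclass
class ProgramExecutionRule:
    name: str
    source_type: str   # Source Type: "Process", "Executable" or "Command"
    source: str        # Source regex, matched against the launching (parent) process
    target_type: str   # Target Type
    target: str        # Target regex, matched against the program being launched
    block: bool        # Block Operation checkbox: True = Block, False = Allow

def make_event(parent, child):
    """Constructed sample event: (process name, executable path, command line) per side."""
    keys = ("Process", "Executable", "Command")
    return {"parent": dict(zip(keys, parent)), "child": dict(zip(keys, child))}

def rule_matches(rule, event):
    # Assumption of this model: regexes are applied with re.search, so the
    # administrator must anchor them (^...$) or "sh" will also match "ssh".
    src_ok = re.search(rule.source, event["parent"][rule.source_type])
    tgt_ok = re.search(rule.target, event["child"][rule.target_type])
    return bool(src_ok and tgt_ok)

def evaluate(rules, event):
    """First matching rule decides; returns ("Block"|"Allow", rule name) or None."""
    for rule in rules:
        if rule_matches(rule, event):
            return ("Block" if rule.block else "Allow", rule.name)
    return None

# Constructed rules, written as an administrator would fill in the form
RULES = [
    ProgramExecutionRule("Allow cron backups", "Process", r"^cron$",
                         "Executable", r"^/usr/local/bin/backup\.sh$", block=False),
    ProgramExecutionRule("Web server must not spawn a shell", "Process",
                         r"^(nginx|apache2)$", "Process", r"^(sh|bash|dash)$", block=True),
]

WEB_SHELL = make_event(("nginx", "/usr/sbin/nginx", "nginx: worker process"),
                       ("sh", "/bin/sh", "sh -c id"))
CRON_BACKUP = make_event(("cron", "/usr/sbin/cron", "/usr/sbin/cron -f"),
                         ("backup.sh", "/usr/local/bin/backup.sh", "/usr/local/bin/backup.sh"))
USER_SSH = make_event(("bash", "/bin/bash", "-bash"), ("ssh", "/usr/bin/ssh", "ssh host"))

def unanchored_pitfall():
    """Target regex "sh" (unanchored) also matches "ssh"; "^sh$" does not."""
    loose = ProgramExecutionRule("loose", "Process", r".*", "Process", r"sh", True)
    tight = ProgramExecutionRule("tight", "Process", r".*", "Process", r"^sh$", True)
    return rule_matches(loose, USER_SSH), rule_matches(tight, USER_SSH)
```

Before relying on a pattern in production, confirm how the ZeroLock matcher anchors regexes and orders rules, since both are assumptions here.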


Add New Policy

Before a rule can take effect on an endpoint, it must first be added to a policy.

  1. Navigate to the Control Policies | Policies page and select Add New Policy.

  2. On the New Policy dialog box, give your new policy a name and description. To add the new program execution rule, click the Add Rules button.

  3. Selecting the Add Rules button brings up the available policy rules. Select the Program Execution rule you created and click Add Selected.


  4. The following screen appears when Add Selected is chosen. The final step is to select Create, and the new policy is created.


Configuration Profile Creation

To apply a policy to an endpoint, the policy must first be applied to a Configuration Profile.

  1. Navigate to the System Configuration | Config Profiles page and select the Add New Profile button.


  2. On the New Configuration Profile pop-up menu, you can configure exactly what actions ZeroLock® will take for each protection engine. Settings can be fine-tuned for Ransomware, Cryptojacking, and Tampering protection, and for all Hash Rules set to deny based on an SHA-256 hash.
    To apply the policy you created, open the Default Control Policy drop-down menu and select the preferred policy. Only one policy may be applied to a Configuration Profile at a time. Once complete, select the Create button at the bottom of the menu.


Assigning a Configuration Profile to an Endpoint

Once a Configuration Profile has been created, it must be applied to an endpoint so the settings can take effect.

  1. Navigate to the Endpoints page.

  2. On the Endpoints page, select the endpoint or multiple endpoints that you want to apply the new configuration profile to. Then, click the Actions drop-down menu and select Set Endpoint Config.

  3. On the Set Endpoint Configs pop-up dialog box, select the created configuration profile from the drop-down menu. Then click the Set Configs button.

  4. Return to the Endpoints page to verify that the agent endpoint(s) are properly configured with the desired profile, rules and policies.


You have successfully created and applied a Program Execution Rule.