What is the order of precedence for the different types of software rules in App Control?
Environment
App Control Console : All Supported Versions
Resolution
Note: Custom Rules, Hash-based Rules, and Trusted Users are different approval methods that run in parallel and can trigger at the same time.
Custom Rules are pattern-based approval/block methods that rank in the following order:
1. Tamper Protection built-in Rules
2. Updaters and Rapid Configs built-in Rules
3. User-created Custom Rules
4. Internal Custom Rules (e.g. Block Executions of Unapproved or Banned Hashes)
Hash-based Rules are approval/ban methods that use a hash value to change the state of files:
- Global/Local File Rules
- Trusted Directory Rules
- Reputation Approvals of Files or Publishers
- Publisher and Certificates Rules
Trusted Users is an approval method where the specified user or group SID number is used to approve/allow files to run.
Additional Information
The ability to have multiple approval methods better ensures that files get approved and reduces the chance of unexpected blocks.
When multiple approvals trigger for the same file, agents may coalesce the data into one event to reduce noise.
For example: if a file is approved by both a Publisher and a Custom Rule, the agent will report a single event with subtype "File Approval by Publisher", and that event will also include the Custom Rule that approved it.
Within the Custom Rules there are out-of-the-box internal rules that cannot be deleted.
User-created Custom Rules can be set either above or below the internal rules.
One scenario may call for a Custom Rule to sit above the internal "Block banned files" or "Block unapproved files" and another scenario may call for it to be below.
If a file is Locally or Globally Approved, and an Execution Block Rule is created by the user to block the same file, then the file would be blocked.
The opposite is true as well: if a file is Locally or Globally Banned and an Execution Allow Rule is created that sits above the internal "Block banned file hashes" rule, then the file will run.
This is so that user-created rules can override the built-in behavior of the App Control agent, if desired.
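The placement effect described above can be checked with a small model. This is an added example, not App Control code or its export format: the Rule fields, the sample rules and the "highest-ranked matching rule wins" evaluation are assumptions made for illustration, and only the user-created and internal rule ranks are modelled.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Rule:                   # hypothetical shape, not the product's schema
    name: str
    action: str               # "allow" or "block"
    pattern: str = "*"        # path pattern the rule matches
    state: str = "any"        # hash state it applies to: any/banned/unapproved
    internal: bool = False    # built-in rule that cannot be deleted

BLOCK_BANNED = Rule("Block banned file hashes", "block", state="banned", internal=True)
BLOCK_UNAPPROVED = Rule("Block unapproved files", "block", state="unapproved", internal=True)

def decide(rules, path, state):
    """Return (action, deciding rule); assumes the highest-ranked match wins."""
    for rule in rules:  # list order is rank order, top first
        if rule.state in ("any", state) and fnmatchcase(path, rule.pattern):
            return rule.action, rule.name
    # No custom rule matched: in this model the hash state alone decides.
    return ("allow" if state == "approved" else "block"), "hash state: " + state

def allow_overrides(rules):
    """List user-created allow rules ranked above an internal block rule."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.internal or rule.action != "allow":
            continue
        below = [r.name for r in rules[i + 1:] if r.internal and r.action == "block"]
        if below:
            findings.append((rule.name, below))
    return findings

# Constructed sample rule sets: the same user rule at two different ranks.
USER_ALLOW = Rule("Allow build tools", "allow", pattern="c:/build/*")
ABOVE = [USER_ALLOW, BLOCK_BANNED, BLOCK_UNAPPROVED]
BELOW = [BLOCK_BANNED, BLOCK_UNAPPROVED, USER_ALLOW]

if __name__ == "__main__":
    for label, rules in (("above", ABOVE), ("below", BELOW)):
        print(label, decide(rules, "c:/build/tool.exe", "banned"), allow_overrides(rules))
```

Running allow_overrides over a rule list during review surfaces every user-created allow rule that can let a banned or unapproved file run.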