File Creation Control rules are not working as expected on files, despite the rule pattern matching successfully.
Not all files are discovered when they are written to disk; some are discovered on their first execution instead. For these files, the App Control console shows Discovery type events with a description that includes a value like:
DiscoveredBy[Kernel:Execute]
Example:
Computer <hostname> discovered new file '/<path>/<filename>' [<hash>]. DiscoveredBy[Kernel:Execute] FileCreated[Wed May 29 11:39:20 2024 by <username>] Discovered[Wed May 29 11:39:20 2024 (Hash: Wed May 29 11:39:20 2024)]
File Creation Control rules do not work for files that already exist on disk. To allow or block execution of those files, use an Execution Control Rule or a File Rule instead, depending on the action needed.
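To list the files that were discovered at first execution rather than at write time, exported Discovery event descriptions can be filtered on the DiscoveredBy value. The script below is an added example, not vendor code: the pattern is built only from the single event format shown above, the function names are hypothetical, and the sample lines (hostnames, paths, hash, user names, and the second line's DiscoveredBy value) are constructed.

```python
import re

# Built from the one Discovery description shown on this page; other layouts are not covered.
DISCOVERY_RE = re.compile(
    r"Computer (?P<computer>\S+) discovered new file "
    r"'(?P<path>.+?)' \[(?P<hash>[^\]]+)\]\. "
    r"DiscoveredBy\[(?P<discovered_by>[^\]]*)\] "
    r"FileCreated\[(?P<created>.*?) by (?P<user>[^\]]*)\]"
)

EXECUTE_DISCOVERY = "Kernel:Execute"  # the value quoted on this page


def parse_discovery(description):
    """Return the fields of a Discovery description, or None if it does not match."""
    match = DISCOVERY_RE.search(description)
    return match.groupdict() if match else None


def discovered_on_execute(descriptions):
    """Keep only events whose file was first seen at execution, not at write."""
    hits = []
    for description in descriptions:
        event = parse_discovery(description)
        if event and event["discovered_by"] == EXECUTE_DISCOVERY:
            hits.append(event)
    return hits


CONSTRUCTED_HASH = "0" * 64  # constructed placeholder, not a real file hash
STAMP = "Wed May 29 11:39:20 2024"

# Constructed sample descriptions. "Example:Other" is a made-up placeholder,
# not a documented DiscoveredBy value.
SAMPLE_EVENTS = [
    f"Computer ws-example-01 discovered new file '/opt/example/bin/tool' "
    f"[{CONSTRUCTED_HASH}]. DiscoveredBy[Kernel:Execute] "
    f"FileCreated[{STAMP} by exampleuser] Discovered[{STAMP} (Hash: {STAMP})]",
    f"Computer ws-example-02 discovered new file '/opt/example/bin/other' "
    f"[{CONSTRUCTED_HASH}]. DiscoveredBy[Example:Other] "
    f"FileCreated[{STAMP} by exampleuser] Discovered[{STAMP} (Hash: {STAMP})]",
    "Unrelated event text that is not a Discovery description",
]

if __name__ == "__main__":
    for event in discovered_on_execute(SAMPLE_EVENTS):
        print(f"{event['computer']}: {event['path']} [{event['hash']}] "
              f"needs an Execution Control Rule or File Rule")
```

Files reported by this filter already existed on disk when they were discovered, so they are the ones to handle with an Execution Control Rule or File Rule.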