Steps to create an Execution Control (Allow) Rule using Events in the Console. Some examples of when this can be beneficial include:

• The file creation is not observed by the Agent.
• Agent is reporting Unanalyzed or Still Analyzing Events on the files.
• Files are not signed (or incorrectly signed) by a Publisher.

• App Control Agent: All Supported Versions
• App Control Console: All Supported Versions

Step 1: Determine Matching Process and File Patterns:

1. Log in to the Console and navigate to Reports > Events.
2. Use the Filters or Saved Views to locate the matching Events, examples:
   • Saved View: Blocked Files (All)  <and/or>
   • Filters: File Path > begins with:
3. Use the Columns for Process, File Path, File Name and User to help create the Execution Control Rule.

Step 2: Create the Custom Rule:

1. Navigate to Rules > Software Rules > Custom > Add Custom Rule.
2. Using the information determined in Step 1, create a Custom Rule using the following as an example:
   • Rule Name: Accounting Software (Unanalyzed)
   • Status: Enabled
   • Platform: Windows
   • Rule Type: Execution Control
   • Write Action: Allow
   • Path or File: 

     C:\Program Files (x86)\Acme Accounting, Inc\*.dll

   • Process: 

     C:\Program Files (x86)\Acme Accounting, Inc\AcmeDashboard.exe

   • User or Group: Any User
   • Policies: <relevant Policies where software is expected>
3. Click Save & Exit.