Using Application Path rules is a flexible way to apply a rule to the following:
- A specific application path, for example: c:\Program Files\MyApp\myapp.exe
- All files in a specific folder, for example: c:\Program Files\MyApp\*
- All files in a specific folder and its sub-folders, for example: c:\Program Files\MyApp\**
- All files in a specific sub-folder when an ancestor folder is unknown, for example for any user name: c:\Users\*\Desktop\build\**
These examples are for macOS:
- For simple recursive rules, use the following form for best sensor performance when defining macOS policies:
/users/*/Documents
- Recursive Wild Card Matching
/users/*/Documents/**
- Recursive Prefix Matching
/users/*/**/*.dmg
/Applications/Lion.app/**/*.py
- Non Recursive Wild Card Matching
/users/*/Documents/*
- These two examples result in the same behavior, but the second one is cleaner syntax:
/Applications/Lion.app/**/*
/Applications/Lion.app/**
- This example matches only paths exactly three directory levels below Lion.app; it does not match anything at level 2 or level 4:
/Applications/Lion.app/*/*/*
Specifically, it matches /Applications/Lion.app/a/b/c but not /Applications/Lion.app/a/b or /Applications/Lion.app/a/b/c/d.
These examples are for Windows:
Example 1:
- **\Program Files\Custom App Suite\App*\App*.exe
- **\Program Files\Custom App Suite\**
- **\Program Files\Custom App Suite\App*
Example 2:
- **\Windows\Microsoft.NET\Framework64\*\mscorsvw.exe
- **\Windows\Microsoft.NET\Framework64\*\mscorsvw.*
- **\Windows\Microsoft.NET\Framework64\*\ms*.*
- The leading ** is intended to match the volume prefix, \\Device\Volume0\ or C:. The single * is intended to match the different release (version) folders under Framework64, so that one rule omits mscorsvw.exe from many different folders.
- A trailing * matches anything directly within that directory, but not its sub-folders, e.g. **\Program Files\Custom App Suite\*
- A trailing ** matches anything within the whole subtree, e.g. **\Program Files\Custom App Suite\**
Application Path Rules – different notations:
The following three notations are supported (the examples are Mac/Unix style unless a Windows path is shown):
1.) File notation:
- /usr/bin/gcc
- Note: This is a simple case. The rule will apply only to the single file/application.
2.) Directory Prefix notation:
- Note: This type of rule applies to all files and sub-directories in a folder, recursively. The directory prefix notation is the easiest way to apply a rule to all files in a folder and all of its sub-folders without using the more complicated Glob Matching notation.
- Example: /opt/my_dev_tools/
- Note the trailing path separator, which marks the rule as a directory. Prefer this form over the equivalent Glob Matching / wild-card notation (here, /opt/my_dev_tools/**): it performs better on the sensor, and it is good practice to minimize * and ** where possible.
3.) Glob Matching / Wild-card notation:
- The glob matching notation contains at least one single * or double ** asterisk.
- A single * asterisk will match everything up to the next path separator. It can be applied to generalize a folder or file name.
- Example: c:\Program Files\Visual Studio 8\*.exe
- Note: Applies to all files with .exe extensions in c:\Program Files\Visual Studio 8 folder.
- Example: c:\Program Files\Visual Studio*\*.exe
- Note: Applies to files with .exe extensions located directly in any c:\Program Files sub-folder whose name starts with “Visual Studio” (not in deeper sub-folders, since a single * never crosses a path separator).
- A double ** asterisk matches any number of path components, crossing path separators as needed until the rest of the rule matches. Typically, ** is used to apply a rule to files in sub-directories recursively.
- Example: **\Program Files\Visual Studio\**
- Note: Applies to all files in C:\Program Files\Visual Studio and its sub-folders; the leading ** matches the drive or device prefix, so the rule covers that folder on any volume.
- Example: **\Visual Studio\**
- Applies to all files in Visual Studio folder and its sub-folders, regardless of the location of the Visual Studio folder.
- Single * and double ** asterisks can be combined to form a single rule:
- Example: /Users/*/Desktop/my_dev_tools/**
- Note: This rule applies to all files in my_dev_tools folder and sub-folders, for any user.
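To make the three notations and the Windows examples above concrete, here is a small reference matcher in Python. It is an added example, not code from the original page or from any sensor vendor, and it implements the rules exactly as the page describes them: file notation matches one path, directory prefix notation (trailing separator) matches the folder and everything below it, a single * never crosses a path separator, and ** spans separators. Two details are assumptions rather than statements from the page: comparison is case-insensitive (the default for Windows and macOS volumes), and a ** followed by a separator may also match zero components, which is what makes /Applications/Lion.app/**/* behave the same as /Applications/Lion.app/** as the page says. The sample paths in SAMPLES are constructed for the demonstration; the page's /users/*/Documents shortcut for recursive rules is product behaviour that this matcher does not model.

```python
import re

MAC_SEP = "/"
WIN_SEP = "\\"


def rule_to_regex(rule: str, sep: str) -> str:
    """Translate one Application Path rule into an anchored regex pattern.

    Notations, as described on the page:
      file notation     -> no '*', no trailing separator: exactly this one path
      directory prefix  -> no '*', trailing separator: the folder and everything below it
      glob / wild-card  -> '*'  matches within a single path component only,
                           '**' matches across any number of path separators
    Treating '**<sep>' as "zero or more whole components" is an assumption; it is
    what makes '/x/**/*' and '/x/**' behave the same, as the page says they do.
    """
    esc_sep = re.escape(sep)
    if "*" not in rule:
        return re.escape(rule) + (".*" if rule.endswith(sep) else "")
    out, i = [], 0
    while i < len(rule):
        if rule.startswith("**", i):
            i += 2
            if rule.startswith(sep, i):
                out.append("(?:.*" + esc_sep + ")?")  # zero or more directories
                i += 1
            else:
                out.append(".*")                      # rest of the subtree
        elif rule[i] == "*":
            out.append("[^" + esc_sep + "]*")         # stays inside one component
            i += 1
        else:
            out.append(re.escape(rule[i]))
            i += 1
    return "".join(out)


def matches(rule: str, path: str, sep: str, ignore_case: bool = True) -> bool:
    """True if the rule covers the path. Case-insensitive by default (assumption:
    Windows and default macOS volumes compare file names case-insensitively)."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(rule_to_regex(rule, sep), path, flags) is not None


def notation(rule: str, sep: str) -> str:
    """Classify a rule into one of the three notations the page describes."""
    if "*" in rule:
        return "glob"
    return "directory prefix" if rule.endswith(sep) else "file"


# Constructed sample paths (not from the page) exercising the page's example rules.
SAMPLES = [
    # (rule, separator, path, expected result)
    ("/Applications/Lion.app/*/*/*", MAC_SEP, "/Applications/Lion.app/a/b/c", True),
    ("/Applications/Lion.app/*/*/*", MAC_SEP, "/Applications/Lion.app/a/b", False),
    ("/Applications/Lion.app/*/*/*", MAC_SEP, "/Applications/Lion.app/a/b/c/d", False),
    ("/Applications/Lion.app/**/*", MAC_SEP, "/Applications/Lion.app/c", True),
    ("/Applications/Lion.app/**", MAC_SEP, "/Applications/Lion.app/c", True),
    ("/users/*/**/*.dmg", MAC_SEP, "/users/bob/Downloads/tool.dmg", True),
    ("/users/*/**/*.dmg", MAC_SEP, "/users/bob/Downloads/tool.pkg", False),
    ("/users/*/Documents/*", MAC_SEP, "/users/bob/Documents/sub/a.txt", False),
    ("/users/*/Documents/**", MAC_SEP, "/users/bob/Documents/sub/a.txt", True),
    ("/usr/bin/gcc", MAC_SEP, "/usr/bin/gcc-12", False),
    ("/opt/my_dev_tools/", MAC_SEP, "/opt/my_dev_tools/bin/x", True),
    ("/opt/my_dev_tools/", MAC_SEP, "/opt/my_dev_tools_extra/x", False),
    (r"**\Windows\Microsoft.NET\Framework64\*\mscorsvw.exe", WIN_SEP,
     r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe", True),
    (r"**\Windows\Microsoft.NET\Framework64\*\mscorsvw.exe", WIN_SEP,
     r"\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v2.0.50727\MSCORSVW.EXE", True),
    (r"**\Windows\Microsoft.NET\Framework64\*\mscorsvw.exe", WIN_SEP,
     r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\tools\mscorsvw.exe", False),
    (r"**\Program Files\Custom App Suite\*", WIN_SEP,
     r"C:\Program Files\Custom App Suite\bin\app.exe", False),
    (r"**\Program Files\Custom App Suite\**", WIN_SEP,
     r"C:\Program Files\Custom App Suite\bin\app.exe", True),
]


def check_samples() -> list:
    """Return the (rule, path) pairs whose outcome differs from the expected value."""
    return [(r, p) for r, s, p, exp in SAMPLES if matches(r, p, s) != exp]


if __name__ == "__main__":
    for rule, sep, path, _ in SAMPLES:
        print(f"{notation(rule, sep):16} {rule!r:58} {path!r} -> {matches(rule, path, sep)}")
    print("mismatches:", check_samples())
```

Running the block prints one line per sample showing the notation, the rule, the path and the verdict; check_samples() returning an empty list confirms that every example on the page behaves as its note says. To try a rule of your own, call matches(rule, path, WIN_SEP) or matches(rule, path, MAC_SEP) with the separator the rule was written for.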