A trust rule contains one or more properties that determine which software changes
are auto-authorized by Application Control. Software changes that match the properties
of a trust rule are auto-authorized and will not create events in Workload Security.
Any empty trust rule properties are treated as wildcards. While this gives you freedom
in how you customize trust rules, it could also impact the security of your system.
To maximize system security and prevent any unwanted software changes from being authorized,
try to fill in as many properties as possible when creating trust rules. If you are
unsure of the security impact a trust rule might have, check with someone who has
a good knowledge of system security or contact Trend Micro before adding it to a trust
ruleset.
Currently, some trust rule properties only apply to agents on supported Windows platforms
and are not yet available on Linux. For details, see Trust rule property limitations for Linux.
Types of trust rules
- Allow from source rule permits a trusted updater or installer process to install new software on the system. Authorized executable files created by the trusted updater are automatically approved. To use this rule, you need to specify the properties of the source, such as a process or installer, in the rule. In addition, you need to restrict the process to only creating authorized software in specified directories using the paths attribute. Applying this rule minimizes software change events on the Actions page. The Allow from source rule is evaluated during software creation and must be in place prior to running the installer.
- Allow by target rule permits an executable file to run if it matches the specified properties. The properties you specify in the rule must match the properties of the target, such as an executable file. This rule is evaluated at the time of execution, therefore it can be applied after a security event is detected for the file on the Alerts page.
- Block by target rule prevents an executable file from running if it matches the specified properties. The properties specified in the rule must match the properties of the target, such as an executable file. This rule is evaluated at the time of execution, therefore it can be applied after a security event is detected for the file on the Alerts page. Block by target rules are supported for Deep Security Agent 20.0.0-3288 or later.
- Ignore from source rule sets up a process exclusion, enabling the specified process to execute or create software in designated directories without being monitored by Application Control. When the exclusion rule is removed, the exclusion is immediately lifted. If you only specify the paths in an Ignore from source rule, any process can execute or create software in those directories without being monitored by Application Control. This option should only be used if Application Control scanning is causing compatibility problems (for example, performance issues or sharing violations) with some of the processes or paths. The Ignore from source rule overrides any global rules created using the Workload Security API. For more information on global rules, see Use the API to create shared and global rulesets.
Every time an Allow from source rule auto-authorizes a software change, an entry is
added to the local inventory of the agent where the change occurred. This does not
take place for Ignore from source rules.
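The following is an added illustration, not Trend Micro code and not the real Workload Security matching engine. It models the two points above that matter most for security: every empty property of a rule is a wildcard, so a rule with few properties matches far more software changes than intended, and source rules are evaluated when a file is created while target rules are evaluated when it runs. The property names (process_name, signer, paths, sha256), the rule type identifiers and all sample processes, paths and hashes are constructed for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

# Hypothetical scalar properties used by this model (constructed names,
# not Workload Security's actual property list).
PROPERTIES = ("process_name", "signer", "sha256")


@dataclass(frozen=True)
class SoftwareChange:
    """One observed change: a process wrote or ran an executable (constructed fields)."""
    process_name: str   # the source process
    signer: str         # code-signing subject of the source process
    path: str           # file written (creation) or executed (execution)
    sha256: str         # hash of the file


@dataclass(frozen=True)
class TrustRule:
    """A rule; every property left empty ("" or ()) is treated as a wildcard."""
    name: str
    rule_type: str              # allow_from_source | allow_by_target | block_by_target | ignore_from_source
    process_name: str = ""
    signer: str = ""
    paths: tuple = ()           # glob patterns the file path must fall under
    sha256: str = ""


# Phase in which each rule type is evaluated, as described in the text above.
PHASE = {
    "allow_from_source": "creation",
    "ignore_from_source": "creation",
    "allow_by_target": "execution",
    "block_by_target": "execution",
}


def rule_matches(rule: TrustRule, change: SoftwareChange) -> bool:
    """True when every non-empty property of the rule agrees with the change."""
    for prop in PROPERTIES:
        wanted = getattr(rule, prop)
        if wanted and wanted != getattr(change, prop):
            return False
    if rule.paths and not any(fnmatch(change.path, pat) for pat in rule.paths):
        return False
    return True  # nothing constrained the change, so the wildcards matched


def specificity(rule: TrustRule) -> int:
    """Number of properties actually constrained; 0 means the rule matches everything."""
    return sum(1 for p in PROPERTIES if getattr(rule, p)) + (1 if rule.paths else 0)


def matching_rules(rules, change: SoftwareChange, phase: str) -> list:
    """Names of the rules evaluated in this phase that match the change."""
    return [r.name for r in rules if PHASE[r.rule_type] == phase and rule_matches(r, change)]


# Constructed sample data: a vendor updater that writes the expected file,
# the same updater writing somewhere it should not, and an unrelated process.
UPDATER = "updater.exe"
VENDOR = "CN=Example Vendor"
EXPECTED = SoftwareChange(UPDATER, VENDOR, r"C:\Program Files\Example\app.exe", "aa11")
STRAY = SoftwareChange(UPDATER, VENDOR, r"C:\Users\Public\payload.exe", "bb22")
OTHER = SoftwareChange("anything.exe", "", r"C:\Temp\tool.exe", "cc33")

# Only the process name is set: signer, paths and hash are wildcards.
WIDE = TrustRule("updater-wide", "allow_from_source", process_name=UPDATER)
# Process, signer and paths are set, so the updater is confined to its own directory.
NARROW = TrustRule("updater-narrow", "allow_from_source", process_name=UPDATER,
                   signer=VENDOR, paths=(r"C:\Program Files\Example\*",))
# Paths only: any process at all is excluded from monitoring under C:\Temp.
IGNORE_PATH_ONLY = TrustRule("temp-exclusion", "ignore_from_source", paths=(r"C:\Temp\*",))
# A target rule keyed on the file hash, evaluated when the file runs.
BLOCK_HASH = TrustRule("block-payload", "block_by_target", sha256="bb22")

RULES = (WIDE, NARROW, IGNORE_PATH_ONLY, BLOCK_HASH)

if __name__ == "__main__":
    for change in (EXPECTED, STRAY, OTHER):
        print(change.path,
              "creation:", matching_rules(RULES, change, "creation"),
              "execution:", matching_rules(RULES, change, "execution"))
```

Running the block shows the narrow rule rejecting the stray write while the wide rule, with three wildcard properties, accepts it; this is the widening that filling in as many properties as possible is meant to prevent. The hash-keyed block rule only appears in the execution phase, matching the page's note that target rules can be added after an event has already been raised for the file.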
Create a trust rule
- Go to .
- In the Trust Rules section, select New, and then select one of the trust rule types from the list.
- In the New Rule window, provide a name and (optionally) a description for the new rule.
- Select a property from the Add Property list to add it to the new rule.
- Type the value for the property in the provided field.
- Optionally, add more properties to this trust rule by repeating steps 4 and 5.
- Click OK.
The new trust rule is created and ready to assign to a trust ruleset.
For information on configuring trust rule property values, see Types of trust rule properties.
Tip: Select a trust rule (from ) and use Assign/Unassign to define in which trust rulesets to include this trust rule. This can be especially useful if you want to quickly assign or unassign a new rule across many rulesets.
Change trust rule properties
- From the Workload Security Trust Entities tab (
- In the Edit Rule window, do one of the following:
- To add a new property, select one from the Add Property list and fill in its value.
- To edit an existing property, change the value in its field.
- To remove an existing property, select Remove.
- Click OK.
Delete a trust rule
- From the Workload Security Trust Entities tab ( ), select a rule and select Delete.
- Confirm the deletion by clicking OK on the Delete Rule dialog.
If you delete a trust rule that is currently assigned to any trust rulesets, it is automatically unassigned from them following a warning prompt: