Application Control Trust Entities

Currently, some trust rule properties only apply to agents on supported Windows platforms and are not yet available on Linux. For details, see Trust rule property limitations for Linux.

API documentation is available for trust rulesets.

The trust entities feature auto-authorizes software changes that match the properties of trust rules assigned to trust rulesets. Each trust rule contains one or more properties that define the parameters for auto-authorizing software changes.

By using the trust entities feature, you can proactively auto-authorize software changes on the agent, reducing the number of software change events sent to Workload Security. For example, any agent undergoing regular OS updates creates several new software changes each time a patch is applied. By configuring appropriate trust rules and applying them to those agents, you can auto-authorize the software changes on the agent and avoid having to manually manage them from the Workload Security Actions tab or as Application Control security events.

To auto-authorize software changes using trust entities you'll need to configure trust rules, assign them to trust rulesets, and assign rulesets to policies or computers.

Throughout this article, the term "source" refers to the process that creates a software change. The term "target" is used when referring to the software change itself.

Trust rulesets

A trust ruleset consists of one or more user-configured trust rules. If you assign a trust ruleset to a policy or computer in Workload Security, the rules contained in that ruleset are applied to the related workloads and will auto-authorize any software changes that meet its rule property requirements.

Create a trust ruleset

To create a new trust ruleset, do one of the following:

From the Workload Security Policies tab:
  1. Go to Common Objects > Rules > Application Control > Trust Entities.
  2. In the Trust Rulesets section, select New.
  3. In the New Ruleset window, provide a name and (optionally) a description for the new ruleset.
  4. Select one or more of the trust rules in the list to assign them to your trust ruleset.
    Create a ruleset from the Policies tab
  5. Select OK.

The trust ruleset is created, containing any rules you assigned.

From the Workload Security Computers or Policies tab:
  1. Double-click a computer or policy (or right-click and select Details).
  2. Go to Application Control and make sure the Configuration is set to "On" or "Inherited (On)."
  3. In the Trust Ruleset dropdown list, select New.
    Computer or policy properties page with New selected from the Trust Entities drop-down list
  4. In the New Ruleset window, provide a name and (optionally) a description for the new ruleset.
    New Ruleset window
  5. Select one or more of the trust rules in the list to assign them to your trust ruleset and select Save to create the trust ruleset, containing any rules you assigned.
  6. (Optional) To assign the new trust ruleset to the computer or policy, select Save.

Instead of creating a trust ruleset from scratch, you can use the Duplicate button from the trust entity management window (Policies > Common Objects > Rules > Application Control > Trust Entities) to create a copy of an existing ruleset and then configure it to meet your needs.

Assign or unassign a trust ruleset

To assign a trust ruleset:
  1. From the Workload Security Computers or Policies tab, double-click a computer or policy (or right-click and select Details).
  2. Go to Application Control and make sure Configuration is set to "On" or "Inherited (On)."
  3. Select a Trust Ruleset from the dropdown list.
    Assign a Trust Ruleset
  4. Select Save.

The trust ruleset you selected is now assigned to the computer or policy.

To unassign a trust ruleset:
  1. Go to Common Objects > Rules > Application Control > Trust Entities and select the trust ruleset.
  2. In the "Trust Ruleset Properties" window displayed on the right, select the number next to "Assignments".
    A trust ruleset selected showing its properties and number of assignments
  3. In the "Assigned To" window, select a computer or policy.
    The Assigned To window showing policies and computers this trust ruleset is assigned to
  4. From the Application Control tab of the computer or policy window, unassign the ruleset by selecting "None" from the "Trust Ruleset" dropdown list.
    Application Control tab of the computer or policy showing "None" selected from the Trust Ruleset dropdown list
  5. Select Save.

The trust ruleset is no longer assigned to the computer or policy.

Delete a trust ruleset

  1. Go to Common Objects > Rules > Application Control > Trust Entities.
  2. In the Trust Rulesets section, select the ruleset you want to delete and select Delete.
  3. From the "Delete Ruleset" confirmation window, select OK.

    Delete Ruleset confirmation window

The trust ruleset is deleted.

A trust ruleset cannot be deleted if it is currently inherited by or assigned to a computer or policy. You must unassign a trust ruleset before it can be deleted.

Trust rules

A trust rule contains one or more properties that determine which software changes are auto-authorized by Application Control. Software changes that match the properties of a trust rule are auto-authorized and will not create events in Workload Security.

Any empty trust rule properties are treated as wildcards. While this gives you freedom in how you customize trust rules, it could also impact the security of your system. To maximize system security and prevent any unwanted software changes from being authorized, try to fill in as many properties as possible when creating trust rules. If you are unsure of the security impact a trust rule might have, check with someone who has a good knowledge of system security or contact Trend Micro before adding it to a trust ruleset.

Types of trust rules

When used in an ignore from source rule, the process name property is only supported for Deep Security Agent versions released after 20.0.0.3288 (20 LTS Update 2021-10-28).

  • Allow from source: An allow from source rule auto-authorizes processes with specific properties to create software changes.
  • Allow by target: An allow by target rule auto-authorizes any software changes that match specific properties.
  • Ignore from source: An ignore from source rule ignores software changes made by a specific process name, and/or made within specific paths.

Whenever an "allow from source" or "allow by target" trust rule auto-authorizes a software change, an entry is added to the local inventory of the agent where the change occurred. This does not occur for "ignore from source" rules.
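To make the wildcard behaviour of empty properties concrete, the following is an added example and not Workload Security code: a local PowerShell model of how the non-empty properties of an "allow" rule narrow what is auto-authorized. It assumes exact, case-insensitive matching for non-path properties and directory-prefix matching (subdirectories included) for the semicolon-separated Paths property, as described on this page; the sample change and rule values are constructed.

```powershell
# Added example, not Workload Security code: models how an "allow" trust rule's properties
# narrow what is auto-authorized. Empty properties are wildcards; Paths is a semicolon-separated
# list matched as a directory prefix, subdirectories included.
# Assumption: non-path properties match exactly and case-insensitively (PowerShell -eq default).
function Test-TrustRuleMatch {
    param(
        [hashtable]$Rule,    # keys: ProcessName, Paths, SHA256, Vendor, ProductName, SignerName
        [hashtable]$Change   # observed change: FilePath plus the same keys as the rule (except Paths)
    )
    foreach ($key in $Rule.Keys) {
        $want = $Rule[$key]
        if ([string]::IsNullOrWhiteSpace($want)) { continue }   # empty property = wildcard

        if ($key -eq 'Paths') {
            # Compare the directory holding the changed file against each configured path.
            $dir = [System.IO.Path]::GetDirectoryName($Change.FilePath).TrimEnd('\') + '\'
            $hit = $false
            foreach ($p in ($want -split ';')) {
                $prefix = $p.Trim().TrimEnd('\') + '\'
                if ($prefix -ne '\' -and $dir.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
                    $hit = $true
                }
            }
            if (-not $hit) { return $false }
        }
        elseif ($Change[$key] -ne $want) {
            return $false
        }
    }
    return $true   # every non-empty property matched
}

# Constructed sample: an unsigned installer writing a driver under C:\Windows.
$change = @{
    FilePath    = 'C:\Windows\System32\drivers\example.sys'
    ProcessName = 'C:\Temp\installer.exe'
    SHA256      = 'CONSTRUCTED-PLACEHOLDER-HASH'
    Vendor      = 'Contoso Ltd'
    ProductName = 'Contoso Updater'
    SignerName  = ''
}
# Paths only: every change under both trees qualifies, whoever made it.
$broad  = @{ Paths = 'C:\Windows\;C:\Program Files\' }
# Paths plus vendor and signer: an unsigned change under C:\Windows no longer qualifies.
$narrow = @{ Paths = 'C:\Windows\'; Vendor = 'Contoso Ltd'; SignerName = 'Contoso Ltd' }

Test-TrustRuleMatch -Rule $broad  -Change $change
Test-TrustRuleMatch -Rule $narrow -Change $change
```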

Create a trust rule

  1. Go to Common Objects > Rules > Application Control > Trust Entities.
  2. In the Trust Rules section, select New and select one of the trust rule types from the dropdown list.
  3. In the New Rule window, provide a name and (optionally) a description for the new rule.
  4. Select a property from the "Add Property" dropdown list to add it to the new rule.

    Add a property

  5. Type the value for the property in the box provided.

    Enter a property value

  6. (Optional) To add more properties to this trust rule, repeat steps 4 and 5.

  7. Select OK.

The new trust rule is created and ready to assign to a trust ruleset.

For help configuring trust rule property values, see Types of trust rule properties.

Select a trust rule (from Policies > Common Objects > Rules > Application Control > Trust Entities) and use Assign/Unassign to choose which trust rulesets to include it in. This can be especially useful if you want to quickly assign or unassign a new rule across many rulesets.

Change trust rule properties

  1. From the Workload Security Trust Entities tab (Policies > Common Objects > Rules > Application Control Rules > Trust Entities), select a rule and select Edit (or double-click a rule).

    Edit Rule window

  2. In the Edit Rule window, do one of the following:

    • To add a new property, select one from the Add Property dropdown list and fill in its value.
    • To edit an existing property, change the value in its text field.
    • To remove an existing property, select Remove.
  3. Select OK.

Delete a trust rule

  1. From the Workload Security Trust Entities tab (Policies > Common Objects > Rules > Application Control Rules > Trust Entities), select a rule and select Delete.
  2. Select OK to confirm the deletion.

    Delete Rule confirmation window

If you delete a trust rule that is currently assigned to any trust rulesets, it will automatically be unassigned from them following a warning prompt:
Delete rule confirmation window explaining that deleting a rule assigned to any rulesets will automatically unassign it from them

Types of trust rule properties

The properties and values included in a trust rule define which software changes are auto-authorized by that rule. The following sections detail the trust rule property types you can use to configure trust rules, including steps to help you find the information required to configure the property values.

Process Name

When used in an ignore from source rule, the process name property is only supported for Deep Security Agent versions released after 20.0.0.3288 (20 LTS Update 2021-10-28).

This property specifies the name of the process creating software changes. The process name must use the absolute path of the process, including its file name.

To find the process name of a software change:

  1. Go to Workload Security's Actions tab.
  2. Find and select the software change.

The process name will be displayed on the right under "Changed By Process" along with other details.

Paths

Do not include file names for the paths property. If you include file names in the path property, the trust rule it belongs to may not work as intended.

This property specifies the target paths applied to a trust rule. Application Control will auto-authorize software changes if they occur within a path entered for this property, including all subdirectories. You can set multiple paths separated by a semi-colon. For example, C:\Windows\;C:\Program Files\.

SHA-256

When used in an allow from source rule, this specifies the checksum (SHA-256) of the source process creating a software change. When used in an allow by target rule, it is the checksum (SHA-256) of the software change itself.

To find the SHA256, do one of the following:

From Windows PowerShell (for source or target):

Follow the instructions for the Windows PowerShell command Get-FileHash.

From Workload Security (for target only):

From Workload Security's Actions tab, find and select the software change.

The SHA256 will be displayed on the right under "SHA256" along with other details.

Vendor

This property (currently supported on Windows only) specifies the software vendor.

To find the vendor, do one of the following:

From File Explorer:
  1. From the directory containing the process or file, right-click on one of the properties displayed at the top of File Explorer (Name, Date modified, etc.) and select More.
  2. Select the Company checkbox and select OK.

The vendor will be displayed in the File Explorer window.

From Workload Security:

From Workload Security's Actions tab, find and select the software change.

The vendor will be displayed on the right under "Vendor" along with other details.

Product Name

This property (currently supported on Windows only) specifies the software product name.

To find the product name, do one of the following:

From file properties:
  1. From the directory containing the file, right-click the process or file and select Properties.
  2. From the Details tab, look at the value for "Product Name."

From File Explorer:
  1. From the directory containing the file, right-click on one of the properties displayed at the top of File Explorer (Name, Date modified, etc.) and select More.
  2. Select the "Product name" checkbox and select OK.

The product name will be displayed in the "Product name" column.

From Workload Security:

From Workload Security's Actions tab, find and select the software change.

The product name will be displayed on the right under "Product Name" along with other details.

Signer Name

When used in an allow from source rule, this specifies the signer name of the source process creating a software change. When used in an allow by target rule, it is the signer name in the certificate that signed the target file.

This property (currently supported on Windows only) specifies the name of the company that signed the software certificate.

To find the certificate signer name:

  1. Right-click the process or file and select Properties.
  2. On the Digital Signatures tab, find the name of the signer in the Signature list table.

The signer name will be displayed under "Signer Name."

Issuer Common Name

This property (currently supported on Windows only) specifies the issuer common name (CN) of the signing software certificate.

To find the issuer common name:

  1. Right-click the process or file and select Properties.
  2. From the Digital Signatures tab, select the first certificate you see on the "Signature list."
  3. Select the certificate and select Details.
  4. Select View Certificate.
  5. Go to the Details tab and select the Issuer field.

If included in the certificate, the issuer "CN" will be displayed under "Issuer."

Issuer Organizational Unit

This property (currently supported on Windows only) specifies the issuer organizational unit (OU) of the software certificate.

To find the issuer organizational unit:

  1. Right-click the process or file and select Properties.
  2. From the Digital Signatures tab, select the first certificate you see on the signature list.
  3. Select the certificate and select Details.
  4. Select View Certificate.
  5. Go to the Details tab and select the Issuer field.

If included in the certificate, the issuer "OU" will be displayed.

Issuer Organization

This property (currently supported on Windows only) specifies the issuer organization (O) of the software certificate.

To find the issuer organization:

  1. Right-click the process or file and select Properties.
  2. From the Digital Signatures tab, select the first certificate you see on the signature list.
  3. Select the certificate and select Details.
  4. Select View Certificate.
  5. Go to the Details tab and select the Issuer field.

If included in the certificate, the issuer "O" will be displayed.

Issuer Locality

This property (currently supported on Windows only) specifies the issuer locality (L) of the software certificate.

To find the issuer locality:

  1. Right-click the process or file and select Properties.
  2. From the Digital Signatures tab, select the first certificate you see on the signature list.
  3. Select the certificate and select Details.
  4. Select View Certificate.
  5. Go to the Details tab and select the Issuer field.

If included in the certificate, the issuer "L" will be displayed.

Issuer State or Province

This property (currently supported on Windows only) specifies the issuer state or province (S) of the software certificate.

To find the issuer state or province:

  1. Right-click the process or file and select Properties.
  2. From the Digital Signatures tab, select the first certificate you see on the signature list.
  3. Select the certificate and select Details.
  4. Select View Certificate.
  5. Go to the Details tab and select the Issuer field.

If included in the certificate, the issuer "S" will be displayed.

Issuer Country

This property (currently supported on Windows only) specifies the issuer country (C) of the software certificate.

To find the issuer country:

  1. Right-click the process or file and select Properties.
  2. From the Digital Signatures tab, select the first certificate you see on the signature list.
  3. Select the certificate and select Details.
  4. Select View Certificate.
  5. Go to the Details tab and select the Issuer field.

If included in the certificate, the issuer "C" will be displayed.
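The lookups described under SHA-256, Vendor, Product Name, Signer Name and the Issuer properties above can be done in one pass from PowerShell. The following is an added example, not code from Workload Security; it assumes a Windows host (the certificate and version properties are Windows-only, as noted above), that Get-AuthenticodeSignature and Get-FileHash are available, and that the file path is the only input. Windows formats the issuer's state or province component as "S", matching the property name on this page.

```powershell
# Added example, not Workload Security code: gathers, for one file, the values the trust rule
# properties above are matched against (SHA-256, Vendor, Product Name, Signer Name and the
# issuer CN/OU/O/L/S/C of the Authenticode certificate). Windows only, like those properties.
function Get-TrustRuleProperties {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate          # $null when the file is not signed

    # The issuer arrives as one DN string, e.g. "CN=..., O=..., L=..., S=..., C=US".
    # Split on commas that start a new KEY= component so quoted values containing commas survive.
    $issuer = @{}
    if ($cert) {
        foreach ($part in ($cert.Issuer -split ',\s*(?=[A-Za-z.0-9]+=)')) {
            $k, $v = $part -split '=', 2
            $issuer[$k.Trim()] = "$v".Trim('"')
        }
    }
    $signer = if ($cert) { $cert.GetNameInfo('SimpleName', $false) } else { $null }

    [pscustomobject]@{
        'Process Name'               = $file.FullName   # absolute path incl. file name, as the property requires
        'SHA-256'                    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        'Vendor'                     = $file.VersionInfo.CompanyName
        'Product Name'               = $file.VersionInfo.ProductName
        'Signer Name'                = $signer
        'Signature Status'           = $sig.Status      # rely on the certificate fields only when this is Valid
        'Issuer Common Name'         = $issuer['CN']
        'Issuer Organizational Unit' = $issuer['OU']
        'Issuer Organization'        = $issuer['O']
        'Issuer Locality'            = $issuer['L']
        'Issuer State or Province'   = $issuer['S']
        'Issuer Country'             = $issuer['C']
    }
}

# Run against a signed system binary to see every property populated.
Get-TrustRuleProperties -Path 'C:\Windows\System32\notepad.exe' | Format-List
```

An unsigned file returns a Signature Status other than Valid and empty signer and issuer fields, in which case only Process Name, Paths and SHA-256 are usable in a rule for it.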

Trust rule property limitations for Linux

A trust rule that uses a property not currently supported on Linux will not apply to any software changes on Linux agents.

The following trust rule properties are not currently supported for Linux:

  • Signer Name
  • Product Name
  • Issuer Common Name
  • Issuer Organizational Unit
  • Issuer Organization
  • Issuer Locality
  • Issuer State or Province
  • Issuer Country
  • Vendor

Only the following trust rule properties are currently supported for Linux:

  • Process Name
  • Paths
  • SHA-256