The Application Control Trust Entities feature is part of a controlled release and is in preview. Content on this page is subject to change.

Application Control Trust Entities

Currently, some trust rule properties related to signer certificates only apply to agents on supported Windows platforms and are not yet available on Linux. For details, see Trust rule property limitations for Linux.

The Application Control trust entities feature automatically approves software changes that match trust rules you have configured in advance. A trust ruleset is a set of trust rules, each of which can be customized using various properties. Application Control automatically authorizes a software change when it matches every property of any trust rule in an active trust ruleset.

Trust rulesets

A trust ruleset consists of a set of user-selected trust rules.

When you assign a trust ruleset to a policy or computer in Workload Security, the rules within that ruleset are applied to the related workload.

Create a trust ruleset

A trust ruleset requires at least one trust rule. If no trust rules exist, you will have to create a trust rule before you can create a trust ruleset.

To create a new trust ruleset, do one of the following:

From the Workload Security Policies tab:
  1. Go to Common Objects > Rules > Application Control > Trust Entities.
  2. In the Trust Rulesets section, select "New."
  3. In the New Ruleset window, provide a name and (optionally) a description for the new ruleset.
  4. Select one or more of the trust rules in the list to assign them to your trust ruleset.
  5. Select "Save."

The trust ruleset is created, containing the rules you assigned.

From the Workload Security Computers tab:
  1. Double-click a computer (or right-click and select Details).
  2. Go to Application Control and make sure the Configuration is set to "On" or "Inherited (On)."
  3. From the Trust Entities Trust Ruleset dropdown menu, select "New."
  4. In the New Ruleset menu, provide a name and (optionally) a description for the new ruleset.
  5. Select one or more of the trust rules in the list to assign them to your trust ruleset.
  6. Select "Save."

The trust ruleset is created, containing the rules you assigned.

Assign a trust ruleset

To assign a trust ruleset to a computer:
  1. From the Workload Security Computers tab, double-click a computer (or right-click and select Details).
  2. Go to Application Control and make sure the "Configuration" is set to "On" or "Inherited (On)."
  3. From the Trust Entities section, select a trust ruleset from the dropdown menu.
  4. Select "Save."

The trust ruleset you selected is now assigned to the computer.

To assign a trust ruleset to a policy:
  1. From the Workload Security Policies tab, double-click a policy (or right-click and select "Details").
  2. Go to Application Control and make sure the "Application Control State" is set to "On."
  3. From the Trust Entities section, select a trust ruleset from the dropdown menu.
  4. Select "Save."

The trust ruleset you selected is now assigned to the policy.

Trust rules

A trust rule contains one or more properties determining which software changes Application Control will automatically authorize. Software changes that match every property for a trust rule are auto-authorized and do not create events in Workload Security.

Any empty trust rule property is treated as a wildcard. For example, an "Allow from source" rule with only "Process Name" set authorizes every software change that process makes, regardless of what it writes or where. This flexibility makes rules easy to write, but it can also weaken the security of your system. To maximize system security and prevent unwanted software changes from being approved, fill in as many properties as possible when creating trust rules (a process hash or signer properties in addition to a path, for instance). If you are unsure of the security impact a trust rule might have, check with someone who has a good knowledge of system security or contact Trend Micro before adding it to a trust ruleset.

Trust rule types

A trust rule's type determines how Application Control uses the rule's properties to determine which software changes will be automatically authorized.

Allow from source: This type of rule automatically authorizes processes with specific properties to create software changes. If added to a trust ruleset, any processes matching the properties for an "Allow from source" rule can create software changes without creating an event in Workload Security.

Allow from source rules must include the "Process Name" property.

Allow by target: This type of rule automatically authorizes software changes with specific properties. If added to a trust ruleset, any software changes matching the properties of an "Allow by target" rule are auto-authorized without creating an event in Workload Security.

Allow by target rules cannot include the "Process Name" property.

Ignore by path: This type of rule ignores software changes under one or more specific paths, including all subdirectories. If added to a trust ruleset, any software changes created within the set paths of an "Ignore by path" rule are auto-authorized without creating an event in Workload Security.

Ignore by path rules evaluate only the paths contained in their "Paths" property; no other property is considered. Enter directories only. A path that ends in a file name will not match as intended.
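
The rule types and the wildcard behaviour above can be previewed before a ruleset is assigned. The following is an added example, not Workload Security's own code: a small PowerShell model of the trust rule semantics this page documents, run over constructed software changes. It assumes that an empty property is a wildcard, that every non-empty property must match, that "Paths" entries are directory prefixes that include subdirectories and always refer to the target of the change, that a "Paths" entry ending in a file name matches nothing, and that comparisons are case-insensitive. The rule names, file paths and hashes are all constructed for the demonstration.

```powershell
# Added example, not Workload Security's own code: a model of the documented
# trust rule semantics, used to preview what a draft ruleset would auto-authorize.
# Assumptions: empty property = wildcard; every non-empty property must match;
# "Paths" entries are directory prefixes (subdirectories included) applied to the
# target of the change; comparisons are case-insensitive (Windows paths).
# All software changes, rule names and hashes below are constructed.

function Test-PathPrefix {
    param([string]$Target, [string]$Paths)
    foreach ($prefix in ($Paths -split ';')) {
        $prefix = $prefix.Trim()
        if (-not $prefix) { continue }
        # Directory semantics: an entry that ends in a file name never matches.
        if (-not $prefix.EndsWith('\')) { $prefix += '\' }
        if ($Target.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Test-TrustRule {
    param([hashtable]$Rule, [hashtable]$Change)
    if ($Rule.Type -eq 'Ignore by path') {
        return (Test-PathPrefix -Target $Change.Target.Path -Paths $Rule.Properties.Paths)
    }
    # "Allow from source" matches the process making the change;
    # "Allow by target" matches the file being changed.
    $subject = if ($Rule.Type -eq 'Allow from source') { $Change.Process } else { $Change.Target }
    foreach ($name in @($Rule.Properties.Keys)) {
        $want = $Rule.Properties[$name]
        if ([string]::IsNullOrWhiteSpace($want)) { continue }   # empty property = wildcard
        if ($name -eq 'Paths') {
            if (-not (Test-PathPrefix -Target $Change.Target.Path -Paths $want)) { return $false }
        } elseif ($subject[$name] -ne $want) {                    # -ne is case-insensitive
            return $false
        }
    }
    return $true
}

function Test-TrustRuleset {
    param([hashtable[]]$Ruleset, [hashtable[]]$Changes)
    foreach ($c in $Changes) {
        $matched = @($Ruleset | Where-Object { Test-TrustRule -Rule $_ -Change $c })
        [pscustomobject]@{
            Process        = $c.Process.'Process Name'
            Target         = $c.Target.Path
            AutoAuthorized = ($matched.Count -gt 0)
            MatchedRules   = (($matched | ForEach-Object { $_.Name }) -join ', ')
        }
    }
}

$msiexecSha = 'A' * 64   # placeholder, not a real hash
$changes = @(
    @{ Process = @{ 'Process Name' = 'C:\Windows\System32\msiexec.exe'; 'SHA-256' = $msiexecSha }
       Target  = @{ Path = 'C:\Program Files\Contoso\app.exe'; 'Company Name' = 'Contoso' } },
    @{ Process = @{ 'Process Name' = 'C:\Windows\System32\msiexec.exe'; 'SHA-256' = $msiexecSha }
       Target  = @{ Path = 'C:\Users\Public\dropper.exe'; 'Company Name' = '' } },
    @{ Process = @{ 'Process Name' = 'C:\Temp\build.exe'; 'SHA-256' = 'B' * 64 }
       Target  = @{ Path = 'C:\Temp\out\tool.exe'; 'Company Name' = 'Contoso' } }
)

# Only "Process Name" is set: every other property is a wildcard, so msiexec
# may write anything anywhere without generating an event.
$loose = @{ Name = 'msiexec (loose)'; Type = 'Allow from source'
            Properties = @{ 'Process Name' = 'C:\Windows\System32\msiexec.exe'; 'SHA-256' = '' } }
# Same process, pinned to its hash and restricted to the install directory.
$pinned = @{ Name = 'msiexec (pinned)'; Type = 'Allow from source'
             Properties = @{ 'Process Name' = 'C:\Windows\System32\msiexec.exe'
                             'SHA-256' = $msiexecSha; 'Paths' = 'C:\Program Files\' } }
# A file name inside "Paths" matches nothing; the directory form is what is wanted.
$badIgnore  = @{ Name = 'ignore build output (wrong)'; Type = 'Ignore by path'
                 Properties = @{ Paths = 'C:\Temp\out\tool.exe' } }
$goodIgnore = @{ Name = 'ignore build output'; Type = 'Ignore by path'
                 Properties = @{ Paths = 'C:\Temp\out' } }

'--- loose ruleset ---'
Test-TrustRuleset -Ruleset @($loose) -Changes $changes | Format-Table -AutoSize
'--- pinned ruleset ---'
Test-TrustRuleset -Ruleset @($pinned, $badIgnore, $goodIgnore) -Changes $changes | Format-Table -AutoSize
```

With the loose ruleset, both msiexec changes are auto-authorized, including the executable dropped in C:\Users\Public; with the pinned ruleset only the change under C:\Program Files\ is, and the build output is covered by the "Ignore by path" rule that names a directory, not by the one that names a file. The model does not reproduce the agent's path normalization or other implementation details, so confirm the behaviour of a new ruleset on a test computer before assigning it to a policy.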

Create a trust rule

To create a new trust rule:

  1. From the Workload Security Policies tab, go to Common Objects > Rules > Application Control > Trust Entities.
  2. In the Trust Rules section, select "New" and select one of the trust rule types from the dropdown menu.

    For more details, see Trust rule types.

  3. In the New Rule window, provide a name and (optionally) a description for the new rule.

  4. Select "Add Property" and select one of the properties from the dropdown menu to assign it to the trust rule.
  5. Type the value for the property in its text field.

    For details on properties and how to set their values, see Trust rule properties.

  6. Repeat Step 4 and Step 5 (above) to add any additional properties you want assigned to this trust rule.

  7. Select "OK."

The new trust rule is created, containing the property (or properties) you assigned.

Trust rule properties

The following sections detail the trust rule properties you can use to create a trust rule, including steps to help find the information needed to define the properties.

Application Control handles properties differently depending on a trust rule's type. For details, see Trust rule types.

Process Name

This property specifies the name of the process creating software changes. The process name must use the absolute path of the process, including its file name.

To find a process name of a software change that has already been detected by Workload Security:
  1. Go to Workload Security's Actions tab.
  2. Find and select the software change.

The process name (or "file name") and its install paths will be displayed on the right along with other details.

Paths

This property specifies the target paths applied to a trust rule. Application Control will allow software changes if they occur within a path entered for this property, including all subdirectories. You can set multiple paths separated by a semi-colon. For example, C:\Windows\;C:\Program Files\.

SHA-256

This specifies the checksum (SHA-256) of a process creating a software change, or a file that is the target of a software change.

To find the SHA-256, do one of the following:
From Windows PowerShell:

Use the Get-FileHash cmdlet, which returns a SHA-256 hash by default. On Linux, the sha256sum utility returns the same value.

From Workload Security:

This method only works for software changes that Workload Security has previously detected.

From Workload Security's Actions tab, find and select the software change.

The SHA256 will be displayed on the right along with other details.

Signer Name

This property (currently supported on Windows only) specifies the signer name shown for the software's digital signature, that is, the name on the certificate used to sign the file (the value in the "Name of signer" column). The certificate authority that issued that certificate is described by the Issuer properties below.

To find the certificate signer name:
  1. Right-click the process or file and select "Properties."
  2. From the Digital Signatures tab, select the first entry of the "Signature list" table in the "Name of signer" column.

The signer name will be displayed.

Product Name

This property (currently supported on Windows only) specifies the product name recorded in the file's version information (the "Product Name" value shown on the Details tab of the file's properties).

To find the product name, do one of the following:
From file properties:
  1. From the directory containing the file, right-click the process or file and select "Properties."
  2. From the Details tab, look at the value for "Product Name."
From File Explorer:
  1. From the directory containing the file, right-click one of the column headings at the top of File Explorer (Name, Date modified, and so on) and select "More..."
  2. Select the "Product name" checkbox and select "OK."

The product name will be displayed in the "Product name" column.

From Workload Security:

This method only works for Allow by target type rules, and only for software changes that have been previously detected by Workload Security.

From Workload Security's Actions tab, find and select the software change.

The product name will be displayed on the right along with other details.

Issuer Common Name

This property (currently supported on Windows only) specifies the issuer common name (CN) on the software certificate.

To find the issuer common name:
  1. Right-click the process or file and select "Properties."
  2. From the Digital Signatures tab, select the first certificate you see on the "Signature list."
  3. Select "Details."
  4. Select "View Certificate."
  5. Go to the Details tab and select the "Issuer" field.

The issuer "CN" will be displayed.

Issuer Organizational Unit

This property (currently supported on Windows only) specifies the issuer organizational unit (OU) on the software certificate.

To find the issuer organizational unit:
  1. Right-click the process or file and select "Properties."
  2. From the Digital Signatures tab, select the first certificate you see on the "Signature list."
  3. Select "Details."
  4. Select "View Certificate."
  5. Go to the Details tab and select the "Issuer" field.

The issuer "OU" will be displayed.

Issuer Organization

This property (currently supported on Windows only) specifies the issuer organization (O) on the software certificate.

To find the issuer organization:
  1. Right-click the process or file and select "Properties."
  2. From the Digital Signatures tab, select the first certificate you see on the "Signature list."
  3. Select "Details."
  4. Select "View Certificate."
  5. Go to the Details tab and select the "Issuer" field.

The issuer "O" will be displayed.

Issuer Locality

This property (currently supported on Windows only) specifies the issuer locality (L) on the software certificate.

To find the issuer locality:
  1. Right-click the process or file and select "Properties."
  2. From the Digital Signatures tab, select the first certificate you see on the "Signature list."
  3. Select "Details."
  4. Select "View Certificate."
  5. Go to the Details tab and select the "Issuer" field.

The issuer "L" will be displayed.

Issuer State/Province

This property (currently supported on Windows only) specifies the issuer state/province (S) on the software certificate.

To find the issuer state/province:
  1. Right-click the process or file and select "Properties."
  2. From the Digital Signatures tab, select the first certificate you see on the "Signature list."
  3. Select "Details."
  4. Select "View Certificate."
  5. Go to the Details tab and select the "Issuer" field.

The issuer "S" will be displayed.

Issuer Country

This property (currently supported on Windows only) specifies the issuer country (C) on the software certificate.

To find the issuer country:
  1. Right-click the process or file and select "Properties."
  2. From the Digital Signatures tab, select the first certificate you see on the "Signature list."
  3. Select "Details."
  4. Select "View Certificate."
  5. Go to the Details tab and select the "Issuer" field.

The issuer "C" will be displayed.

Company Name

This property (currently supported on Windows only) specifies the company name recorded in the file's version information (the "Company" value shown in File Explorer; Workload Security displays it as "Vendor").

To find the company name, do one of the following:
From File Explorer:
  1. From the directory containing the process or file, right-click one of the column headings at the top of File Explorer (Name, Date modified, and so on) and select "More..."
  2. Select the "Company" checkbox and select "OK."

The Company Name will be displayed in the File Explorer window.

From Workload Security:

This method only works for "Allow by target" type rules, and only for software changes that have been previously detected by Workload Security.

From Workload Security's Actions tab, find and select the software change.

The company name will be displayed on the right under "Vendor" along with other details.
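
The Properties dialog steps in the SHA-256, Signer Name, Product Name, Issuer and Company Name sections above can be replaced by one script that reads all of these values from the file itself. The following is an added example and is not part of the Workload Security documentation or product. It runs on Windows only (Windows PowerShell 5.1 or PowerShell 7) and uses only built-in cmdlets: Get-FileHash for the hash, the FileInfo VersionInfo property for Product Name and Company Name, and Get-AuthenticodeSignature for the signer and issuer fields. The script name Get-TrustRuleProperties.ps1 and its -Path parameter are this example's own.

```powershell
# Added example, not part of the Workload Security documentation or product:
# gather every trust rule property for one file in a single pass, so the values
# entered into a trust rule are read from the binary itself rather than copied
# by hand from the Properties dialog. Windows only (Windows PowerShell 5.1 or
# PowerShell 7). The script name and the -Path parameter are this example's own.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

$file = Get-Item -LiteralPath $Path -ErrorAction Stop

# SHA-256 of the file (used as the process hash or the target hash).
$hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

# Product Name and Company Name come from the file's version resource (the
# Details tab of its properties), not from the certificate.
$vi = $file.VersionInfo

# Signer and issuer fields come from the Authenticode signature. Like the
# Digital Signatures tab procedure, this reads the primary signature only.
$sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

# Split an X.500 name such as "CN=..., O=..., L=..., S=..., C=..." into a
# hashtable keyed by attribute type. Format($true) emits one RDN per line,
# which avoids mis-splitting values that themselves contain commas.
function ConvertFrom-X500Name {
    param([System.Security.Cryptography.X509Certificates.X500DistinguishedName]$Name)
    $parts = @{}
    foreach ($line in ($Name.Format($true) -split "`r?`n")) {
        if ($line -match '^\s*([^=]+?)\s*=\s*(.*)$') {
            $parts[$Matches[1].ToUpperInvariant()] = $Matches[2].Trim()
        }
    }
    return $parts
}

$subject = @{}
$issuer  = @{}
if ($sig.SignerCertificate) {
    $subject = ConvertFrom-X500Name $sig.SignerCertificate.SubjectName
    $issuer  = ConvertFrom-X500Name $sig.SignerCertificate.IssuerName
}
if ($sig.Status -ne 'Valid') {
    # Unsigned or tampered file: signer and issuer properties are empty or untrustworthy.
    Write-Warning "Signature status for $($file.FullName) is $($sig.Status)."
}

# Windows formats stateOrProvinceName as "S"; fall back to "ST" for other formatters.
$state = if ($issuer.ContainsKey('S')) { $issuer['S'] } else { $issuer['ST'] }

[pscustomobject]@{
    'Process Name / Target'      = $file.FullName      # absolute path, as Process Name requires
    'SHA-256'                    = $hash
    'Signer Name'                = $subject['CN']      # the "Name of signer" column
    'Product Name'               = $vi.ProductName
    'Company Name'               = $vi.CompanyName     # shown as "Vendor" in Workload Security
    'Issuer Common Name'         = $issuer['CN']
    'Issuer Organizational Unit' = $issuer['OU']
    'Issuer Organization'        = $issuer['O']
    'Issuer Locality'            = $issuer['L']
    'Issuer State/Province'      = $state
    'Issuer Country'             = $issuer['C']
    'Signature Status'           = $sig.Status
}
```

Save the script as Get-TrustRuleProperties.ps1 and run it as .\Get-TrustRuleProperties.ps1 -Path 'C:\Program Files\Contoso\app.exe' (a constructed path); to inventory an install directory, pipe the output of Get-ChildItem -Recurse -Include *.exe,*.dll into ForEach-Object and call the script with each file's FullName. Take the values from a known-good copy of the binary, not from a computer whose changes you are trying to explain. Note the trade-off when choosing which properties to copy into a rule: pinning SHA-256 authorizes exactly one file version, whereas signer and issuer properties survive vendor updates but also authorize everything that publisher signs, so combine them with Paths where you can, and never leave the signer fields empty on the assumption that an unsigned file will fail to match, because an empty property is a wildcard.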

Trust rule property limitations for Linux

On Linux agents, a trust rule that includes any property not supported on Linux does not match, and therefore does not auto-authorize, any software change.

The following trust rule properties are not currently supported for Linux:

  • Signer Name
  • Product Name
  • Issuer Common Name
  • Issuer Organizational Unit
  • Issuer Organization
  • Issuer Locality
  • Issuer State/Province
  • Issuer Country
  • Company Name

Only the following trust rule properties are currently supported for Linux:

  • Process Name
  • Paths
  • SHA-256