With OSArmor you can write exclusion rules to allow a blocked process to run.
By using simple variables like %PROCESS% you can match many process fields, including process, parent
process, command-line, signer, MD5 hash, process integrity, and much more.
This allows you to create smart exclusion rules to safely allow a process behavior that is blocked by OSArmor.
Match multiple fields (e.g: process and signer) to create safe rules.
; Allow any process located in a specific folder [%PROCESS%: C:\Allowed\*] ; Allow processes signed by Company XYZ located in C:\Folder\ [%SIGNER%: Company XYZ] [%PROCESS%: C:\Folder\*] ; Allow execution of MSI installers signed by Company Name XYZ [%MSISIGNER%: Company Name XYZ] ; Allow execution of MSI installers located in a specific folder [%MSIFILE%: C:\Users\Admin\Desktop\Allowed MSI\*.msi] ; Allow Internet Explorer to run notepad.exe (child process) [%PARENTPROCESS%: *\iexplore.exe] [%PROCESS%: C:\Windows\System32\notepad.exe] ; Allow process example.exe to run any process located in a specific folder [%PARENTPROCESS%: *\example.exe] [%PROCESS%: C:\Folder\*] ; Allow any process that matches a command-line using wildcard [%PROCESSCMDLINE%: */param1*/param2*] ; Allow unsigned processes located in a specific folder [%SIGNER%: <NULL>] [%PROCESS%: C:\Folder\*] ; Allow process example.exe with a specific command-line [%PROCESS%: *\example.exe] [%PROCESSCMDLINE%: */safecommand*/anothercommand*] ; Allow user John to run any process located in a specific folder [%USER%: John] [%PROCESS%: C:\John\*] ; Allow processes that match a MD5 hash [%PROCESSMD5HASH%: 26E6C0412562419ADB462CA9018262F2] ; Allow all processes located in a folder but not in sub-folders [%PROCESSFILEPATH%: C:\Folder\] ; Allow processes signed by Company Test LLC [%SIGNER%: Company Test LLC]
%PROCESS% : C:\WINDOWS\system32\notepad.exe %PROCESSMD5HASH% : 16E6C0412562419ADB462CA9018262F1 %PROCESSFILENAME% : notepad.exe %PROCESSFILEPATH% : C:\WINDOWS\system32\ %PROCESSCMDLINE% : "C:\WINDOWS\system32\notepad.exe" /testing %SIGNER% : <NULL> %SYSTEMFILE% : True %PROCESSINTEGRITY% : Medium %USER% : John %DOMAIN% : DESKTOP-ROH2DAZ %PARENTPROCESS% : C:\Windows\explorer.exe %PARENTMD5HASH% : 23E6C0412562419ADB462CA9018262F2 %PARENTFILENAME% : explorer.exe %PARENTFILEPATH% : C:\Windows\ %PARENTSIGNER% : Microsoft Windows %PARENTSYSTEMFILE% : True %PARENTINTEGRITY% : Medium %MSIFILE% : C:\Users\Admin\Desktop\winzip25-installer.msi %MSISIGNER% : Corel Corporation
%PARENTINTEGRITY% can be the following:
Untrusted, Low, Medium, Medium Plus, High, System, Protected, Unknown.
%PARENTSYSTEMFILE% (BOOL type) can be the following: False, True.
To match a unsigned
process or parent process just use
Don't forget that you can try OSArmor application for 30-days
(no credit card is required). Just download and install the software on your computer,
you can use it and test it for 1 entire month.