Exclusion Rules

With OSArmor you can write exclusion rules to allow a blocked process to run.
Simple variables such as %PROCESS% let a rule match many process fields, including process, parent
process, command line, signer, MD5 hash, process integrity, and more.
This lets you create narrow exclusion rules that safely allow a specific process behavior that OSArmor blocks.
Match multiple fields (e.g. process and signer) to create safe rules.

; Allow any process located in a specific folder
[%PROCESS%: C:\Allowed\*]

; Allow processes signed by Company XYZ located in C:\Folder\
[%SIGNER%: Company XYZ] [%PROCESS%: C:\Folder\*]

; Allow execution of MSI installers signed by Company Name XYZ
[%MSISIGNER%: Company Name XYZ]

; Allow C:\Program Files\Firefox\update.exe and assign a name to the rule
[%PROCESS%: C:\Program Files\Firefox\update.exe] [%RULENAME%: Related to Firefox updates]

; Allow execution of MSI installers located in a specific folder
[%MSIFILE%: C:\Users\Admin\Desktop\Allowed MSI\*.msi]

; Allow Internet Explorer to run notepad.exe (child process)
[%PARENTPROCESS%: *\iexplore.exe] [%PROCESS%: C:\Windows\System32\notepad.exe]

; Allow process example.exe to run any process located in a specific folder
[%PARENTPROCESS%: *\example.exe] [%PROCESS%: C:\Folder\*]

; Allow any process that matches a command-line using wildcard
[%PROCESSCMDLINE%: */param1*/param2*]

; Allow unsigned processes located in a specific folder
[%SIGNER%: <NULL>] [%PROCESS%: C:\Folder\*]

; Allow process example.exe with a specific command-line
[%PROCESS%: *\example.exe] [%PROCESSCMDLINE%: */safecommand*/anothercommand*]

; Allow user John to run any process located in a specific folder
[%USER%: John] [%PROCESS%: C:\John\*]

; Allow processes that match a MD5 hash
[%PROCESSMD5HASH%: 26E6C0412562419ADB462CA9018262F2]

; Allow all processes located in a folder but not in sub-folders
[%PROCESSFILEPATH%: C:\Folder\]

; Allow processes signed by Company Test LLC
[%SIGNER%: Company Test LLC]

Variables, with example values:

%RULENAME%         : Assign a name to your rule
%PROCESS%          : C:\WINDOWS\system32\notepad.exe
%PROCESSMD5HASH%   : 16E6C0412562419ADB462CA9018262F1
%PROCESSFILENAME%  : notepad.exe
%PROCESSFILEPATH%  : C:\WINDOWS\system32\
%PROCESSCMDLINE%   : "C:\WINDOWS\system32\notepad.exe" /testing
%SIGNER%           : <NULL>
%SYSTEMFILE%       : True
%PROCESSINTEGRITY% : Medium
%USER%             : John
%DOMAIN%           : DESKTOP-ROH2DAZ
%PARENTPROCESS%    : C:\Windows\explorer.exe
%PARENTMD5HASH%    : 23E6C0412562419ADB462CA9018262F2
%PARENTFILENAME%   : explorer.exe
%PARENTFILEPATH%   : C:\Windows\
%PARENTSIGNER%     : Microsoft Windows
%PARENTSYSTEMFILE% : True
%PARENTINTEGRITY%  : Medium
%MSIFILE%          : C:\Users\Admin\Desktop\winzip25-installer.msi
%MSISIGNER%        : Corel Corporation

%PROCESSINTEGRITY% and %PARENTINTEGRITY% can take the following values:
Untrusted, Low, Medium, Medium Plus, High, System, Protected, Unknown.

%SYSTEMFILE% and %PARENTSYSTEMFILE% (BOOL type) can take the following values: False, True.

To match an unsigned process or parent process, use <NULL>, for example: [%SIGNER%: <NULL>]
or [%PARENTSIGNER%: <NULL>]
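
The advice above to match multiple fields can be checked mechanically before rules are deployed. The Python script below is an added example, not part of OSArmor or its documentation: it parses rule lines in the `[%VARIABLE%: value]` syntax shown above and flags rules a reviewer may want to tighten. The finding labels and the choice of "identity" fields are assumptions of this example, and it does not reproduce OSArmor's own matching logic.

```python
import re

# Field syntax as shown in the rule examples on this page: [%VARIABLE%: value]
FIELD_RE = re.compile(r"\[%([A-Z0-9]+)%:\s*(.*?)\]")

# Assumption of this example: fields that pin who/what the binary is, not where it lives.
IDENTITY_FIELDS = {"SIGNER", "PARENTSIGNER", "MSISIGNER",
                   "PROCESSMD5HASH", "PARENTMD5HASH"}

def parse_rule(line):
    """Return {variable: value} for a rule line, None for blanks and ';' comments."""
    line = line.strip()
    if not line or line.startswith(";"):
        return None
    return {name: value.strip() for name, value in FIELD_RE.findall(line)}

def audit_rule(fields):
    """Return a list of finding labels (hypothetical names) for one parsed rule."""
    match = {k: v for k, v in fields.items() if k != "RULENAME"}
    pinned = [k for k, v in match.items() if k in IDENTITY_FIELDS and v != "<NULL>"]
    findings = []
    if len(match) == 1:
        findings.append("single-field")
    if any(v == "<NULL>" for k, v in match.items() if k.endswith("SIGNER")):
        findings.append("allows-unsigned")
    if not pinned and any("*" in v for v in match.values()):
        findings.append("wildcard-without-signer-or-hash")
    return findings

def audit_rules(text):
    """Audit every rule line; returns [(line_no, rule, findings)]."""
    parsed = ((n, l.strip(), parse_rule(l)) for n, l in enumerate(text.splitlines(), 1))
    return [(n, rule, audit_rule(f)) for n, rule, f in parsed if f]

# Constructed sample, built from the rule examples on this page
SAMPLE = r"""; rules under review
[%PROCESS%: C:\Allowed\*]
[%SIGNER%: Company XYZ] [%PROCESS%: C:\Folder\*]
[%SIGNER%: <NULL>] [%PROCESS%: C:\Folder\*]
[%PROCESS%: C:\Program Files\Firefox\update.exe] [%RULENAME%: Related to Firefox updates]
[%PARENTPROCESS%: *\iexplore.exe] [%PROCESS%: C:\Windows\System32\notepad.exe]
"""

if __name__ == "__main__":
    for line_no, rule, findings in audit_rules(SAMPLE):
        print(f"line {line_no}: {', '.join(findings) or 'ok'}  {rule}")
```

A rule with no findings is not automatically safe; the labels only mark rules that rely on a single field, on an unsigned match, or on a wildcard with no signer or hash to back it.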


Try OSArmor for 30 Days

Don't forget that you can try OSArmor for 30 days
(no credit card is required). Just download and install the software on your computer;
you can use it and test it for one entire month.