Pros and cons of different filter properties

In deciding what criteria to use for blocking or allowing applications, you have to consider a number of different aspects. Some criteria ensure a high level of security, but require more administrative effort, while others can be evaluated very quickly, but offer less security. The table summarizes these aspects.

Filter property: Hash
Advantages: unique for each file; allows you to precisely control which applications are allowed and which are not
Disadvantages: high maintenance effort when new files are added (e.g. by updates)
Notes: very high security

Filter property: File path and owner
Advantages: very fast, because the file content does not have to be checked (high performance)
Disadvantages: only secure if the user is not allowed to write to the path (except, for example, when using a software deployment tool)
Notes: lower security

Filter property: Product information and certificate/signature
Advantages: a small number of rules can cover many files and continues to work after updates (the same applies to file path and owner)
Disadvantages: possibly more is allowed than intended (for example, programs signed with the same certificate). Please note that the product information is not secure without a signature.
Notes: medium security

We recommend combining the criteria to cover as many aspects as possible.

To achieve a high level of efficiency when evaluating rules, the Finish rule evaluation once the result has been determined setting is enabled by default. This setting ensures that rules for file path and file owner are executed first. Once a rule has been found that allows an application, the other rules are not evaluated at all, because they will no longer influence the final decision on whether the application is allowed or not (that is, the result).

Example: You create two rules. In rule 1 (file properties rule) all files under the path C:\Windows are allowed. In rule 2 (application hash database rule) you include all Windows files. If a user starts C:\Windows\notepad.exe, then rule 1 takes effect and the hash database rule is not even checked. If the setting is disabled, rule 2 will be checked too (including the hashes), in which case this process will take much longer.

If you are only using simple whitelist rules, this works well, because there is no need to check the time-consuming rules once a quick rule has taken effect. In contrast, if you are using additional blacklist rules or local learning rules, they still need to be checked after a simple whitelist rule has already taken effect. In this case, those additional rules themselves must be quick to evaluate, otherwise the faster rule evaluation brings no benefit.

How to set priorities for application rules

You can set a priority for application rules on the Options tab. As soon as a suitable rule has been found, rules with a lower priority are no longer executed. In this way, you can also create whitelist rules in whitelist mode, which have a higher priority than blacklist rules.

Example: A blacklist rule blocks exe files in the Downloads folder. A whitelist rule allows programs that are signed by Microsoft. With the same priority setting, the blacklist rule would take precedence. If you now give the whitelist rule a higher priority, the Microsoft programs can still be executed.
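The following is an added example (not the product's own code) that models the evaluation order described in the two sections above: cheap rule kinds (file path and owner) run before expensive ones (hash), a matching blacklist rule in the same priority tier overrides a whitelist rule, rules of lower priority are skipped once a tier has produced a result, and the "finish early" setting stops evaluation as soon as no remaining rule could change the result. The rule kinds, field names, cost ordering and sample files are assumptions made for the illustration.

```python
from dataclasses import dataclass
from itertools import groupby
from pathlib import PureWindowsPath

# Constructed model of the rule evaluation order described on this page; it is
# an illustration, not the product's own code. Lower cost = evaluated earlier.
COST = {"path": 0, "signature": 1, "hash": 2}

@dataclass(frozen=True)
class File:
    path: str
    owner: str
    sha256: str
    signer: str = ""          # certificate subject, "" = unsigned

@dataclass(frozen=True)
class Rule:
    name: str
    kind: str                 # "path", "signature" or "hash"
    allow: bool               # True = whitelist rule, False = blacklist rule
    priority: int = 0         # higher value wins
    path_prefix: str = ""     # "path": directory the file must be under
    owner: str = ""           # "path": required file owner ("" = any)
    signer: str = ""          # "signature": required certificate subject
    hashes: frozenset = frozenset()  # "hash": allowed SHA-256 values

    def matches(self, f: File) -> bool:
        if self.kind == "path":
            under = PureWindowsPath(self.path_prefix) in PureWindowsPath(f.path).parents
            return under and (not self.owner or f.owner == self.owner)
        if self.kind == "signature":
            return f.signer == self.signer
        return f.sha256 in self.hashes

def evaluate(rules, f, finish_early=True):
    """Return (verdict, names of rules checked); verdict None = no rule applied."""
    order = sorted(rules, key=lambda r: (-r.priority, COST[r.kind]))
    checked = []
    for _, tier in groupby(order, key=lambda r: r.priority):
        tier, allowed = list(tier), None
        for i, r in enumerate(tier):
            checked.append(r.name)
            if not r.matches(f):
                continue
            if not r.allow:
                return False, checked         # a matching blacklist rule is decisive
            allowed = True
            if finish_early and all(o.allow for o in tier[i + 1:]):
                break                         # remaining rules cannot change the result
        if allowed is not None:
            return allowed, checked           # lower-priority rules are not executed
    return None, checked
```

The returned list of checked rule names makes visible how many (expensive) rules the setting and the priorities saved, which is the point of both examples on this page.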