How to use File Rating condition in containment rules

Introduction:

This feature "File Rating" in Comodo-Client-Security helps to filter the applications based on the reputation of file rating.
By this, we can easily sort out applications with a particular action using its rating.

Here, we have three reputation for file rating which we can use as condition for file rating.

The reputation are as follows:

1. Trusted

2. Unrecognized

3. Malicious

In this wiki topic, we have discussed about how a child process can be targeted by a parent process with the rating of the file .

STEP [1] : Go to Endpoint Manager → Configuration Templates → Profiles.

Select your default profile (Ex: Windows - Security Level 1 Profile for ITSM 6.20), clone it and go to Containment section.

STEP [2] : In the Rules tab of the default profile, some rules are already available.

Click "Add Rule".

STEP [3] : A dialog box "Manage Contained Program" appears.

For Action, click the drop-down menu, the actions will be listed. Select any action and click Edit.

The various actions are

• Run restricted.
• Run virtually
• Block
• Ignore

For Example: select "Run virtually" and click "Edit" to configure the rule.

STEP [4] : A dialog box "File Criteria" appears.

STEP [5]: It has various sections:

Type: Click the drop-down menu, the types will be listed. Select the type of the child process.

The various types are:

• Files
• File groups
• Folder
• File hash
• Process hash

Target: Click the drop-down menu, the targets will be displayed. Select the target of the format of the child process.

File Created by applications: This is to add a rule for creating a file by an application.

File started by processes: This is to add a rule for creating a file started by processes.

File Origin: This relates to the origin of the file such as from the Internet, Removable media or Intranet.

File Rating: This tells about the reputation of the file.

For Example: 

Here, we are setting the condition "Run Virtually the unrecognized files triggered by web browsers" to filter the applications that are rated as unrecognized.
The following steps are to be followed to create the above rule.

i) Click Add Rule option available near File Created by applications.

A dialog box "Add Process" appears. Select Type, Reputation, Group and click OK.

ii) Select the File Rating, the ratings will be listed. Select anyone.

The various File Ratings are:

• Trusted
• Unrecognized
• Malicious

iii) Finally, the Condition "Run Virtually the unrecognized files triggered by web browsers" is shown.

STEP [6] : The condition that is selected will be display in a dialog box. click OK.

STEP [7] : This rule will be added to the profile. Drag it to the top of the list and click "Save".

STEP [8] : For the above criteria, we need to download an application from a web browser.

Thus, the logs will be generated.

For Example: The logs for the above criteria is shown.

The application TenClips when downloaded from Firefox is rated as Unrecognized with action Run Virtually.