Under review

Add more details to create rules on for CAM

Daniel Wallach 1 year ago, updated by Caitlin M Barnes (Product Manager) 1 year ago

I would like to have CAM bring in more details to create rules on, specifically fields like product version and product name. This way we could whitelist, in this example, publisher=Microsoft, product name=PowerToys*, version > 0.69.1, and it would be safely scoped to only Microsoft PowerToys with a version greater than 0.69. Currently, with the options we have available, the closest I can do is to whitelist all Microsoft products with a filename of PowerToys*, which a clever user could get around by renaming any Microsoft application and installing it. More granularity in the fields to create rules on would help.

Hi Daniel, 

Thanks for the suggestion! We pull the product name from the signature, just like UAC, so maybe Microsoft isn't signing PowerToys totally correctly. We can potentially gather more information from the file itself (maybe FileProductName, FileProductVersion or something); we'll look into it.
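
The two rule shapes discussed in this thread, evaluated side by side. This is an added example, not part of the original posts and not CAM's own code; the record fields, function names and sample files are hypothetical and constructed for illustration.

```python
from fnmatch import fnmatchcase

def parse_version(text):
    # "0.69.1" -> (0, 69, 1): compare numerically, never as strings.
    return tuple(int(part) for part in text.split("."))

def version_greater(candidate, minimum):
    a, b = parse_version(candidate), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))   # pad so "0.70" compares like "0.70.0"
    b += (0,) * (width - len(b))
    return a > b

def filename_rule(f):
    # Closest rule available today per the post: publisher plus filename pattern.
    return (f["signature_valid"] and f["publisher"] == "Microsoft"
            and fnmatchcase(f["filename"], "PowerToys*"))

def product_rule(f, min_version="0.69.1"):
    # Requested rule: publisher, product name pattern, minimum version.
    if not (f["signature_valid"] and f["publisher"] == "Microsoft"):
        return False
    if not fnmatchcase(f.get("product_name") or "", "PowerToys*"):
        return False
    try:
        return version_greater(f["product_version"], min_version)
    except (KeyError, ValueError, AttributeError, TypeError):
        return False  # missing or malformed version: fail closed

def record(filename, product_name, product_version):
    # Constructed sample metadata; field names are hypothetical, not CAM's schema.
    return {"signature_valid": True, "publisher": "Microsoft", "filename": filename,
            "product_name": product_name, "product_version": product_version}

SAMPLES = {
    "current":  record("PowerToysSetup-x64.exe", "PowerToys (constructed)", "0.70.0"),
    "too_old":  record("PowerToysSetup-x64.exe", "PowerToys (constructed)", "0.9.0"),
    "renamed":  record("PowerToysSetup-x64.exe", "Other Product (constructed)", "16.0.1"),
    "no_field": record("PowerToysSetup-x64.exe", None, None),
}

def evaluate(samples=SAMPLES):
    return {name: (filename_rule(f), product_rule(f)) for name, f in samples.items()}

if __name__ == "__main__":
    for name, (by_filename, by_product) in evaluate().items():
        print(f"{name:9} filename_rule={by_filename} product_rule={by_product}")
```

The `too_old` sample also shows why the version must be compared as numbers: as a string, "0.9.0" sorts after "0.69.1".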