When Rules are created as part of a "Real-Time" Privilege Request (from either the "AutoElevate Notify" mobile app or the Admin Portal), the identification criterion used is always the file's MD5 hash. Advanced Rules can be developed by selecting additional File and Publisher Certificate Identification Criteria, either when editing an existing MD5 rule or when creating a new rule from an Event:
- Edit an Existing Rule from the "Rules" screen (in the Admin Portal - https://msp.autoelevate.com) by clicking the "Edit" (pencil icon) next to the Rule.
- Create a New Rule from the "Events" screen (in the Admin Portal - https://msp.autoelevate.com) by checking the box next to an Event and then selecting "Convert to Rule" from the "Actions" menu.
Using File and Publisher Certificate Identification Criteria Combinations
Advanced Rules can be set up to match any combination of the File and/or Publisher Certificate identification criteria by selecting the checkboxes next to the elements of the Event that you want the Rule to match. When a UAC Event takes place and a match is found, the AutoElevate Agent carries out the defined action: Approved, Denied, or Ignored. For a Rule to be applied to an Event it must match ALL of the selected identification criteria; a single non-matching criterion means the Rule does not apply.
File Identification Criteria
File Identification Criteria can be selected in any combination of five options: Product Name, File Path, File Name, Original File Name, and MD5 Hash. The default values of these criteria are set to what was read from the actual file on the local computer where the original Event happened. Wildcard characters (* ? [a-z]) can be used to specify dynamic elements.
- Product Name: A value specified by the software publisher and embedded in the binary of the file itself. It can be blank if the file did not contain version information.
- File Path: The full path of where the file was located on the local machine, including the name of the file itself. When processing the File Path, the agent will expand any Windows environment variables included.
- Note: Currently, the agent cannot process env vars that include any local user information (i.e. %LOCALAPPDATA%). This will be adjusted in a future update.
- File Name: The file name extracted from the path.
- Original File Name: The name the file was created with. It can be blank if the file did not contain version information.
- MD5 Hash: The MD5 hash of the file.
Publisher Identification Criteria
Publisher Identification Criteria can be set to one of two options: Subject Elements or Certificate Hash.
- Subject Elements: These are the different parts of the "Subject" distinguished name found embedded in the publisher certificate. Any combination of elements can be selected; however, note that each software publisher can potentially use many different certificates. Targeting fewer subject elements allows a wider range of that publisher's software to match the identification criteria selected.
- Certificate Hash: This is the "thumbprint" of the certificate used to sign the file. It is specific to that one certificate only. Typically, publisher certificates expire after a year or two, which means publishers need to obtain new certificates, with new thumbprints, frequently. Targeting the certificate hash may mean that you will need to create new Rules to account for these new certificates when they are issued.
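The matching behaviour described above (all selected criteria must match; wildcards in file criteria; environment-variable expansion in File Path; subject elements versus certificate thumbprint for the publisher) is easy to misjudge when building a Rule, so the following is an added worked example of that logic, written for this article and not AutoElevate's own rules engine. The environment-variable map, the sample Event, its MD5 and thumbprint values, and the "first matching Rule wins" ordering are all constructed assumptions; the per-user variables are deliberately left out of the map to mirror the %LOCALAPPDATA% limitation noted above.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed machine-level environment map standing in for the agent's
# expansion of Windows env vars in the File Path criterion. Per-user variables
# such as %LOCALAPPDATA% are deliberately absent to mirror the documented
# limitation that the agent does not expand them.
MACHINE_ENV = {
    "PROGRAMFILES": r"C:\Program Files",
    "SYSTEMROOT": r"C:\Windows",
}


def expand_env(path: str, env: Dict[str, str] = MACHINE_ENV) -> str:
    """Expand %VAR% references from the machine map; unknown variables are left as-is."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def wild_eq(pattern: str, value: Optional[str]) -> bool:
    """Case-insensitive match supporting the * ? and [a-z] wildcards; a blank value never matches."""
    if value is None:
        return False
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


@dataclass
class Event:
    """What the agent captured from the file on the local machine (all fields constructed)."""
    product_name: Optional[str]       # blank (None) if the file carried no version info
    file_path: str
    file_name: str
    original_file_name: Optional[str]
    md5: str
    cert_subject: Dict[str, str]      # Subject distinguished-name elements, e.g. CN / O / C
    cert_thumbprint: str


@dataclass
class Rule:
    """A criterion set to None means its checkbox was not selected."""
    action: str                                   # "Approved", "Denied" or "Ignored"
    product_name: Optional[str] = None
    file_path: Optional[str] = None
    file_name: Optional[str] = None
    original_file_name: Optional[str] = None
    md5: Optional[str] = None
    subject_elements: Optional[Dict[str, str]] = None   # publisher option 1
    cert_thumbprint: Optional[str] = None               # publisher option 2


def rule_matches(rule: Rule, ev: Event) -> bool:
    """All selected criteria must match; a rule with nothing selected matches nothing."""
    checks: List[bool] = []
    if rule.product_name is not None:
        checks.append(wild_eq(rule.product_name, ev.product_name))
    if rule.file_path is not None:
        checks.append(wild_eq(expand_env(rule.file_path), ev.file_path))
    if rule.file_name is not None:
        checks.append(wild_eq(rule.file_name, ev.file_name))
    if rule.original_file_name is not None:
        checks.append(wild_eq(rule.original_file_name, ev.original_file_name))
    if rule.md5 is not None:
        checks.append(rule.md5.lower() == ev.md5.lower())
    if rule.subject_elements is not None:
        # Fewer selected elements -> broader match across a publisher's certificates.
        checks.append(all(ev.cert_subject.get(k) == v for k, v in rule.subject_elements.items()))
    if rule.cert_thumbprint is not None:
        checks.append(rule.cert_thumbprint.lower() == ev.cert_thumbprint.lower())
    return bool(checks) and all(checks)


def decide(rules: List[Rule], ev: Event) -> str:
    """First matching rule wins (an assumption); with no match the UAC prompt is shown."""
    for rule in rules:
        if rule_matches(rule, ev):
            return rule.action
    return "Prompt"


# Constructed sample event; the hash and thumbprint are placeholders, not real values.
SAMPLE_EVENT = Event(
    product_name="Example Updater",
    file_path=r"C:\Program Files\ExampleCo\updater.exe",
    file_name="updater.exe",
    original_file_name="updater.exe",
    md5="0123456789abcdef0123456789abcdef",
    cert_subject={"CN": "Example Co, Inc.", "O": "Example Co, Inc.", "C": "US"},
    cert_thumbprint="ab" * 20,
)

if __name__ == "__main__":
    rules = [
        Rule("Approved", file_path=r"%PROGRAMFILES%\ExampleCo\*.exe",
             subject_elements={"O": "Example Co, Inc."}),
        Rule("Denied", md5="0123456789abcdef0123456789abcdef", product_name="Other*"),
    ]
    print(decide(rules, SAMPLE_EVENT))
```

Two behaviours worth noticing when you run it: a Rule whose File Path uses %LOCALAPPDATA% never matches, because the variable is left unexpanded, and the second Rule does not fire even though its MD5 matches, because its Product Name does not, which is the ALL-criteria requirement in action.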
Note: You will see an expandable section of information about the publisher certificate alongside the publisher options. This data is generated from the file examined on the local machine that the Event originated from. Whether the file is marked as "Verified" or not depends on whether the certificate chain was verified on that local machine: the certificate and/or its issuer must be present in the local certificate authority (CA) store, and the "Signing Time" must fall between the "Valid From" and "Valid To" time stamps.
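The two conditions behind the "Verified" marker can be illustrated with a small check; this is an added example written for this article, not the agent's verification code. The certificate chain, its thumbprints and validity dates, and the contents of the local CA store are all constructed placeholders, and walking issuer links beyond the immediate issuer is a generalisation of "the certificate and/or its issuer" rather than something the article spells out.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Set


def dt(year: int, month: int, day: int) -> datetime:
    """Helper for constructing UTC timestamps in the sample data."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class CertInfo:
    thumbprint: str
    subject: str
    issuer_thumbprint: Optional[str]   # None marks a self-signed root
    valid_from: datetime               # "Valid From"
    valid_to: datetime                 # "Valid To"


# Constructed chain for one signed file: leaf -> intermediate -> root.
# Thumbprints are placeholders, not real certificate hashes.
CHAIN: Dict[str, CertInfo] = {
    "leaf" * 10: CertInfo("leaf" * 10, "CN=Example Co, Inc.", "intr" * 10, dt(2023, 1, 1), dt(2024, 1, 1)),
    "intr" * 10: CertInfo("intr" * 10, "CN=Example Intermediate CA", "root" * 10, dt(2020, 1, 1), dt(2030, 1, 1)),
    "root" * 10: CertInfo("root" * 10, "CN=Example Root CA", None, dt(2010, 1, 1), dt(2040, 1, 1)),
}

# Constructed stand-in for the machine's local CA store: the thumbprints it trusts.
LOCAL_CA_STORE: Set[str] = {"root" * 10}


def chain_anchored(thumbprint: str, chain: Dict[str, CertInfo], store: Set[str], max_depth: int = 8) -> bool:
    """True if the certificate itself, or an issuer reached by following issuer links, is in the local store."""
    seen: Set[str] = set()
    current: Optional[str] = thumbprint
    for _ in range(max_depth):
        if current is None or current in seen:
            return False
        if current in store:
            return True
        seen.add(current)
        cert = chain.get(current)
        if cert is None:
            return False          # issuer not present on the machine: the chain cannot be built
        current = cert.issuer_thumbprint
    return False


def signing_time_ok(cert: CertInfo, signing_time: datetime) -> bool:
    """The Signing Time must fall between Valid From and Valid To."""
    return cert.valid_from <= signing_time <= cert.valid_to


def is_verified(leaf_thumbprint: str, signing_time: datetime,
                chain: Dict[str, CertInfo] = CHAIN, store: Set[str] = LOCAL_CA_STORE) -> bool:
    """Both conditions the article names must hold for the file to show as Verified."""
    leaf = chain.get(leaf_thumbprint)
    if leaf is None:
        return False
    return chain_anchored(leaf_thumbprint, chain, store) and signing_time_ok(leaf, signing_time)


if __name__ == "__main__":
    print(is_verified("leaf" * 10, dt(2023, 6, 1)))   # signed while the certificate was valid
    print(is_verified("leaf" * 10, dt(2024, 6, 1)))   # signing time after Valid To
```

Note that the check is on the Signing Time, not on today's date: a file signed while the certificate was valid still shows as Verified after that certificate has expired, which is why a Rule keyed on Subject Elements can keep working across the publisher's annual certificate renewals while a Rule keyed on the Certificate Hash cannot.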
Also note that Rules which have been defined are encrypted and stored in a secure area of the registry at each check-in, and will continue to work with or without connectivity to the Internet and/or our services.
For anything that does not have a Rule, we default to the secure position and allow the UAC prompt to appear.
We also recommend creating a "break the glass" local admin account on each system (to which perhaps only management has the credentials) for rare cases like these.
Troubleshooting:
- Make sure your agents are at v2.4+. Only Events generated from a machine running agent v2.4+ will have the ability to define a Rule using publisher certificate and file info. Additional information is required to make publisher certificate Rules which previous Agent versions were not capturing, and only Agent versions 2.4+ can interpret and process the identification criteria set on these new Rules.
- If you see agents still stuck on v2.3.8, check that they have at least .NET v4.7, which is required. If the machine does not have version 4.7 the Agent will not install and should remain at the previous version.
- PowerShell v3.0+ is also required to process any Rules with wildcard characters.
- Only users in the Administrators and Technician (Level 3) roles have the permissions to edit and set the identification criteria on Rules.
Security Notes: Publisher certificate verification has been built into agent v2.4+ to ensure the safety and security of making Rules based on publisher certificate criteria. The AutoElevate rules engine performs this verification in the same manner that most security tools do, using information from the local certificate authority (CA) store on each machine. The local certificate authority stores are updated by Microsoft. Security and mitigation of threats to the local certificate store on each machine is strongly dependent upon users having only standard user privileges.