Denylist and Allowlist
The Applications, Automations, Uninstaller, Control panel and DLLs sub-module records can be separated by denylist and allowlist lists. They also allow segregation using global levels, workstations, credentials, and access groups.
Maybe the administrator would not like to allow applications like Microsoft Powershell or Windows Command Line (CMD) to be used by users. He can then create a global denylist rule. But sometimes, he may want only a few users to have access to these applications to make an access rule based on access groups.
Create rule
The registered rules can be accessed in the menu Go ➔ Settings ➔ Access lists. To write a configuration, follow the steps:
Access the reporting action at the desired segregation level:
Type Description New global segregation New global segregation valid for all users; New workstation segregation New workstation-based segregation; New segregation for credential New global segregation based on credential. It will apply to all users with access to the credential; New segregation for groups New global segregation based on credential access group. It will apply to all users who use a credential through the specific access group; You will be presented with a screen to select the segregation entity, as follows:
Type Description Name Name of the segregation. Use a name that makes clear the purpose of this configuration; Action Choose between the Allowlist and Denylist options; Status Keep Active for the rule to be applied; Record the session of these applications Indicates if a video recording all the application's execution event should be recorded and forwarded to senhasegura; Applications: Are the applications that should be filtered. It is possible to apply filters by different characteristics of the application: Certificate If the certificate the application has is valid, if it is valid it will be checked against the rule (whether it is allowed or denied), and if there is no certificate it will not be checked; COM class ID It is information that all applications have, it is in GUID format; Directory This is the application path, to be checked against the rule, the registered path must be completely the same as the file; File hash This is a unique piece of information that each file has, a new hash is generated for every change made to the file; File version: This is the file version; Internet Zone Identifier This information refers to the origin of the file, when it is downloaded from the internet, it will be as Internet Zone, usually all files that were downloaded are classified like this, whereas the executables that are installed, by example, it has this information as Local Zone; Product Name This is the name of the program, it evaluates to both the file name and the program name; Product Version This is the product version; source URL contains information you have in video files; Update Code This information is also a GUID of each program, and can be found in the Windows registry; Vendor name This is the name of the manufacturer; Windows store publisher This one is boolean, and it's about applications that were downloaded from the Microsoft Store, it's validated against the file directory, which is in ProgramFiles (and x86 too), and in a folder hidden that calls WindowsApps;
If an application is executed outside of senhasegura.go, it will be blocked if it is on the denylist. But if it is not even in the allowlist and denylist, it will be executed normally.
The administrator can fill segregation rule values with regular expressions.
The rules will apply both for applications started by the client senhasegura.go and applications created outside senhasegura.go.
Users automatically start to admit these rules.
The application will add the rules. For example, if a user has an allowlist application and a denylist credential for the same application, the application will be shown as available. But if he tries to execute using the denied credential, he will be blocked and notified.
Trusted Directory
It is possible to create trusted directories that will assure that any file into the allowed path will be able to be executed even if it is untrusted. To add new trusted directories go to General Settings and set a path.