List of Default Filters

This topic catalogs all out-of-the-box filters that are built into Verify Privilege Manager and can be used to simplify policy configuration.

Win32 Executable Filters

Filter Description
Add Hardware Utility (hdwwiz.exe) Filter used to identify the Device Pairing Wizard that appears when you click Add Device in Windows Vista and Windows 7
AOL Instant Messenger Filter used to detect AOL Messenger
AppCmd for App Pool Recycling (appcmd.exe) Filter used to identify the AppCmd executable
Backup and Restore Utility (sdclt.exe) Filter used to identify the Windows Backup and Restore utility
Chrome Filter used to detect Google Chrome web browsers
COM Elevation Host Utility (COMElevateHost.exe) Filter to detect the COMElevateHost. This is used to detect when COM components are being elevated, such as the Network Adapter Properties
Command Processor (cmd.exe) Filter used to identify the Windows command shell processor
Control Panel Utility (control.exe) Filter used to identify the process used to launch Control Panel applets
Defragment GUI Utility (dfrgui.exe) Filter used to identify the disk defragment utility within Windows
Device Pairing Wizard Filter used to identify the Device Pairing Wizard that appears when you click Add Device in Windows Vista and Windows 7
Eudora Filter used to detect Eudora email client
Firefox Filter used to detect Firefox web browsers
Google Talk Filter used to detect Google Talk
IIS Manager Executable Filter (inetmgr.exe) Filter used to identify the IIS Manager executable
IIS Reset Executable Filter (iisreset.exe) Filter used to identify the IIS Reset executable
Internet Explorer Filter used to detect Internet Explorer web browsers
ISCSI Executable Filter (iscsicpl.exe) Filter used to identify the ISCSI executable
iTunes Filter used to detect iTunes
Library Loader Utility (rundll32.exe) Filter used to identify the dynamic library loader utility used by Windows to launch various system configuration applets
Microsoft Installer File Filter Filter used to detect the Microsoft Installer. This filter can be used in policies with secondary file filters targeting specific MSI files
Microsoft Management Console (mmc.exe) Filter used to identify the Microsoft Management Console Utility
Microsoft Windows Media Player Filter used to detect Windows Media Player
MS Access Filter used to detect Microsoft Access
MS Excel Filter used to detect Microsoft Excel
MS FrontPage Filter used to detect Microsoft FrontPage
MS InfoPath Filter used to detect Microsoft InfoPath
MS Lync Filter used to detect Microsoft Lync
MS OIS Filter used to identify the Office Picture Manager Image Viewer
MS Outlook Filter used to detect Microsoft Outlook
MS Powerpoint Filter used to detect Microsoft PowerPoint
MS PPTVIEW Filter used to detect Microsoft PowerPoint Viewer
MS Publisher Filter used to detect Microsoft Publisher
MS Visio Filter used to detect Microsoft Visio
MS VPreview Filter used to detect Microsoft VPreview
MS Word Filter used to detect Microsoft Word
MSN Messenger Filter used to detect MSN Messenger
NLB executable Filter (nlbmgr.exe) Filter used to identify the NLB Manager executable
OODBC Executable Filter (odbcad32.exe) Filter used to identify the OODBC executable
Opera Filter used to detect the Opera Browser
Outlook Express Filter used to detect Microsoft Outlook Express
Performance Monitor Utility (perfmon.exe) Filter used to identify the Performance Monitor launcher stub utility within Windows
Powershell (powershell.exe) Filter used to identify the Windows PowerShell command processor
Printer Control Utility (printui.exe) Filter used to identify the printer management applet launcher within Windows
QuickTime Filter used to detect QuickTime
RealPlayer Filter used to detect RealPlayer
Resource Monitor (resmon.exe) Filter used to identify the Windows Resource Monitor application
Safari Filter used to detect Apple Safari on Windows
Scripting Host (cscript.exe) Filter used to identify the Windows Scripting Host command-line utility
Scripting Host (wscript.exe) Filter used to identify the Windows Scripting Host command-line utility
Setup Display Languages Utility (lpksetup.exe) Filter used to identify the Install/Uninstall of Display Languages setup utility for Windows
ShareX This filter targets the ShareX application
Skype Filter used to detect Skype
Trillian Filter used to detect the Trillian application
User's Temp Directory Win32 Executable Filter Filter used to target any executable (exe) in a user's temp directory
Win32 Executables Discovered in the Last Week This filter is limited to applications discovered on the endpoint within the last week
Winamp Filter used to detect Winamp application
Windows Firewall (netsh.exe) Filter used to identify the Windows Firewall netsh.exe
Windows Messenger Filter used to detect Windows Messenger
Yahoo! Messenger Filter used to detect Yahoo Messenger

Commandline Filters

Filter Description
Add Printer Commandline Arguments Filter used to identify the Add Printer UI applet
Azman.msc Commandline Filter for MMC Snap-in Filter used to detect Windows Authorization Manager
Backup and Restore Commandline Arguments Filter used to identify the Backup and Restore component, used as a commandline argument to a process
Certmgr.msc Commandline Filter for MMC Snap-in Filter used to detect Windows Certificate Manager
Ciadv.msc Commandline Filter for MMC Snap-in Filter used to detect Indexing Service Management
Compmgmt.msc Commandline Filter for MMC Snap-in Filter used to detect Windows Computer Management
Defragment Component (dfrg.msc) Filter used to detect the MMC Snap-in used to defragment disks in Windows XP
Devmgmt.msc Commandline Filter for MMC Snap-in Filter used to detect Device Manager
Dhcpmgmt.msc Commandline Filter for MMC Snap-in Filter used to detect DHCP Management
Diskmgmt.msc Commandline Filter for MMC Snap-in Filter used to detect Disk Management
Dnsmgmt.msc Commandline Filter for MMC Snap-in Filter used to detect DNS Management
Eventvwr.msc Commandline Filter for MMC Snap-in Filter used to detect Event Viewer
Fsmgmt.msc Commandline Filter for MMC Snap-in Filter used to detect Shared Folders Management
Fsrm.msc Commandline Filter for MMC Snap-in Filter used to detect File Resource Manager
Gpedit.msc Commandline Filter for MMC Snap-in Filter used to detect Group Policy Editor
Hardware Wizard Applet Filter used to identify a commandline argument referring to the Control Panel applet used to add new hardware
Lusrmgr.msc Commandline Filter for MMC Snap-in Filter used to detect Local User and Group Management
Napclfcfg.msc Commandline Filter for MMC Snap-in Filter used to detect NAP Client Configuration
Network Adapter Elevate Attempt Filter used to detect when a user right-clicks on a network adapter and selects Properties
Ntmsmgr.msc Commandline Filter for MMC Snap-in Filter used to detect Removable Storage Manager
Performance Monitor Component (perfmon.msc) Filter used to detect Performance Monitor
Printmanagement.msc Commandline Filter for MMC Snap-in Filter used to detect Print Management
Recycle App Pool Commandline Filter used to identify the recycle command for application pools
Rsop.msc Commandline Filter for MMC Snap-in Filter used to detect Resultant Set of Policy
Secpol.msc Commandline Filter for MMC Snap-in Filter used to detect Local Security Settings Manager
Services.msc Commandline Filter for MMC Snap-in Filter used to detect Services Manager
Sqlservermanager12.msc Commandline Filter for MMC Snap-in Filter used to detect SQL Server Manager
System Control Panel Applet Filter used to identify a commandline argument referring to the Control Panel applet used to change the system time and date settings
Tpm.msc Commandline Filter for MMC Snap-in Filter used to detect Trusted Platform Module Management
Wbadmin.msc Commandline Filter for MMC Snap-in Filter used to detect Windows Server Backup
Wf.msc Commandline Filter for MMC Snap-in Filter used to detect Windows Firewall Management
Wmimgmt.msc Commandline Filter for MMC Snap-in Filter used to detect WMI Management

Environment Filters

Filter Description
Manual Application Compatibility Setting Detects whether an application is being run with manual override options
User Access Control Consent Dialog Detected This filter will match when an application that requires User Access Control consent is launched
User Requested Run As Administrator Detects whether a user has right-clicked on an application and used IBM Security's custom 'Request Run as Administrator' option

Network Location Filters

Filter Description
Disconnected from Network Filter used to detect when the computer is not attached to a network
Domain Network Location Filter Filter used to detect when the computer is attached to a network classified as domain
Private Network Location Filter Filter used to detect when the computer is attached to a network classified as private
Public Network Location Filter Filter used to detect when the computer is attached to a network classified as public

Parent Process Filters

Filter Description
Thycotic Copy/Installer Helper Parent Process Filter Filter used to detect when a user attempts to copy a file using the Verify Privilege Manager copy helper

Secondary File Filters

Filter Description
Target MSI and Scripts executed from the User's Temp Directory Filter used to target MSI and Scripts executed from the User's Temp Directory

Security Rating Filters

Filter Description
VirusTotal This filter will target VirusTotal for Reputation Checking
VirusTotal-Bad Rating This filter will target VirusTotal for Reputation Checking
VirusTotal-Clean Rating This filter will target VirusTotal for Reputation Checking
VirusTotal-Suspect Rating This filter will target VirusTotal for Reputation Checking

VirusTotal filters depend on configuring the VirusTotal integration in Verify Privilege Manager. For the steps to do this, see the VirusTotal Integration Guide.

Time of Day Filters

Filter Description
Business Hours (8:30AM to 5:30PM) This filter is limited to 8AM to 6PM weekdays
Business Hours (8AM to 6PM) This filter is limited to 8AM to 6PM weekdays
Business Hours (9AM to 5PM) This filter is limited to 9AM to 5PM weekdays
Weekends This filter is limited to weekends

User Context Filters

Filter Description
Administrators Detects when an application is running with elevated (administrator) permissions
Administrators (Include Disabled) Detects when an application has an administrator user token

File Filters

Application Compatibility File Filters

Filter Description
Administrative Rights Required Application Compatibility Filter This filter tests whether Windows has detected that this executable requires administrative rights
Generic Installer Detection Filter This filter indicates that Windows has detected that an executable is an Application Setup
Highest Available Application Compatibility Filter This filter tests whether Windows has detected that this executable required highest available rights
Specific Installer Detection Filter This filter indicates that Windows has detected that an executable is an Application Setup
Specific Non Installer Detection Filter This filter indicates that an executable has been flagged as not being an Application Setup

Manifest Filters

Filter Description
Require Administrator Rights Manifest Filter This filter tests whether an executable is marked as requiring Administrative rights
Require Highest Available Rights Manifest Filter This filter tests whether an executable is marked as requiring highest available rights
Manifest Present Filter This filter tests whether an executable has a security manifest

File Owner Filters

Filter Description
System (Wheel) File Owner Files that are owned by the Wheel Group (Unix)
System File Owner Filter Filter used to detect files owned by the System account
Trusted Installer File Owner Filter Filter used to detect files owned by the Trusted File Owner account

File Specification Filters

Filter Description
Any Package (macOS) Target .pkg and .mpkg files
App Store Preference Pane (macOS) Filter used to detect App Store Preference Pane in macOS
Common Executable Folders Filter used to detect files in common executable directories, such as C:\Windows, C:\Program Files, and C:\Program Files (x86)
Date and Time Preference Pane (macOS) Date and Time Preference Pane (macOS)
Default App Bundles File Specification Filter The default filter for discovering app bundles on macOS
Default File Specification (All executable types) Specifies all executable file types in Windows and Program files
Default File Specification (macOS) The default filter for discovering executable files on macOS
Default File Specification (Windows) This specifies executables in Windows and Program files
Documents and Settings Filter used to detect files in the Downloaded Program Files directory
Drivers Filter used to detect files in the C:\Windows\System32\drivers directory
Energy Saver Preference Pane (macOS) Filter used to detect the Energy Saver Preference Pane in macOS
Executables in Windows Directories This specifies executables in Windows directories
Executables in Windows Directories (All executable types) Specifies all executable file types in Windows directories that are not present in a signed security catalog
macOS /Users/ File Specification The default filter for files in the /Users/ directory on macOS
Network Drive Filter Specifies files present on network file systems
Optical Drive Filter (CD/DVD) Specifies files present on optical drives (CD/DVD)
Parental Controls Preference Pane (macOS) Filter used to detect the Parental Controls Preference Pane in macOS
Printers and Scanners Preference Pane (macOS) Filter used to detect the Printers and Scanners Preference Pane in macOS
Program Data Filter used to detect files in the C:\ProgramData\ directory
Program Files Filter used to detect files in the C:\Program Files\ directory
Program Files (x64 on Win32) Filter used to detect files in the C:\Program Files\ directory
Program Files (x86) Filter used to detect files in the C:\Program Files (x86)\ directory
Removable Drive Filter Filters files present on removable drives such as Floppy Drives and USB devices
Security and Privacy Preference Pane (macOS) Filter used to detect Security and Privacy Preference Pane in macOS
Sharing Preference Pane (macOS) Filter used to detect the Sharing Preference Pane in macOS
System Catalog Folder Filter used to detect files in the CatRoot directory
System Preferences (macOS) Filter used to detect the System Preferences Preference Pane in macOS
Temporary ASP.NET 1.0 Files Filter used to detect files in the .NET 1 Temp directory
Temporary ASP.NET 1.1 Files Filter used to detect files in the .NET 1.1 Temp directory
Temporary ASP.NET 2.0 Files Filter used to detect files in the .NET 2 Temp directory
Temporary Files Filter used to detect files in the C:\Windows\Temp directory
Thycotic Copy/Installer Helper Application Filter used to detect usage of the Verify Privilege Manager copy helper
Time Machine Preference Pane (macOS) Filter used to detect the Time Machine Preference Pane in macOS
Uncommon Executables Folders Filter used to detect files in the Uncommon directories
Users and Groups Preference Pane (macOS) Filter used to detect the Users and Groups Preference Pane in macOS
User's Directory Collection File Specification Filter Used to target any file in the user's temp directory
User's Downloads Directory File Specification Filter Used to target any file in the user's temp directory
User's Temp Directory File Specification Filter Used to target any file in the user's temp directory
Windows Directory Filter used to detect files in the C:\Windows directory
Windows Directory (Include Subdirectories) Filter used to detect files in the C:\Windows\ directory
Windows Dll Cache Filter used to detect files in the C:\Windows\System32\dllcache directory
Windows Side By Side Filter used to detect files in the C:\Windows\WinSxS\ directory
Windows Software Distribution Filter used to detect files in the Windows Software Distribution directory
Windows\System32 Filter used to detect files in the C:\Windows\System32 directory
Windows\System32 (Include Subdirectories) Filter used to detect files in the C:\Windows\System32\ directory
Windows\SysWOW64 Filter used to detect files in the SysWOW64 directory
Windows\SysWOW64 (Include Subdirectories) Filter used to detect files in the SysWOW64\ directory

Security Catalog Filters

Filter Description
Present in Signed Security Catalog Filter used to detect Operating System Files and other trusted files dynamically on each system by using that machine's Signed Security Catalog. This filter does not need to be modified on the server

Miscellaneous Filters

App Bundle Filters

Filter Description
All Application Bundles Filter (macOS) Filter used to detect All Applications Bundles

Coff Header Filters

Filter Description
32-bit Executables Filter used to detect files with the 32-bit executable machine type header set
All Executable Types This filter includes all executable types
Commandline Executables Filter used to detect files with the Windows console subsystem header set
GUI Executables Filter used to detect files with the GUI header set
Native Executables Filter used to detect files with the executable header set
Windows CE Executables Filter used to detect files with the Windows CE Subtype header set
Program File Executables Filter used to detect files with the executable or DLL header set
Posix Executables Filter used to detect files with the POSIX header set
X64 Executables Filter used to detect files with x64 machine type header set

File Parameter Collections

Filter Description
All Deny List Security Rated Applications This collection contains all applications that have been denylisted by applying a security rating
All Executables Discovered in Last 2 Weeks Filter used to detect files that have been discovered by the server in the past 2 weeks
All Executables Discovered in Last Day Filter used to detect files that have been discovered by the server in the past day
All Executables Discovered in Last Week Filter used to detect files that have been discovered by the server in the past week
All Executables Discovered in Last Month Filter used to detect files that have been discovered by the server in the past month
All Greylist Security Rated Applications This collection contains all applications that are being monitored.
All Unclassified Applications This collection contains all applications that have not been classified by a security rating. This filter has been removed from version 11.5.0, but remains available to customers who have this filter implemented on an existing policy prior to version 11.5.0.
All Allow Listed Security Rated Applications This collection contains all applications that have been allowed by applying a security rating

Mach-O Header Filters

Filter Description
macOS DyLib Identifies dynamic library (dylib) files according to their embedded Mach-O header (not specifically according to file name)
macOS Executables Identifies files marked as executables according to their Mach-O header (not file mode changes via chmod)