List of Default Filters
This topic catalogs all out-of-the-box filters that are built into Verify Privilege Manager and can be used to simplify policy configuration.
Win32 Executable Filters
Filter | Description |
---|---|
Add Hardware Utility (hdwwwiz.exe) | Filter used to identify the Device Pairing Wizard that appears when you click Add Device in Windows Vista and Windows 7 |
AOL Instant Messenger | Filter used to detect AOL Messenger |
AppCmd for App Pool Recycling (appcmd.exe) | Filter used to identify the AppCmd executable |
Backup and Restore Utility (sdcit.exe) | Filter used to identify the Windows Backup and Restore utility |
Chrome | Filter used to detect Google Chrome web browsers |
COM Elevation Host Utility (COMElevateHost.exe) | Filter to detect the COMElevateHost. This is used to detect when COM components are being elevated, such as the Network Adapter Properties |
Command Processor (cmd.exe) | Filter used to identify the Windows command shell processor |
Control Panel Utility (control.exe) | Filter used to identify the process used to launch Control Panel applets |
Defragment GUI Utility (dfrgui.exe) | Filter used to identify the disk defragment utility within Windows |
Device Pairing Wizard | Filter used to identify the Device Pairing Wizard that appears when you click Add Device in Windows Vista and Windows 7 |
Eudora | Filter used to detect Eudora email client |
Firefox | Filter used to detect Firefox web browsers |
Google Talk | Filter used to detect Google Talk |
IIS Manager Executable Filter (inetmgr.exe) | Filter used to identify the IIS Manager executable |
IIS Reset Executable Filter (iisreset.exe) | Filter used to identify the IIS Reset executable |
Internet Explorer | Filter used to detect Internet Explorer web browsers |
ISCSI Executable Filter (iscsicpl.exe) | Filter used to identify the ISCSI executable |
iTunes | Filter used to detect iTunes |
Library Loader Utility (rundlll32.exe) | Filter used to identify the dynamic library loader utility used by Windows to launch various system configuration applets |
Microsoft Installer File Filter | Filter used to detect the Microsoft Installer. This filter can be used in policies with secondary file filters targeting specific MSI files |
Microsoft Management Console (mmc.exe) | Filter used to identify the Microsoft Management Console Utility |
Microsoft Windows Media Player | Filter used to detect Windows Media Player |
MS Access | Filter used to detect Microsoft Access |
MS Excel | Filter used to detect Microsoft Excel |
MS FrontPage | Filter used to detect Microsoft FrontPage |
MS InfoPath | Filter used to detect Microsoft InfoPath |
MS Lync | Filter used to detect Microsoft Lync |
MS OIS | Filter used to identify the Office Picture Manager Image Viewer |
MS Outlook | Filter used to detect Microsoft Outlook |
MS Powerpoint | Filter used to detect Microsoft PowerPoint |
MS PPTVIEW | Filter used to detect Microsoft PowerPoint Viewer |
MS Publisher | Filter used to detect Microsoft Publisher |
MS Visio | Filter used to detect Microsoft Visio |
MS VPreview | Filter used to detect Microsoft VPreview |
MS Word | Filter used to detect Microsoft Word |
MSN Messenger | Filter used to detect MSN Messenger |
NLB executable Filter (nlbmgr.exe) | Filter used to identify the NLB Manager executable |
OODBC Executable Filter (odbcad32.exe) | Filter used to identify the OODBC executable |
Opera | Filter used to detect the Opera Browser |
Outlook Express | Filter used to detect Microsoft Outlook Express |
Performance Monitor Utility (perfmon.exe) | Filter used to identify the Performance Monitor launcher stub utility within Windows |
Powershell (powershell.exe) | Filter used to identify the Windows Powershell command processor |
Printer Control Utility (printui.exe) | Filter used to identify the printer management applet launcher within Windows |
QuickTime | Filter used to detect QuickTime |
RealPlayer | Filter used to detect RealPlayer |
Resource Monitor (resmon.exe) | Filter used to identify the Windows Resource Monitor application |
Safari | Filter used to detect Apple Safari on Windows |
Scripting Host (cscript.exe) | Filter used to identify the Windows Scripting Host command-line utility |
Scripting Host (wscript.exe) | Filter used to identify the Windows Scripting Host commandline utility |
Setup Display Languages Utility (lpksetup.exe) | Filter used to identify the Install/Uninstall of Display Languages setup utility for Windows |
ShareX | This filter targets the ShareX application |
Skype | Filter used to detect Skype |
Trillian | Filter used to detect the Trillian application |
User's Temp Directory Win32 Executable Filter | Filter used to target any executable (exe) in a user's temp directory |
Win32 Executables Discovered in the Last Week | This filter is limited to applications discovered on the endpoint within the last week |
Winamp | Filter used to detect Winamp application |
Windows Firewall (netsh.exe) | Filter used to identify the Windows Firewall netsh.exe |
Windows Messenger | Filter used to detect Windows Messenger |
Yahoo! Messenger | Filter used to detect Yahoo Messenger |
Commandline Filters
Filter | Description |
---|---|
Add Printer Commandline Arguments | Filter used to identify the Add Printer UI applet |
Azman.msc Commandline Filter for MMC Snap-in | Filter used to detect Windows Authorization Manager |
Backup and Restore Commandline Arguments | Filter used to identify the Backup and Restore component, used as a commandline argument to a process |
Certmgr.msc Commandline Filter for MMC Snap-in | Filter used to detect Windows Certificate Manager |
Ciadv.msc Commandline Filter for MMC Snap-in | Filter used to detect Indexing Service Management |
Compmgmt.msc Commandline Filter for MMC Snap-in | Filter used to detect Windows Computer Management |
Defragment Component (dfrg.msc) | Filter used to detect the MMC Snap-in used to defragment disks in Windows XP |
Devmgmt.msc Commandline Filter for MMC Snap-in | Filter used to detect Device Manager |
Dhcpmgmt.msc Commandline Filter for MMC Snap-in | Filter used to detect DHCP Management |
Diskmgmt.msc Commandline Filter for MMC Snap-in | Filter used to detect Disk Management |
Dnsmgmt.msc Commandline Filter for MMC Snap-in | Filter used to detect DNS Management |
Eventvwr.msc Commandline Filter for MMC Snap-in | Filter used to detect Event Viewer |
Fsmgmt.msc Commandline Filter for MMC Snap-in | Filter used to detect Shared Folders Management |
Fsrm.msc Commandline Filter for MMC Snap-in | Filter used to detect File Resource Manager |
Gpedit.msc Commandline Filter for MMC Snap-in | Filter used to detect Group Policy Editor |
Hardware Wizard Applet | Filter used to identify a commandline argument referring to the Control Panel applet used to add new hardware |
Lusrmgr.msc Commandline Filter for MMC Snap-in | Filter used to detect Local User and Group Management |
Napclfcfg.msc Commandline Filter for MMC Snap-in | Filter used to detect NAP Client Configuration |
Network Adapter Elevate Attempt | Filter used to detect when a user right-clicks on a network adapter and selects Properties |
Ntmsmgr.msc Commandline Filter for MMC Snap-in | Filter used to detect Removable Storage Manager |
Performance Monitor Component (perfmon.msc) | Filter used to detect Performance Monitor |
Printmanagement.msc Commandline Filter for MMC Snap-in | Filter used to detect Print Management |
Recycle App Pool Commandline | Filter used to identify the recycle command for application pools |
Rsop.msc Commandline Filter for MMC Snap-in | Filter used to detect Resultant Set of Policy |
Secpol.msc Commandline Filter for MMC Snap-in | Filter used to detect Local Security Settings Manager |
Services.msc Commandline Filter for MMC Snap-in | Filter used to detect Services Manager |
Sqlservermanager12.msc Commandline Filter for MMC Snap-in | Filter used to detect SQL Server Manager |
System Control Panel Applet | Filter used to identify a commandline argument referring to the Control Panel applet used to change the system time and date settings |
Tpm.msc Commandline Filter for MMC Snap-in | Filter used to detect Trusted Platform Module Management |
Wbadmin.msc Commandline Filter for MMC Snap-in | Filter used to detect Windows Server Backup |
Wf.msc Commandline Filter for MMC Snap-in | Filter used to detect Windows Firewall Management |
Wmimgmt.msc Commandline Filter for MMC Snap-in | Filter used to detect WMI Management |
Environment Filters
Filter | Description |
---|---|
Manual Application Compatibility Setting | Detects whether an application is being run with manual override options |
User Access Control Consent Dialog Detected | This filter will match when an application that requires User Access Control consent is launched |
User Requested Run As Administrator | Detects whether a user has right-clicked on an application and used IBM Security's custom 'Request Run as Administrator' option |
Network Location Filters
Filter | Description |
---|---|
Disconnected from Network | Filter used to detect when the computer is not attached to a network |
Domain Network Location Filter | Filter used to detect when the computer is attached to a network classified as domain |
Private Network Location Filter | Filter used to detect when the computer is attached to a network classified as private |
Public Network Location Filter | Filter used to detect when the computer is attached to a network classified as public |
Parent Process Filters
Filter | Description |
---|---|
Thycotic Copy/Installer Helper Parent Process Filter | Filter used to detect when a user attempts to copy a file using the Verify Privilege Manager copy helper |
Secondary File Filters
Filter | Description |
---|---|
Target MSI and Scripts executed from the User's Temp Directory | Filter used to target MSI and Scripts executed from the User's Temp Directory |
Security Rating Filters
Filter | Description |
---|---|
VirusTotal | This filter will target VirusTotal for Reputation Checking |
VirusTotal-Bad Rating | This filter will target VirusTotal for Reputation Checking |
VirusTotal-Clean Rating | This filter will target VirusTotal for Reputation Checking |
VirusTotal-Suspect Rating | This filter will target VirusTotal for Reputation Checking |
VirusTotal filters are based on configuring the VirusTotal integration in Verify Privilege Manager. For steps to do this, see our VirusTotal Integration Guide.
Time of Day Filters
Filter | Description |
---|---|
Business Hours (8:30AM to 5:30PM) | This filter is limited to 8AM to 6PM weekdays |
Business Hours (8AM to 6PM) | This filter is limited to 8AM to 6PM weekdays |
Business Hours (9AM to 5PM) | This filter is limited to 9AM to 5PM weekdays |
Weekends | This filter is limited to weekends |
User Context Filters
Filter | Description |
---|---|
Administrators | Detects when an application is running with elevated (administrator) permissions |
Administrators (Include Disabled) | Detects when an application has an administrator user token |
File Filters
Application Compatibility File Filters
Filter | Description |
---|---|
Administrative Rights Required Application Compatibility Filter | This filter tests whether Windows has detected that this executable requires administrative rights |
Generic Installer Detection Filter | This filter indicates that Windows has detected that an executable is an Application Setup |
Highest Available Application Compatibility Filter | This filter tests whether Windows has detected that this executable required highest available rights |
Specific Installer Detection Filter | This filter indicates that Windows has detected that an executable is an Application Setup |
Specific Non Installer Detection Filter | This filter indicates that an executable has been flagged as not being an Application Setup |
Manifest Filters
Filter | Description |
---|---|
Require Administrator Rights Manifest Filter | This filter tests whether an executable is marked as requiring Administrative rights |
Require Highest Available Rights Manifest Filter | This filter tests whether an executable is marked as requiring highest available rights |
Manifest Present Filter | This filter tests whether an executable has a security manifest |
File Owner Filters
Filter | Description |
---|---|
System (Wheel) File Owner | Files that are owned by the Wheel Group (Unix) |
System File Owner Filter | Filter used to detect files owned by the System account |
Trusted Installer File Owner Filter | Filter used to detect files owned by the Trusted File Owner account |
File Specification Filters
Filter | Description |
---|---|
Any Package (macOS) | Target .pkg and .mpkg files |
App Store Preference Pane (macOS) | Filter used to detect App Store Preference Pane in macOS |
Common Executable Folders | Filter used to detect files in common executable directories, such as C:\Windows, C:\Program Files, and C:\Program Files (x86) |
Date and Time Preference Pane (macOS) | Date and Time Preference Pane (macOS) |
Default App Bundles File Specification Filter | The default filter for discovering app bundles on macOS |
Default File Specification (All executable types) | Specifies all executable file types in Windows and Program files |
Default File Specification (macOS) | The default filter for discovering executable files on macOS |
Default File Specification (Windows) | This specifies executables in Windows and Program files |
Documents and Settings | Filter used to detect files in the Downloaded Program Files directory |
Drivers | Filter used to detect files in the C:\Windows\System32\drivers directory |
Energy Saver Preference Pane (macOS) | Filter used to detect the Energy Saver Preference Pane in macOS |
Executables in Windows Directories | This specifies executables in Windows directories |
Executables in Windows Directories (All executable types) | Specifies all executable file types in Windows directories that are not present in a signed security catalog |
macOS/Users/File Specification | The default filter for files in the /Users/directory on macOS |
Network Drive Filter | Specifies files present on network file systems |
Optical Drive Filter (CD/DVD) | Specifies files present on optical drives (CD/DVD) |
Parental Controls Preference Pane (macOS) | Filter used to detect the Parental Controls Preference Pane in macOS |
Printers and Scanners Preference Pane (macOS) | Filter used to detect the Printers and Scanners Preference Pane in macOS |
Program Data | Filter used to detect files in the C:\ProgramData\ directory |
Program Files | Filter used to detect files in the C:\Program Files\ directory |
Program Files (x64 on Win32) | Filter used to detect files in the C:\Program Files\ directory |
Program Files (x86) | Filter used to detect files in the C:\Program Files (x86)\ directory |
Removable Drive Filter | Filters files present on removable drives such as Floppy Drives and USB devices |
Security and Privacy Preference Pane (macOS) | Filter used to detect Security and Privacy Preference Pane in macOS |
Sharing Preference Pane (macOS) | Filter used to detect the Sharing Preference Pane in macOS |
System Catalog Folder | Filter used to detect files in the CatRoot directory |
System Preferences (macOS) | Filter used to detect the System Preferences Preference Pane in macOS |
Temporary ASP.NET 1.0 Files | Filter used to detect files in the .NET 1 Temp directory |
Temporary ASP.NET 1.1 Files | Filter used to detect files in the .NET 1.1 Temp directory |
Temporary ASP.NET 2.0 Files | Filter used to detect files in the .NET 2 Temp directory |
Temporary Files | Filter used to detect files in the C:\Windows\Temp directory |
Thycotic Copy/Installer Helper Application | Filter used to detect usage of the Verify Privilege Manager copy helper |
Time Machine Preference Pane (macOS) | Filter used to detect the Time Machine Preference Pane in macOS |
Uncommon Executables Folders | Filter used to detect files in the Uncommon directories |
Users and Groups Preference Pane (macOS) | Filter used to detect the Users and Groups Preference Pane in macOS |
User's Directory Collection File Specification Filter | Used to target any file in the user's temp directory |
User's Downloads Directory File Specification Filter | Used to target any file in the user's temp directory |
User's Temp Directory File Specification Filter | Used to target any file in the user's temp directory |
Windows Directory | Filter used to detect files in the C:\Windows directory |
Windows Directory (Include Subdirectories) | Filter used to detect files in the C:\Windows\ directory |
Windows Dll Cache | Filter used to detect files in the C:\Windows\System32\dllcache directory |
Windows Side By Side | Filter used to detect files in the C:\Windows\WinSxS\ directory |
Windows Software Distribution | Filter used to detect files in the Windows Software Distribution directory |
Windows\System32 | Filter used to detect files in the C:\Windows\System32 directory |
Windows\System32 (Include Subdirectories) | Filter used to detect files in the C:\Windows\System32\ directory |
Windows\SysWOW64 | Filter used to detect files in the SysWOW64 directory |
Windows\SysWOW64 (Include Subdirectories) | Filter used to detect files in the SysWOW64\ directory |
Security Catalog Filters
Filter | Description |
---|---|
Present in Signed Security Catalog | Filter used to detect Operating System Files and other trusted files dynamically on each system by using that machine's Signed Security Catalog. This filter does not need to be modified on the server |
Miscellaneous Filters
App Bundle Filters
Filter | Description |
---|---|
All Application Bundles Filter (macOS) | Filter used to detect All Applications Bundles |
Coff Header Filters
Filter | Description |
---|---|
32-bit Executables | Filter used to detect files with the 32-bit executable machine type header set |
All Executable Types | This filter includes all executable types |
Commandline Executables | Filter used to detect files with the Windows console subsystem header set |
GUI Executables | Filter used to detect files with the GUI header set |
Native Executables | Filter used to detect files with the executable header set |
Windows CE Executables | Filter used to detect files with the Windows CE Subtype header set |
Program File Executables | Filter used to detect files with the executable or DLL header set |
Posix Executables | Filter used to detect files with the POSIX header set |
X64 Executables | Filter used to detect files with x64 machine type header set |
File Parameter Collections
Filter | Description |
---|---|
All Deny List Security Rated Applications | This collection contains all applications that have been denylisted by applying a security rating |
All Executables Discovered in Last 2 Weeks | Filter used to detect files that have been discovered by the server in the past 2 weeks |
All Executables Discovered in Last Day | Filter used to detect files that have been discovered by the server in the past day |
All Executables Discovered in Last Week | Filter used to detect files that have been discovered by the server in the past week |
All Executables Discovered in Last Month | Filter used to detect files that have been discovered by the server in the past month |
All Greylist Security Rated Applications | This collection contains all applications that are being monitored. |
All Unclassified Applications | This collection contains all applications that have not been classified by a security rating. This filter has been removed from version 11.5.0, but remains available to customers who have this filter implemented on an existing policy prior to version 11.5.0. |
All Allow Listed Security Rated Applications | This collection contains all applications that have been allowed by applying a security rating |
Mach-O Header Filters
Filter | Description |
---|---|
macOS DyLib | Identifies dynamic library (dylib) files according to their embedded Mach-O header (not specifically according to file name) |
macOS Executables | Identifies files marked as executables according to their Mach-O header (not file mode changes via chmod) |