Configurable Application Blacklist

Configurable Blacklist User Documentation


The Configurable Blacklist is a YAML or JSON file detailing the programs and scenarios for which the filesystem will reject access. For example, one might want to disallow a custom thumbnailing service from making copies of images before the filesystem purges the key from memory (or from spamming a user's authenticating device with extra requests). A custom blacklist may be loaded via the configuration menu.

The blacklist is a list of rules. Each rule has a description and a list of filters. The filters determine when the rule will match. If the rule matches, the file system operation will be rejected. Rules are evaluated each time an application asks the filesystem to read bytes from a file.

Rule Format


Example Rule yaml:

explorer_thumbnailer:
   description: Don't let explorer thumbnail (e.g. copy files to unencrypted locations)
   filters:
     process_path: explorer.exe$
     read_sizes: [8, 32768]
     key_cached: false
     os: win

In the above rule the name is "explorer_thumbnailer", and on Windows we block the application whose process path ends in explorer.exe from reading exactly 8 or 32768 bytes while the filesystem does not have the encryption key cached.


Filters

Process Name: "process_name" is a regular expression to match against the name of the process. If the regex matches, the filter will match. 

    ex: process_name: ^System.exe$


Process Path: "process_path" is a regular expression to match against the path to the process on disk. If the regex matches, the filter will match.

    ex: process_path: sihost.exe$

Operating System: "os" is an enum of "win", "mac", and "linux". If the operating system is of the same family (Windows 10 and every other version of Windows would match "win", etc.) then the filter matches.


Read Sizes: "read_sizes" is an array of unsigned integers. Each integer represents a size in bytes that an application will attempt to read from the file. If any integer matches the actual size an application is attempting to read, the filter will match.

    ex: read_sizes: [4096, 16348]


Access Flags: "access_flags" is an integer representing a bitmask of access flags that a file has been opened with. If the file was opened with the same flags then the filter will match. The following example represents FILE_GENERIC_WRITE | FILE_GENERIC_READ on Windows:

    ex: access_flags: 1180054


Key Cached: "key_cached" is a boolean. "false" will match when the key is not currently cached by the file system. If an application attempts to read a file which does not have its key cached it will trigger a request on the authenticating device. If the key is cached there will be no request on the authenticating device. "true" will match when the key is cached by the file system.

    ex: key_cached: false


File Extension: "file_extension" is a regular expression to match against the extension of the file that an application is attempting to read. A file extension is defined as the characters following the last "." in the name of the file. If a file has no "." the regular expression will be checked against an empty string. If the regex matches, the filter will match.

    ex: file_extension:  ^jpg$

Mac Version: "mac_version" is an array of version strings. Each version string has an operator and a major and minor version. The format is "OperatorMajor.Minor", for example ">=12.2". The possible operators are ">=", ">", "<", "<=", "==", "!=". All version strings must match for the filter to match.

    ex: mac_version: [">=10.15", "<=10.16"]

Windows Version: "win_version" is an array of version strings. Each version string has an operator, major version, minor version, and build version. The format is "OperatorMajor.Minor.Build", for example ">=10.1.2221". The possible operators are ">=", ">", "<", "<=", "==", "!=". All version strings must match for the filter to match.

    ex: win_version: [">10.1.1234", "!=10.1.5555"]
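Putting the filters above together, here is an added example (not the product's own code) of how one rule can be evaluated against a single read operation. It assumes that every filter in a rule must match for the rule to match, that version strings compare component by component, and that the read-operation fields (process_name, process_path, os, os_version, read_size, access_flags, key_cached, file_name) are named as shown here.

```python
import re
from operator import eq, ge, gt, le, lt, ne

# Constructed rule set in the shape the blacklist takes once its YAML/JSON is parsed.
RULES = {
    "explorer_thumbnailer": {
        "description": "Don't let explorer thumbnail",
        "filters": {
            "process_path": "explorer.exe$",
            "read_sizes": [8, 32768],
            "key_cached": False,
            "os": "win",
            "win_version": [">=10.0.0", "!=10.0.5555"],
        },
    },
}

# Two-character operators are listed first so ">=" is not mistaken for ">".
OPERATORS = {">=": ge, "<=": le, "!=": ne, "==": eq, ">": gt, "<": lt}

def version_matches(spec: str, actual: str) -> bool:
    """Evaluate one 'OperatorMajor.Minor[.Build]' string against a dotted version."""
    for symbol, compare in OPERATORS.items():
        if spec.startswith(symbol):
            wanted = tuple(int(p) for p in spec[len(symbol):].split("."))
            have = tuple(int(p) for p in actual.split("."))
            return compare(have, wanted)  # tuples compare component by component
    raise ValueError(f"unknown operator in version string: {spec}")

def file_extension(name: str) -> str:
    """Characters after the last '.'; empty string when the name has no '.'."""
    return name.rsplit(".", 1)[1] if "." in name else ""

# One predicate per filter key; ctx is the read operation (field names assumed, not the product's).
CHECKS = {
    "process_name": lambda v, ctx: re.search(v, ctx["process_name"]) is not None,
    "process_path": lambda v, ctx: re.search(v, ctx["process_path"]) is not None,
    "os": lambda v, ctx: ctx["os"] == v,
    "read_sizes": lambda v, ctx: ctx["read_size"] in v,
    "access_flags": lambda v, ctx: ctx["access_flags"] == v,
    "key_cached": lambda v, ctx: ctx["key_cached"] == v,
    "file_extension": lambda v, ctx: re.search(v, file_extension(ctx["file_name"])) is not None,
    "mac_version": lambda v, ctx: all(version_matches(s, ctx["os_version"]) for s in v),
    "win_version": lambda v, ctx: all(version_matches(s, ctx["os_version"]) for s in v),
}

def matching_rules(rules: dict, ctx: dict) -> list:
    """Names of rules whose filters all match; the read is rejected if any rule matches."""
    return [name for name, rule in rules.items()
            if all(CHECKS[key](value, ctx) for key, value in rule["filters"].items())]
```

A read of 8 bytes by explorer.exe with the key not cached matches the rule; the same read with the key cached, a different size, or an excluded Windows build does not.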
