Security administrators are creating an application allowlisting policy for a set of Windows 11 engineering workstations that must run a vendor's CAD suite. The CAD executables are digitally signed by the vendor and updated quarterly. The workstations also contain several directories that engineers can write to. The team wants to minimize both maintenance overhead and the risk of attackers bypassing the allowlist by copying malware into writable folders.
Which AppLocker rule condition should the administrators use for the CAD executables to BEST meet these requirements?
A directory-based path rule that allows C:\Program Files\Vendor\
A publisher (digital-signature) rule
A filename rule that allows app.exe regardless of location
A complete file-path rule (e.g., C:\Program Files\Vendor\app.exe)
Publisher (digital-signature) rules verify the signer's certificate and can allow all versions of a signed application without referencing its exact path. Unlike path-based rules, which can be bypassed if an attacker drops a malicious file into an allowed location, publisher rules remain effective even if the file is copied elsewhere and do not need to be updated every time the vendor releases a signed update. Complete or directory-based path rules and filename rules offer less protection against path spoofing and typically require more frequent changes when applications move or are upgraded.
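The following PowerShell session is an added illustration of the point above; it is not part of the original question or of any vendor documentation. It builds a publisher rule from the signature on one signed CAD executable, then uses Test-AppLockerPolicy to show that a copy of the same signed binary in a user-writable folder is still allowed while an unsigned file in that folder is not. The paths, the user-writable folder and the file names are assumptions chosen for the example; run it in an elevated session on a Windows host with the AppLocker module available.

```powershell
# Assumed locations (placeholders for this example, not taken from the page):
$signedExe   = 'C:\Program Files\Vendor\app.exe'      # vendor-signed CAD binary
$writableDir = 'C:\Engineering\Scratch'               # folder engineers can write to
$policyXml   = "$env:TEMP\cad-publisher-policy.xml"

# 1. Read the Authenticode publisher information from the signed binary.
#    Get-AppLockerFileInformation returns the publisher name, product,
#    binary name and version that a publisher rule is built from.
$fileInfo = Get-AppLockerFileInformation -Path $signedExe
if (-not $fileInfo.Publisher) {
    throw "$signedExe is not signed; a publisher rule cannot be created for it."
}

# 2. Generate an allow rule keyed on the publisher certificate, not the path.
#    -Optimize collapses rules for the same publisher into one.
New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher `
    -RuleNamePrefix 'CAD' `
    -User Everyone `
    -Optimize `
    -Xml | Out-File -FilePath $policyXml -Encoding utf8

# 3. Evaluate the generated policy (without enforcing it yet) against:
#    a) the original binary,
#    b) a copy of the same signed binary dropped into the writable folder,
#    c) an unsigned file in the writable folder (constructed for the test).
New-Item -ItemType Directory -Path $writableDir -Force | Out-Null
$copiedExe   = Join-Path $writableDir 'app.exe'
$unsignedExe = Join-Path $writableDir 'notepad-lookalike.exe'
Copy-Item -Path $signedExe -Destination $copiedExe -Force
Set-Content -Path $unsignedExe -Value 'MZ placeholder, not a real PE' -Encoding ascii

$decisions = Test-AppLockerPolicy -XmlPolicy $policyXml `
    -Path $signedExe, $copiedExe, $unsignedExe `
    -User Everyone

# Expected pattern with a publisher rule:
#   app.exe (original)        -> Allowed
#   app.exe (copied)          -> Allowed   (signature travels with the file)
#   notepad-lookalike.exe     -> DeniedByDefaultRule (no matching publisher)
$decisions | Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize

# 4. Only after reviewing the decisions would an administrator merge the
#    XML into the effective policy, e.g. with Set-AppLockerPolicy -XmlPolicy
#    $policyXml -Merge, and enable the Application Identity service.
```

The same test against a directory-based path rule for C:\Program Files\Vendor\ would report the copied binary and the unsigned file identically (both outside the allowed path), which is why the question's writable-folder concern is addressed by the signature check rather than by where the file sits. Because the rule matches on the certificate, the quarterly signed updates continue to match without any change to the policy.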