
Creating a Custom Rule to Allow ConnectWise Screen Connect Updates

Many clients use ConnectWise/Continuum Screen Connect. When this application updates, a different .MSI file is created for each machine and is then applied to the machine via a script. Unfortunately, these files are unsigned, which makes it a challenge to create a secure custom rule that allows these updates.

Without a certificate or a 'Created By' process, we are left with permitting these files by path and process. However, the path and process alone are too generic to be secure, so we need to create a custom rule using a Regular Expression (RegEx) to tighten it. In addition, if possible, we recommend turning this policy off when you do not need it and only turning it on to allow the updates.

Navigate to Application Control > Policies.


Find the name of the policy you want to modify. Click on the name of the application definition that is located below the policy name in smaller print. 


The application definition window will open.


In the Path box, type regex:c:\\windows\\installer\\[a-z0-9]{}\.msi. Inside the curly brackets, place the number of characters that come before .msi in the file name (found by viewing a blocked file in the audit). Click the add button. If needed, you can continue to add rules one at a time until you are finished. Then click the 'Save' button in the top left corner. Be sure to click 'Deploy Policies' to push this to your endpoints. In the case of a global policy, you will need to use the 'Deploy Policies' button located across the top of the Organizations page.

In the example below, we made a separate rule for each of the numbers 4 through 9. In the Process Path box, type c:\windows\system32\msiexec.exe.


If you are electing to turn this policy off when you aren't using it, click the on/off switch beside the policy name.


In order to view policies that are disabled (turned off), be sure to select the checkbox on the right below the search bar.
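Before deploying, the path patterns from the RegEx step can be checked offline against file names seen in the audit. The following is an added example, not part of the original article or the vendor's tooling; the function names are hypothetical, the sample paths are constructed, and it assumes the rule must match the whole path case-insensitively, which should be confirmed for the product's RegEx engine.

```python
import re

# Assumption: the rule must match the whole path and is case-insensitive;
# confirm how the product's RegEx engine anchors and folds case.
INSTALLER_DIR = r"c:\\windows\\installer\\"


def build_rule(length):
    """Return the article's path pattern with the character count filled in."""
    return INSTALLER_DIR + r"[a-z0-9]{%d}\.msi" % length


def matching_lengths(path, lengths=range(4, 10)):
    """Return the rule lengths (4 through 9) that match the full path."""
    return [n for n in lengths
            if re.fullmatch(build_rule(n), path, re.IGNORECASE)]


# Constructed sample paths, not taken from a real audit.
SAMPLES = [
    r"C:\Windows\Installer\1a2b3c.msi",        # 6 characters: allowed
    r"C:\Windows\Installer\ab12.msi",          # 4 characters: allowed
    r"C:\Windows\Installer\abc.msi",           # 3 characters: too short
    r"C:\Windows\Installer\setup-tool.msi",    # hyphen is outside [a-z0-9]
    r"C:\Windows\Installer\sub\1a2b3c.msi",    # subfolder below Installer
    r"C:\Users\Public\1a2b3c.msi",             # different folder
    r"C:\Windows\Installer\1a2b3c.msi.exe",    # extra trailing extension
]


def audit(paths=SAMPLES):
    """Map each path to the list of rule lengths that would permit it."""
    return {p: matching_lengths(p) for p in paths}


if __name__ == "__main__":
    for path, hits in audit().items():
        verdict = "ALLOW (rule {%s})" % hits[0] if hits else "no match"
        print(f"{verdict:18} {path}")
```

If the engine treats the pattern as a substring search rather than a whole-path match, the last sample would also match, so that behaviour is worth testing with a blocked-file audit before relying on the rule.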
