Common Panel Filters
A brief guide to using App Filtering in your Monitor Mode or Blocked Apps lists.
App List Filtering Options
Imagine you are having a busy day and are about to trust a program you need, when a lot of new apps suddenly arrive in your app list and you lose track of the app you were about to examine and trust. The menu includes filtering options that help you find any specific program very quickly.
Click "More" to expand the filter options menu.
App List Filtering Sections
This is the app filter menu, which is divided into five sections: Events, VirusTotal, CERTs, Include and Show.
Additional Filters
Click "Filters" to expand the Filters menu, which adds more filters to the ones you already have above.
You can now search by Filename, Pathname, User, Host Name, CERT Name, CERT Thumbprint, Event ID and Sig ID.
Filtering by CERT Name
I want to look for the program I need, and I know that this program is signed by "Microsoft Corporation", so I click on "CERT Name" and fill in the details.
Click the "CERT" button after you have written the name of the CERT you are looking for.
After you click the "CERT" button, you will see all the programs signed by the CERT you searched for. Then, if you decide that you want to look for another CERT, simply clear the textbox manually or click the "x" to clear the CERT textbox.
Click the "Search for Filename" field to search by Filename instead of CERT Name.
Filtering by Filename
I want to look for a file or files whose name contains "Whatsapp". After you fill in the details, click the "File" button.
The filter now displays all files that contain the word "Whatsapp" in their filename.
Filtering by Archived apps
In the previous step, we searched for all the files that contain the word "Whatsapp" in their filename. Now, let's add more complexity by searching for all the files that contain the word "Whatsapp" in their filename AND are "Archived". Click the radio button called "Archived". (If you use "Dropdown lists", select the option that says to show archived items.)
We have now filtered the list to show all the files that contain the word "Whatsapp" and that were archived in the past.
Filtering by All apps (Live and Archived)
We can also show "All" of the events: the "Live" events that are happening right now and the "Archived" events, which were live events that were archived at some point.
Note: When you add an app to your Trust-List, it is archived automatically. You may sometimes forget that you have trusted a certain app and add it a second time. While not ideal, there is no harm done. Sometimes these apps may have a different handprint or CERT.
As you can see, we have now filtered the list to show the live events and the archived events (blue folder icon) together in one place.
Filtering by Signed apps
Now I want to see how many apps in my blocked apps list are signed with a code-signing certificate, specifically signed apps that have the name Whatsapp in their filename. Click the radio button "Signed" in the CERTs section.
By clicking one of the events, we can see that all the apps now displayed on the screen are properly signed with a code-signing certificate.
Filtering by Unsigned apps
Most of my blocked events are signed with a code-signing certificate, but I need to look at the bigger picture. Let's look at how many "Unsigned" events were blocked. ("Unsigned" events are those events of apps or programs that are not signed by a code-signing certificate.) Click on "Unsigned" to see your unsigned events.
We have only one result, and it is an uninstall script. Click on the event to see more information.
The moment you click on the event, you are presented with the app's information and available actions, but we don't see any code-signing certificate information, because this is an unsigned event.
Filtering by VirusTotal Trusted
Sometimes corporations want to make sure that their files are recognized as coming from them, so they submit their files to VirusTotal. If a file was submitted to VirusTotal by Microsoft, it usually has a green checkmark in our app list. Click "Trusted" in the "VirusTotal" section to see if you have any of those known apps.
Closing Additional Filtering Menu
Click "Off" to close the App Filtering additional options.
Filtering by Unchecked apps
By clicking "Unchecked" in the "VirusTotal" section, you filter for all the app or program events that have not been checked by VirusTotal. (See the question mark in each app event.)
You can click the "VirusTotal" button in the app menu to start a scan of all the unchecked apps in your list.
Or you can check apps individually: hover your mouse over the question mark in the app event and click the VirusTotal button.
Filtering by Issues Found
Let's say you have scanned your app list and wish to filter by "Issues Found". With this filter, you will see only the apps in your list that were flagged by security vendors on VirusTotal.
Filtering by Monitor Children
By clicking "Monitor Children" you will be able to filter for any Monitored Children, if you have had any.
Hide App Filtering Options Menu
Click "Hide" to hide the App Filtering Options Menu.
Expand App Filtering Options Menu
Click "More" if you want to expand the App Filtering Options Menu.