Using White Lists

You can use Relevance expressions to search client computers for approved applications. First, create a file named ‘whitelist.txt’ with the names of the approved applications. The names should match the registered application name as returned by the regapp Inspector. Here’s a relevance statement that outputs the names of registered applications:

Q: unique values of names of regapps
A: AcroRd32.exe
A: Acrobat Elements.exe
A: Ahqrun.exe
A: CTDVDA.exe
A: CTDVDDET.exe
A: CTRegSvr.exe
A: EPSONCD.exe
A: EXCEL.EXE…

Now create a white-list file with one application name per line, like the following:

Q: lines of file "c:\whitelist.txt"
A: acrodist.exe
A: conf.exe
A: EXCEL.EXE
A: IEXPLORE.EXE
A: msconfig.exe
A: OUTLOOK.EXE
A: Photoshop.exe
A: WINWORD.EXE
A: WINZIP32.EXE
A: wmplayer.exe
A: wordpad.exe…

Now you can craft an expression that compares your white-listed applications with the installed applications stored in the registry. This expression outputs a list of the approved applications that exist on the client computer:

Q: (lines of file "c:/whitelist.txt", unique values of names of regapps) 
whose (item 0 of it is item 1 of it)
A: conf.exe, conf.exe
A: EXCEL.EXE, EXCEL.EXE
A: IEXPLORE.EXE, IEXPLORE.EXE
A: msconfig.exe, msconfig.exe
A: OUTLOOK.EXE, OUTLOOK.EXE
A: Photoshop.exe, Photoshop.exe
A: WINWORD.EXE, WINWORD.EXE
A: WINZIP32.EXE, WINZIP32.EXE
A: wmplayer.exe, wmplayer.exe
A: wordpad.exe, wordpad.exe

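You can test for applications that are not approved by checking that a given registered application doesn’t match any line of the white-list. This is done by pairing every white-list line with every registered application name and counting, for each application, the pairs that do not match (the multiplicity of non-matches). If the number of non-matches equals the number of lines in the white-list, then the application is nowhere on the list. Note that the expression below tests with "does not start with", so an application whose name begins with a white-list entry counts as a match: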

Q: unique values whose (multiplicity of it = number of lines of file 
"c:/whitelist.txt") of (item 1 of it) of it whose ((item 1 of it) 
does not start with (item 0 of it)) of ((lines of file "c:/whitelist.txt"), 
unique values of names of regapps)
A: AHQTbU.exe
A: AcroRd32.exe
A: Ahqrun.exe
A: AudioCvt.exe
A: AudioHQU.exe
A: BrainExplorer.exe
A: CISDS.ds
A: CTCMSGo.exe
A: CTDVDA.exe …

This produces a list of applications on the client computer that are not approved. This list can directly drive an action, or it can be sent to the IBM BigFix Administrator, who can decide how to handle it.
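The multiplicity test above, modelled in Python as an added example (not part of the original page and not IBM BigFix code), next to a stricter whole-name comparison. The application names are constructed, and Python's case-sensitive `startswith` stands in for the Relevance "starts with" operator as an assumption.

```python
from collections import Counter
from itertools import product


def unapproved(whitelist_lines, regapp_names):
    """Model of the multiplicity query: a name is unapproved when it fails
    the prefix test against every line of the white-list."""
    apps = sorted(set(regapp_names))          # unique values of names of regapps
    # (lines of file ..., unique values of names of regapps) is a cross product
    pairs = product(whitelist_lines, apps)
    # keep pairs whose (item 1 of it does not start with item 0 of it)
    misses = Counter(app for line, app in pairs if not app.startswith(line))
    # multiplicity of it = number of lines of file
    return [app for app in apps if misses[app] == len(whitelist_lines)]


def unapproved_exact(whitelist_lines, regapp_names):
    """Stricter variant for comparison (a design choice of this example):
    whole-name, case-insensitive match, blank white-list lines ignored."""
    allowed = {line.strip().lower() for line in whitelist_lines if line.strip()}
    return sorted(n for n in set(regapp_names) if n.lower() not in allowed)


# Constructed sample data, not taken from a real client.
WHITELIST = ["conf.exe", "EXCEL.EXE", "wordpad.exe"]
REGAPPS = ["EXCEL.EXE", "excel.exe", "conf.exe", "conf.exe.bak.exe",
           "AcroRd32.exe", "wordpad.exe"]

if __name__ == "__main__":
    # Prefix test: conf.exe.bak.exe passes as approved, excel.exe is flagged
    # only because its case differs from the white-list entry.
    print("multiplicity query:", unapproved(WHITELIST, REGAPPS))
    # Whole-name test: conf.exe.bak.exe is flagged, excel.exe is accepted.
    print("exact match       :", unapproved_exact(WHITELIST, REGAPPS))
    # In this model an empty white-list line is a prefix of every name,
    # so no application ever reaches the full non-match count.
    print("with blank line   :", unapproved(WHITELIST + [""], REGAPPS))
```

Whether a blank line in the white-list file behaves the same way on a real client depends on the Relevance operators, so check the file for empty lines before relying on the report.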

Note that you could also keep a black-list to identify known unapproved applications.