Command line validation in application behavior rules
Starting with DriveLock version 25.2, you can configure Application Behavior Control (ABC) rules to validate complete command lines – not only for single targets, but also in rules with multiple targets. This significantly expands the available configuration options.
Comparison modes for command line parameters
When working with parameters in ABC rules, two comparison types are now available:
- contains
  The rule checks whether specific parameters are included in the command line.
  Recommended, for example, for blocking rules where certain parameters should be disallowed.
- matches
  The rule checks whether the command line matches a defined pattern – including the use of wildcards.
  Primarily recommended for allow rules to ensure only approved command line variants are permitted.
Wildcard usage
Wildcards work similarly to path-based rules in ABC – however, they apply to command-line arguments, not directories. Parameters are treated as separate segments.
| Wildcard | Meaning |
|---|---|
| * | any single parameter |
| ** | any number of parameters |
| "" or empty | no parameters (only program call itself) |
Example:
A rule with cmd.exe * only allows cmd.exe to be started with exactly one parameter.
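The segment-wise wildcard semantics from the table can be modelled in a few lines to check which command lines a "matches" pattern would admit before deploying it. This is an added example, not DriveLock code. It assumes parameters arrive already split into segments, that literal segments compare case-insensitively, and that `**` also covers zero parameters; the function name `matches` and the sample command lines are constructed for illustration.

```python
from functools import lru_cache


def matches(pattern, args):
    """Model of the 'matches' comparison on parameter segments.

    pattern: list of segments. "*" stands for exactly one parameter,
             "**" for any number of parameters (assumed to include zero),
             any other value is a literal parameter.
             An empty list means "no parameters, program call only".
    args:    the parameters after the program name, already split
             (how DriveLock tokenizes the command line is not modelled).
    """
    pattern = tuple(pattern)
    args = tuple(args)

    @lru_cache(maxsize=None)
    def walk(p, a):
        if p == len(pattern):
            # Pattern exhausted: match only if no parameters are left over.
            return a == len(args)
        seg = pattern[p]
        if seg == "**":
            # Let "**" absorb 0..n of the remaining parameters.
            return any(walk(p + 1, k) for k in range(a, len(args) + 1))
        if a == len(args):
            # Pattern still expects a parameter but none remain.
            return False
        # Case-insensitive literal comparison is an assumption of this model.
        if seg == "*" or seg.lower() == args[a].lower():
            return walk(p + 1, a + 1)
        return False

    return walk(0, 0)


if __name__ == "__main__":
    # Constructed sample parameter lists for cmd.exe.
    samples = [[], ["/c"], ["/c", "dir"], ["/c", "dir", "C:\\"]]
    for pat in ([], ["*"], ["/c", "*"], ["/c", "**"]):
        for args in samples:
            verdict = "match" if matches(pat, args) else "no match"
            print(f"pattern={pat!r:14} args={args!r:24} -> {verdict}")
```

The output shows why an allow rule written with `*` is much narrower than one written with `**`: the former admits exactly one parameter, the latter any tail of parameters.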
Prerequisite for the command line check to become active: The "Execute" access mode must be set in the ABC rule. A suitable rule for the target program and any parameters must exist.
This feature is available in both the DriveLock Operations Center (DOC) and the MMC as of version 25.2.