Vile Analyziz
Documentation

Approval Rules: Automated File Governance

Define how files are automatically classified based on their properties. Approval rules let you set organizational policy once and have it enforced consistently across every analysis.

What Are Approval Rules?

Approval rules are conditions that the platform evaluates automatically every time a file is analyzed. When a file matches a rule, it receives an approval status: Approved, Not Approved, or Pending Review. This status appears alongside the trust score verdict in the file list, on the report page, and in webhook payloads.

Without approval rules, files only receive a trust score verdict (Clean, Caution, High Risk). With approval rules enabled, your organization adds a second layer of governance that reflects your specific security policies rather than just the platform’s scoring model.

Rules are evaluated during the analysis pipeline, so the approval status is available immediately when the report is generated. If you have endpoint agents deployed, they receive blocklist updates based on your approval rules and can quarantine files that are Not Approved.

Rule Types

Each rule targets a specific file property. You can combine multiple rules to create layered policies.

Vendor Name

Match files where the resolved vendor name contains a specified string. Useful for approving files from known publishers like “Microsoft” or “Adobe”, or blocking files from specific vendors you do not trust.

Signing Status

Match files based on whether they have a valid code signature, an expired signature, a self-signed certificate, or no signature at all. Common use: flag all unsigned executables for review.

Trust Score Threshold

Match files whose trust score falls above or below a specified threshold. For example, block files scoring below 30 or flag files scoring between 30 and 60 for manual review.

File Category

Match files classified into a specific software category. The platform classifies files into 65+ categories, so you can target specific types like cryptocurrency miners, remote access tools, or disk wipers.

Hash Match

Match files by their exact SHA-256 hash. Use this for pinpoint approvals or blocks: approving a specific known-good build artifact, or blocking a specific malicious sample identified during an investigation.

Priority Ordering

Rules are evaluated in priority order from top to bottom. The first rule that matches a file determines its approval status: subsequent rules are not evaluated. This means you should place your most specific rules at the top and broader catch-all rules at the bottom.

Example priority chain

1. Hash match: Approve specific known-good build artifact
2. Hash match: Block specific known-malicious sample
3. Vendor name: Approve files from “Microsoft Corporation”
4. Category: Block cryptocurrency miners
5. Score threshold: Block files scoring below 30
6. Signing status: Flag unsigned executables for review

In this example, a Microsoft-signed file would match rule 3 and be approved, even if it also happens to be unsigned (rule 6 is never reached). A cryptocurrency miner from an unknown vendor would match rule 4 and be blocked.
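The first-match evaluation described above, modelled as an added example (this is not the product's own code); the field names, rule labels and the two placeholder hashes are assumptions, and the rules are deliberately listed out of order to show that the priority number, not list position, decides what is checked first:

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed model of the first-match approval engine described on this page.
# Field names, rule labels and sample hashes are assumptions, not the product's API.

@dataclass
class FileInfo:
    sha256: str
    vendor: str      # resolved vendor name, "" when unknown
    signing: str     # "valid", "expired", "self_signed" or "unsigned"
    score: int       # trust score, 0-100
    category: str    # platform software category

@dataclass
class Rule:
    priority: int                        # lower number is evaluated first
    action: str                          # "Approve", "Block" or "Review"
    matches: Callable[[FileInfo], bool]  # the rule's condition
    label: str

ACTION_TO_STATUS = {"Approve": "Approved", "Block": "Not Approved", "Review": "Pending Review"}

# Placeholder hashes for the two hash-match rules (constructed, not real indicators).
KNOWN_GOOD = "a" * 64
KNOWN_BAD = "b" * 64

# The six-rule chain from the page, listed out of order on purpose: sorting by
# priority inside evaluate() is what restores the documented top-to-bottom order.
RULES = [
    Rule(6, "Review", lambda f: f.signing == "unsigned", "signing: unsigned executable"),
    Rule(5, "Block", lambda f: f.score < 30, "score: below 30"),
    Rule(4, "Block", lambda f: f.category == "cryptocurrency miner", "category: miner"),
    Rule(3, "Approve", lambda f: "Microsoft Corporation" in f.vendor, "vendor: Microsoft"),
    Rule(2, "Block", lambda f: f.sha256 == KNOWN_BAD, "hash: known-malicious sample"),
    Rule(1, "Approve", lambda f: f.sha256 == KNOWN_GOOD, "hash: known-good build"),
]

def evaluate(rules: List[Rule], f: FileInfo) -> Tuple[Optional[str], Optional[str]]:
    """Return (approval status, label of the matching rule); (None, None) if nothing matches."""
    for rule in sorted(rules, key=lambda r: r.priority):  # first match wins, the rest are skipped
        if rule.matches(f):
            return ACTION_TO_STATUS[rule.action], rule.label
    return None, None  # no approval status; the file keeps only its trust score verdict
```

Note that a known-malicious hash at priority 2 overrides the Microsoft vendor approval at priority 3, which is why hash rules belong at the top of the chain.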

Creating a Rule

Follow these steps to create a new approval rule for your organization.

1. Navigate to the Approvals page

Open the portal and go to the Approvals section from the left navigation menu.

2. Click Create Rule

Click the "Create Rule" button at the top of the approval rules list.

3. Select the rule type

Choose the property to match against: vendor name, signing status, trust score threshold, file category, or hash match.

4. Configure the condition

Enter the match value. For vendor name, type the vendor string. For score threshold, enter the numeric cutoff. For hash match, paste the SHA-256 hash.

5. Set the action

Choose what happens when a file matches: Approve (mark as approved), Block (mark as not approved), or Review (create a pending approval request for an administrator).

6. Set the priority

Assign a priority number. Lower numbers are evaluated first. You can reorder rules later by adjusting priorities.

7. Save the rule

Click Save. The rule takes effect immediately on all new analyses. Existing files are not retroactively evaluated; re-analyze them to apply the new rule.

Common Patterns

Here are five approval rule patterns that cover the most common governance scenarios.

1. Approve files from known vendors

Create vendor name rules for each trusted publisher in your organization. For example, add rules for “Microsoft Corporation”, “Adobe Inc.”, and “Google LLC” with the Approve action. Files from these vendors are automatically approved without manual review.

Type: Vendor Name; Action: Approve

2. Block files with known malicious hashes

When your incident response team identifies a malicious file, add its SHA-256 hash as a block rule. This ensures the file is flagged as Not Approved across your entire organization and quarantined by endpoint agents in enforce mode.

Type: Hash Match; Action: Block

3. Review all unsigned executables

Unsigned executable files lack cryptographic identity verification. Create a signing status rule that matches unsigned files and sets the action to Review. This places them in the approval queue for an administrator to evaluate before they can be considered approved.

Type: Signing Status; Action: Review

4. Score threshold: block below 30, review below 60

Create two score threshold rules. The first blocks any file scoring below 30 (high-confidence threats). The second flags files scoring between 30 and 60 for review. Together, these rules ensure that only files above your organization’s risk tolerance pass through automatically.

Type: Score Threshold; Action: Block (< 30); Action: Review (< 60)

5. Block cryptocurrency miners

Create a file category rule matching the “cryptocurrency miner” category with the Block action. This automatically flags any mining software as Not Approved, regardless of its trust score or vendor. You can apply the same pattern to any unwanted software category.

Type: File Category; Action: Block

Enforcement Modes

Approval rules classify files in the portal. Enforcement modes determine what happens on managed endpoints when a file is classified as Not Approved.

Monitor Mode

The default and recommended starting point. When an endpoint agent encounters a file that matches a block rule, it logs the event and skips the file without taking any disruptive action. The blocked file remains on disk and is not quarantined.

  • Non-disruptive: no files are moved or quarantined
  • Events logged to the agent’s local log and reported to the portal
  • Ideal for testing rules before enabling enforcement

Enforce Mode

Active policy enforcement. When an endpoint agent encounters a file that matches a block rule, it moves the file to a quarantine directory and logs the action. Quarantined files can be restored by an administrator via the portal if the block was a false positive.

  • Blocked files are moved to quarantine automatically
  • Quarantined files can be restored by an admin via remote command
  • Only enable after validating rules in monitor mode

You can switch between Monitor and Enforce mode from the Settings page in the portal. The mode applies to all endpoint agents in your organization. We recommend running in Monitor mode for at least one week to verify your rules are not producing false positives before switching to Enforce mode.

Approval Queue Workflow

When a file matches a rule with the Review action, an approval request is automatically created and appears in the approval queue.

1. A file is analyzed and matches a rule with the Review action.
2. An approval request is automatically created with the file details, matched rule, and trust score.
3. The request appears in the Approvals page, visible to all administrators in your organization.
4. An administrator reviews the file report, score breakdown, and safety notes.
5. The administrator clicks Approve or Deny. The decision is recorded with a timestamp and the reviewer's identity.
6. The file's approval status updates across the portal, webhook payloads, and agent blocklists.

All approval decisions are logged in the audit trail. If a verdict is later found to be a false positive, team members can submit feedback from the report page, which can trigger a new review cycle.

Set up your first approval rule

Approval rules are available on Pro plans and above. Configure your organization’s governance policies in minutes.
