AAC rule structure

Rules define the boundaries of acceptable behavior and tell AAC how to react when the filtered action matches the rule specifications.

The Rule command at the root level defines the rule. Each Expert Rule identifier can contain only one rule definition and multiple subrules. The Match command defines subrules, each of which has an assigned role: Initiator or Target.

Because Initiator subrules always apply to PROCESS objects, the Process command provides a shortcut method for defining Initiator sections.

Note: Commands for building AAC rules are case sensitive.

Here is the basic structure of AAC-based rules:

Rule {
	Initiator {
		Match … {
			Include … { … }
			Exclude … { … }
		}
	}
	Target {
		Match … {
			Include … { … }
			Exclude … { … }
		}
	}
}

Note: Endpoint Security doesn't support signatures with multiple rules.
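
A filled-in instance of the skeleton above, added here as an illustration and not taken from the original page or the product's shipped rules. It uses the Process shortcut for the Initiator and a single FILE subrule with both Include and Exclude for the Target. The FILE match type, the OBJECT_NAME and -access match values, the -v option, and the process name and paths are assumptions for illustration; confirm them against the Expert Rules reference for your product version.

```tcl
# Added example (constructed): process name and paths are illustrative only.
Rule {
	# Process is shorthand for an Initiator section holding one PROCESS subrule.
	Process {
		Include OBJECT_NAME { -v "winword.exe" }
	}
	Target {
		# One subrule with the Target role, matched against file objects.
		Match FILE {
			# Any file under a Startup folder ...
			Include OBJECT_NAME { -v "**\\Startup\\**" }
			# ... except this one, which is carved out of the match.
			Exclude OBJECT_NAME { -v "**\\Startup\\desktop.ini" }
			# Only file creation is in scope for this subrule.
			Include -access "CREATE"
		}
	}
}
```

Keyword casing matters here because the commands are case sensitive: `Rule`, `Process`, `Target`, `Match`, `Include` and `Exclude` must be written exactly as shown.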