System state criteria vs. event criteria
There are two types of triggering criteria: system state criteria are driven by the current state of the system whereas event criteria are driven by certain events occurring in the system.
System state criteria retain the value true as long as a certain object exists in the system, and switch to false only when the object disappears. For example, the criterion Process “<name>” exists retains the value true for as long as the specified process is running. The value of this criterion changes to false when the process ends and remains false until the process is started again. All triggering criteria that are driven by the existence of certain system objects (in this example, processes running in the system) behave this way.
Event criteria evaluate to true when certain events occur in the system, and switch to false shortly after the event has occurred. For example, the criterion Write access to “<name/s>” is denied evaluates to true when DeviceLock Service blocks an attempt to transfer data using the specified devices or protocols. Then, after some time, the criterion value changes back to false, and remains false until a new attempt to transfer data is blocked. All triggering criteria that are driven by certain events in the system behave this way.
 
Note: Since event criteria take the value true for only a very short time, combining them by AND logic would always yield the value false. Therefore, it makes no sense to combine event criteria by AND logic.
The following are system state criteria:
User logged in - true all the time until the user logs out.
Ethernet connection exists - true all the time while the connection exists.
VPN connection exists - true all the time while the connection exists.
Wireless connection exists - true all the time while the connection exists.
Window “<title>” exists - true all the time while this window exists.
Window “<title>” is focused - true all the time until the input focus moves away from this window.
Process “<name>” exists - true all the time while this process exists.
Storage device is attached - true all the time while the device is attached.
Non-storage device is attached - true all the time while the device is attached.
Computer is idle for <number> seconds - true all the time after triggering while the user does not press keys on the keyboard and does not move/click the mouse.
The following are event criteria:
IP address is assigned - true for a short time after the address is assigned.
IP address is released - true for a short time after the address is released.
Content-Aware rule “<name>” is triggered - true for a short time after this rule is triggered.
Protocol White List rule “<name>” is triggered - true for a short time after this rule is triggered.
Media White List rule “<description>” is triggered - true for a short time after this rule is triggered.
USB White List rule “<description>” is triggered - true for a short time after this rule is triggered.
Read access to “<name/s>” is denied - true for a short time after read access is denied.
Write access to “<name/s>” is denied - true for a short time after write access is denied.
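The difference between the two criterion types, and the reason for the note about AND logic, can be seen on a small timeline. The following is an added example, not DeviceLock code: the tick-based model, the one-tick pulse width, the helper names and the sample timeline are all assumptions made for illustration.

```python
# Simplified timeline model (an assumption, not DeviceLock's engine):
# time moves in 1-second ticks; PULSE stands in for the page's "short time".
PULSE = 1

def state(intervals):
    """System state criterion: true while the object exists."""
    return lambda t: any(start <= t < end for start, end in intervals)

def event(times):
    """Event criterion: true only for PULSE ticks after each event."""
    return lambda t: any(e <= t < e + PULSE for e in times)

def all_of(*criteria):   # AND logic
    return lambda t: all(c(t) for c in criteria)

def any_of(*criteria):   # OR logic
    return lambda t: any(c(t) for c in criteria)

def true_ticks(criterion, horizon=60):
    """Ticks within the horizon at which the combined criterion is true."""
    return [t for t in range(horizon) if criterion(t)]

# Constructed timeline (sample data for illustration only).
process_exists = state([(10, 40)])   # Process "<name>" exists
vpn_exists = state([(0, 25)])        # VPN connection exists
write_denied = event([20, 50])       # Write access to "<name/s>" is denied
read_denied = event([22])            # Read access to "<name/s>" is denied

def demo():
    return {
        "state AND state": true_ticks(all_of(process_exists, vpn_exists)),
        "state AND event": true_ticks(all_of(process_exists, write_denied)),
        "event AND event": true_ticks(all_of(write_denied, read_denied)),
        "event OR event": true_ticks(any_of(write_denied, read_denied)),
    }

if __name__ == "__main__":
    for rule, ticks in demo().items():
        print(f"{rule:16} true at ticks {ticks}")
```

In this model, a state criterion combined with an event criterion by AND acts as a gate on the event, while two event criteria only produce a usable trigger when combined by OR.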