I have been looking into this extensively for executable (.exe) installations. I have a solution, but this will probably not be a "one size fits all".

The following BIOC presumes the following:

1. "Normal" users only have write access to 'Downloads', 'Documents' and 'Desktop'.
2. There is a requirement for privileged users (Administrator accounts) to install .exe based applications.
3. The users' 'Downloads' and 'Documents' directories are not always on the Root (C:) drive.

Here is the BIOC that can be added to a restriction Profile.

```
dataset = xdr_data
| filter event_type = ENUM.PROCESS
// If you use "Tier" accounts, these could be added here.
and action_process_username !~= "^.+[sS][yY][sS][tT][eE][mM]$|^.+[aA][dD][mM][iI][nN][iI][sS][tT][rR][aA][tT][oO][rR]$"
and action_process_image_path ~= "^[a-zA-Z]:\\[uU][sS][eE][rR][sS]\\*.*\\[dD]ownloads\\*.*\\+.*[eE][xX][eE]$|^[a-zA-Z]:\\[uU][sS][eE][rR][sS]\\*.*\\[dD]ocuments\\*.*\\+.*[eE][xX][eE]$|^[a-zA-Z]:\\[uU][sS][eE][rR][sS]\\*.*\\[dD]esktop\\*.*\\+.*[eE][xX][eE]$"
```

If you use "Tier" accounts, these could be added to the regex for the 'action_process_username' exception.

Feedback and/or suggestions are welcome.

Cheers,
Phil
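One way to check the two regexes from the BIOC above against sample events before adding it to a restriction profile. This is an added example, not part of the original post; the usernames and paths are constructed, and it assumes Python's `re` evaluates these patterns the same way XQL's `~=` does and that XQL passes the quoted string to its regex engine unchanged.

```python
import re

# Patterns copied from the BIOC in the post. Assumption: "\\" inside the XQL
# string reaches the regex engine as-is, i.e. it means one literal backslash.
USER_EXEMPT = re.compile(
    r"^.+[sS][yY][sS][tT][eE][mM]$"
    r"|^.+[aA][dD][mM][iI][nN][iI][sS][tT][rR][aA][tT][oO][rR]$"
)
# The three path alternatives differ only in the directory name.
_DIR = r"^[a-zA-Z]:\\[uU][sS][eE][rR][sS]\\*.*\\{d}\\*.*\\+.*[eE][xX][eE]$"
PATH_MATCH = re.compile(
    "|".join(_DIR.format(d=d)
             for d in ("[dD]ownloads", "[dD]ocuments", "[dD]esktop"))
)

def bioc_fires(username, image_path):
    """True when the filter would select the event: the user is not
    exempt AND the image path is under one of the three directories."""
    exempt = USER_EXEMPT.search(username) is not None
    return (not exempt) and PATH_MATCH.search(image_path) is not None

# Constructed sample events: (username, image path, expected result).
SAMPLES = [
    (r"CORP\alice", r"C:\Users\alice\Downloads\setup.exe", True),
    (r"CORP\bob", r"D:\Users\bob\Documents\tools\installer.EXE", True),
    (r"CORP\carol", r"E:\users\carol\desktop\app.exe", True),
    # Exempt accounts: the username exception suppresses the match.
    (r"CORP\Administrator", r"C:\Users\admin\Downloads\setup.exe", False),
    (r"NT AUTHORITY\SYSTEM", r"C:\Users\alice\Desktop\agent.exe", False),
    # Outside the three directories, or not ending in "exe".
    (r"CORP\alice", r"C:\Program Files\App\app.exe", False),
    (r"CORP\alice", r"C:\Users\alice\Downloads\report.pdf", False),
    # The pattern ends in "exe" without requiring the dot, so this fires too.
    (r"CORP\alice", r"C:\Users\alice\Desktop\toolexe", True),
]

def mismatches(samples=SAMPLES):
    """Return the samples whose actual result differs from the expected one."""
    return [(u, p, want) for u, p, want in samples if bioc_fires(u, p) != want]

if __name__ == "__main__":
    for user, path, _ in SAMPLES:
        print(f"{'FIRE' if bioc_fires(user, path) else 'skip':4}  {user:22} {path}")
    print("unexpected results:", mismatches())
```

Adding a "Tier" account pattern to `USER_EXEMPT` and re-running shows immediately whether the exception covers the accounts you intended.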