In this article, you will learn everything you need to know about the Privileges & App Control - Application Control module. Application Control has been created to control which processes (or applications) can be executed on client machines and how they are executed. You can define a set of rules that describe what processes are allowed or blocked on the endpoints in your environment using details like Software Name, Paths, Publisher, MD5, Signature, or Wildcard Path.
Application Control lets you speed up the approval or denial of applications through a default file action, and lets you create or modify approval flows for individual users or AD groups. A rule also determines how a matched process runs (it can be automatically elevated, if the rule is configured for it) and whether its child processes may run (a rule can allow or block all processes spawned by the matched process).
HOW DOES APPLICATION CONTROL WORK?
Application Control is a module of the HEIMDAL Agent that controls which processes are allowed to run on a computer. An allowed process can additionally be permitted to run with Administrator rights and to spawn child processes. Application Control is managed by the Heimdal ProcessLock service, which captures every process that is started and checks whether it is allowed to run.
A. Blocked processes
A process can be blocked from running by creating a block rule in the HEIMDAL Dashboard that matches the process (a rule can be defined based on Software Name, Path, Publisher, MD5, Signature, or Wildcard Path). To block a process, Application Control intercepts it and terminates it, along with all its services, within at most 5 seconds. If a blocked process is executed for the first time, it may briefly start, but it is terminated immediately; in other words, the first execution is cut short rather than prevented. During this interception, the process is registered in the blocking repository. When the process is executed a second time, it does not start at all, because it is already present in the blocking repository. The blocking repository is a list of entries stored in the local Windows Registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. For each blocked process, Application Control adds a redirect to a console application (Heimdal.ProcessLock.Trigger.exe), which is run instead of the blocked process. The Heimdal ProcessLock service logs the attempt and sends it to the HEIMDAL Dashboard, if necessary. Heimdal.ProcessLock.Trigger.exe does not appear on the user's screen and stays open for at most a few seconds.
B. Allowed processes
A process can be allowed to run by creating an allow rule in the HEIMDAL Dashboard that matches the process (a rule can be defined based on Software Name, Path, Publisher, MD5, Signature, or Wildcard Path). To allow a process, Application Control intercepts it and checks the blocking repository to determine whether the process is blocked. If the process is not on the block list, it is allowed to run.
C. Allow with Auto Elevation
In the case of a process allowed with auto elevation, Application Control intercepts the process started by a Standard user (not by an Administrator), terminates it, and restarts it as Administrator using the Run with AdminPrivilege functionality; the restarted process runs under the NT AUTHORITY\SYSTEM account. This functionality is independent of the Privileged Access Management module. The blocking repository (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options) is also used by the auto elevation functionality to identify a process that has been configured with an Allow with Auto Elevation rule in the HEIMDAL Dashboard. Heimdal.ProcessLock.FileElevator.exe is the console application that runs the process and sends a message to the Heimdal ProcessLock service so that the execution is logged and the process is started with Administrator permissions. Because the restarted process runs as SYSTEM rather than under the user's own elevated token, an auto elevation rule should match its process as narrowly as the rule types allow (for example by MD5 or Publisher rather than by a broad Wildcard Path), and Include spawns should be granted only where the matched process genuinely needs to launch child processes.
- When Default File Action is set to Allow and no rules are defined, Application Control clears all registry entries that the module created or updated. If rules are still defined in the Group Policy, Application Control looks up each process blocked in the registry and removes only the entries for processes that are no longer blocked (either by the default action or by a rule);
- System processes (those required by the Operating System to run) are hardcoded to be allowed by default;
- Every time a Group Policy update event is triggered, Application Control clears all registry entries for these rules and recreates all entries based on Full Path rules;
- When the Heimdal ProcessLock service is stopped, all registry values for those files are removed.
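Because the blocking repository lives in a standard Windows location, its state can be verified directly on an endpoint. The script below is an added example, not Heimdal's own tooling: it lists every Image File Execution Options entry that carries a redirect, tags the ones that point at the Heimdal console applications, and reports the ProcessLock service state so that stale entries (present while the service is stopped, which the list above says should not happen) stand out. It assumes that the redirect is stored as the standard IFEO "Debugger" value, that block redirects point at Heimdal.ProcessLock.Trigger.exe, that auto elevation redirects point at Heimdal.ProcessLock.FileElevator.exe, and that the service's display name contains "ProcessLock"; none of these details are stated on the page.

```powershell
# Added example (not Heimdal's own tooling): audit the Application Control "blocking repository"
# on an endpoint to see what is currently blocked or auto-elevated there.
#
# Assumptions (not stated on the page): the redirect is the standard IFEO "Debugger" value under
# each image-name subkey; block redirects point at Heimdal.ProcessLock.Trigger.exe; auto-elevation
# redirects point at Heimdal.ProcessLock.FileElevator.exe; the service display name contains
# "ProcessLock".

$Ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoRedirects {
    # One object per image subkey that carries a Debugger value, tagged by who appears to own it.
    Get-ChildItem -Path $Ifeo -ErrorAction Stop | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if (-not $props.Debugger) { return }            # no redirect on this image name
        $action = switch -Regex ($props.Debugger) {
            'Heimdal\.ProcessLock\.Trigger\.exe'      { 'Blocked (Heimdal)'; break }
            'Heimdal\.ProcessLock\.FileElevator\.exe' { 'AutoElevate (Heimdal)'; break }
            default                                   { 'Other (review!)' }
        }
        [pscustomobject]@{
            Image    = $_.PSChildName
            Action   = $action
            Debugger = $props.Debugger
        }
    }
}

# The page states that stopping the Heimdal ProcessLock service removes these registry values,
# so redirects found while the service is stopped are stale and worth investigating.
$svc = Get-Service | Where-Object { $_.DisplayName -like '*ProcessLock*' }
'Heimdal ProcessLock service: ' + $(if ($svc) { $svc.Status } else { 'not found' })

Get-IfeoRedirects | Sort-Object Action, Image | Format-Table -AutoSize
```

Run it on the endpoint after a Group Policy update or a service restart and compare the "Blocked" and "AutoElevate" rows with the Full Path rules in the Dashboard. Any row tagged "Other (review!)" is a Debugger redirect that Heimdal did not create; IFEO Debugger values are also a well-known persistence technique (MITRE ATT&CK T1546.012), so such rows deserve a look regardless of Application Control.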
HEIMDAL AGENT - APPLICATION CONTROL
On the HEIMDAL Agent's home page view, you can see the current status of the Agent and the modules that are enabled for your computer. To access the Application Control module, click on the Privileges & App Control icon or use the left-side menu.
The Application Control module displays the Priority of the configured rules, the Application Name, the Rule Type, and the Status.
APPLICATION CONTROL view
The Application Control view displays a table with all the processes intercepted on the computers inside your organization. Newly intercepted processes become visible in the HEIMDAL Dashboard 24 hours after the HEIMDAL Agent intercepts them, whereas processes that have already been intercepted before are displayed in real time. At the top, you see statistics on the number of Pending Requests and the number of used Admin Rights.
The collected information is placed in the following views: Full logging, Matching Allowed rules, Matching Blocked rules, and Matching Allowed with auto elevation.
- Full logging
This view displays a table with all the processes that are intercepted by the Application Control module and the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status and Timestamp. The data in this view updates in real-time for the processes that have already been intercepted, but it updates overnight when it comes to newly-intercepted processes.
- Matching Allowed rules
This view displays a table with all the allowed processes that are intercepted by the Application Control module and the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status and Timestamp.
- Matching Blocked rules
This view displays a table with all the blocked processes that are intercepted by the Application Control module and the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status and Timestamp.
- Matching Allowed with auto elevation
This view displays a table with all the processes that are allowed with the Auto Elevation feature by the Application Control module and the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status and Timestamp.
- Raw data
This view displays a table with all the processes intercepted by the Application Control module and the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status and Timestamp. The data in this view updates in real time; because of the 10,000-entry limit of the database, select a short timeframe (hours or minutes).
Clicking on the Number of Executions will redirect you to the process details where you can see the Process Name, the Software Name, the Publisher, the MD5, the Hostname of the computer, the Username, the Version, the Intercepted time, the Group Policy applying to the computer and the Status.
From any of the views, you can select one process and Allow it or Block it in Application Control. Once you select a process, you can choose whether to Block or Allow the process from the dropdown menu:
After hitting the Allow or the Block button, a modal that enables configuration of the rule will appear:
Global Update - creates the rule in all existing Group Policies;
Custom Policy Update - creates the rule in the selected Group Policies;
Rule Type - Path (the process's file path), Software name (the process's name as it appears in Control Panel -> Programs and Features), MD5 (the process's MD5 hash), Publisher (the process's publisher), Signature (the thumbprint of the process's digital signature), Wildcard Path (a path containing wildcards);
Subject - add the value of the selected Rule Type. Selecting a Rule Type will automatically fill in the Subject field;
Priority - rules are processed based on priority numbers (the higher the number is the higher the priority is). Leaving gaps between each rule is recommended (10, 20, 30, 40, etc.) in order to have an easy and neat rule organization, without having to edit existing rules (priority ranges between 0 and 1000);
Allow auto elevation - allows the process to run as Administrator (available only for Allow rules);
Include spawns - allows the process to spawn other child processes (available only for Allow rules).
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Filters functionality allows you to filter entries by Status.
APPLICATION CONTROL settings
The Application Control module allows you to control how processes (and applications) are executed on endpoints inside your organization. You can define a set of rules that describe which processes are allowed or blocked on your machines using details like Software Name, Path, Publisher, MD5, Signature, or Wildcard Path. Application Control can also determine how a matched process runs (it can be automatically elevated, if the rule is configured for it) and whether its child processes may run (a rule can allow or block all processes spawned by the process it matches).
Application Control - turn ON/OFF the Application Control module;
Privileged Access Management to bypass the ruleset - allows the Privileged Access Management module to bypass any defined rules during an elevation session;
Full Logging Mode - allows the HEIMDAL Agent to intercept any process(es) running on the endpoints that are applying this Group Policy;
Internal port for AppControl - allows you to edit the internal port used by the Application Control module. 8001 is the default port number used by Application Control.
Zero-Trust Execution Protection - enables protection against zero-hour threats compromising your environment (it can also be enabled/disabled from the Endpoint Detection -> Next-Gen Antivirus module and from the Privileges & App Control -> Privileged Access Management module). Zero-Trust Execution Protection checks unsigned executable files and blocks their execution if they are deemed untrusted;
Exclusions - the exclusion area allows you to exclude a process from the Zero-Trust Execution Protection by File Name, File Path, Directory, or MD5;
Reporting mode - scans and logs all the processes with Zero-Trust Execution Protection to the HEIMDAL Dashboard without taking any action (allow or block);
Ruleset Mode - allows you to turn on/off the ruleset or to report the processes matched by the defined rules and to take action on them;
- Disable - disables the rules set in the ruleset;
- Enable - enables the rules set in the ruleset;
- Reporting only - intercepts and reports (in the Application Control view) the processes matched by the ruleset, without blocking or allowing them;
Default file action - this dropdown selects the default action (allow or block) applied to executed processes that do not match any rule in the Ruleset. System files are allowed to run unless they are matched in the Ruleset list;
Application Control Rules
You can add a rule to match a process based on several conditions:
- Rule type - Software name, Path, MD5, Publisher, Signature, Wildcard path;
- Rule value - depending on the rule type, you can specify a Software name (Microsoft Edge), a Path (C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe), an MD5 hash (eaa5674047232d4a08e3f5a80ae41847), a Publisher (Microsoft Corporation), a Signature thumbprint (c774204049d25d30af9ac2f116b3c1fb88ee00a4), or a Wildcard path, which may use the environment variables %SystemRoot%, %SystemDrive%, %SystemDirectory%, %ProgramFiles%, %ProgramFiles(x86)%, %ProgramData%, %AppData% and %TEMP% (for example %SystemDrive%\Test\*\download.exe, C:\test\*\download.exe, C:\test\*);
- Priority - the higher the priority value, the higher the priority;
- Action - allow or block the matched process;
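Both the rule modal and the Ruleset described above need the Subject value that corresponds to the chosen rule type, and each type has a different lifetime: an MD5 matches exactly one build of a binary, a Publisher survives upgrades, and a Signature thumbprint survives upgrades until the vendor rotates its signing certificate. The function below is an added example, not Heimdal's own tooling: it collects all of those values for one executable on an endpoint so that a rule is written from verified data rather than typed by hand. It assumes that Publisher is the CN of the Authenticode signer certificate, that Signature is that certificate's SHA-1 thumbprint (the page's sample value is 40 hex characters, which is consistent), and that Software name is the DisplayName of the Programs and Features entry whose InstallLocation contains the file; the page does not define these details.

```powershell
# Added example (not Heimdal's own tooling): collect, for one executable, the value that each
# Application Control rule type expects in the Subject field.
#
# Assumptions (not stated on the page): Publisher = CN of the Authenticode signer certificate;
# Signature = that certificate's SHA-1 thumbprint; Software name = DisplayName of the Programs
# and Features (Uninstall key) entry whose InstallLocation contains the file.

function Get-AppControlRuleValues {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName

    $publisher  = $null
    $thumbprint = $null
    if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) {
        $thumbprint = $sig.SignerCertificate.Thumbprint
        # Subject looks like "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, ..."
        if ($sig.SignerCertificate.Subject -match 'CN=([^,]+)') { $publisher = $Matches[1].Trim('"') }
    }

    # Programs and Features is backed by the Uninstall keys (64-bit, 32-bit and per-user views).
    $uninstall = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $softwareName = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object {
            $_.DisplayName -and $_.InstallLocation -and
            $file.FullName.StartsWith($_.InstallLocation.TrimEnd('\'), [StringComparison]::OrdinalIgnoreCase)
        } |
        Select-Object -First 1 -ExpandProperty DisplayName

    [pscustomobject]@{
        Path         = $file.FullName
        MD5          = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5).Hash.ToLower()
        Publisher    = $publisher
        Signature    = $thumbprint
        SoftwareName = $softwareName
        Version      = $file.VersionInfo.FileVersion
        SignatureOK  = $sig.Status      # only write Publisher/Signature rules when this is Valid
    }
}

# Example call using the page's own sample binary; the path is resolved from the environment.
Get-AppControlRuleValues -Path "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe" | Format-List
```

Run it on an endpoint that has the application installed and paste the field that matches the chosen Rule Type into the Subject field. If SignatureOK is anything other than Valid, do not create a Publisher or Signature rule from the output: an unsigned or tampered binary carries no trustworthy publisher, and a Path or Wildcard Path rule would then be trusting the location rather than the content.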
In the Ruleset table, you can tick Allow auto elevation for the selected rule to let the matched process run with Administrator permissions. The Spawns tickbox allows the matched process to spawn other processes.
When a rule is added, Application Control also checks whether a rule with the same subject already exists with a different Action Type (allow instead of block, or vice versa). In that case, a popup informs the user. If the user confirms, the existing rule's Action Type is overridden with the new value:
e.g. If the previous rule blocked the execution of chrome.exe and the new rule allows it, the Action Type is changed from Block to Allow, without adding a new record to the rules list.
If the user does not want to change the existing rule, the fields for inserting a new rule are cleared, so a different kind of rule can be created instead. You can also search through the rules and use the Download button to download a .csv file with all the rules in the Ruleset.