In this article, you will learn everything you need to know about the Application Control module. Application Control has been created to control which processes (or applications) can be executed on client machines and how they are executed. You can define a set of rules that describe what processes are allowed or blocked on the endpoints in your environment using details like Software Name, Paths, Publisher, MD5, Signature, or Wildcard Path.
1. Description
2. How does Application Control work?
3. HEIMDAL Agent - Application Control
4. Application Control view
5. Application Control settings
DESCRIPTION
Application Control lets you speed up the approval or denial of applications by combining a default action for files with rules that you create or modify for individual users or AD groups. A rule also decides how a matched process runs: it can receive automatic elevation (through the Privileged Access Management module, if so configured), and it can allow or block every child process spawned by the matched process.
HOW DOES APPLICATION CONTROL WORK?
Application Control is a product/service under the HEIMDAL Agent that decides which processes are allowed to run on a computer. It is designed for regular Windows clients. Although it can be enabled on Windows Servers as well, this is NOT recommended, because it can cause high CPU usage when the operating system is handling a large number of files, processes and applications. Processes that are allowed to run can additionally be allowed to run with an Administrator role and to spawn child processes. Application Control is managed by the Heimdal ProcessLock service, which captures every process that is started and checks whether it is allowed to run.
A. Blocked processes
A process can be blocked from running by creating a block rule in the HEIMDAL Dashboard that matches it (a rule can be defined based on Software Name, Paths, Publisher, MD5, Signature, or Wildcard Path). To block a process, Application Control intercepts it and kills it, along with all its services, within at most 5 seconds. Processes that are already running when the block rule is applied are not killed: interception happens at launch, not for processes that are already running. The first time a blocked process is executed it may start, but it is killed immediately; during this interception the process is registered in the blocking repository. From the second execution on, the process does not start at all, because it is already present in the blocking repository. The blocking repository is a list of entries stored in the local Windows Registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. For each blocked process, Application Control adds a redirect path to a console application (Heimdal.ProcessLock.Trigger.exe) that runs instead of the blocked process. The Heimdal ProcessLock service logs the attempt and, if necessary, sends it to the HEIMDAL Dashboard. Heimdal.ProcessLock.Trigger.exe does not appear on the user's screen and stays open for a few seconds at most.
B. Allowed processes
A process can be allowed to run by creating an allow rule in the HEIMDAL Dashboard to match the process in question (a rule can be defined based on Software Name, Paths, Publisher, MD5, Signature, or Wildcard Path). In order to allow a process, Application Control intercepts it and checks the blocking repository to see if the process is blocked or not. If the process is not on the block list, it is allowed to run.
C. Allow with Auto Elevation
For a process that is allowed to run with auto elevation, Application Control intercepts the process started by a Standard user (not as Administrator), kills it and restarts it as Administrator using the Run with Admin Privilege functionality (the process runs as the NT Authority\System user). This functionality is independent of the Privileged Access Management module. The blocking repository (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options) is also used by auto elevation to identify a process that has an Allow with Auto Elevation rule configured in the HEIMDAL Dashboard. Heimdal.ProcessLock.FileElevator.exe is the console application that runs the process and sends a message to the Heimdal ProcessLock service, so that the execution is logged and the process is started with Administrator permissions.
- When Default File Action is set to Allow and no rules are defined, Application Control clears all registry entries that the module created or updated. If rules are still defined in the Group Policy, Application Control looks up each process blocked in the registry and removes only the entries for processes that are no longer blocked (either by the default action or by a rule);
- System processes (those the Operating System requires) are hardcoded to be allowed to run by default;
- Every time a Group Policy update event is triggered, Application Control clears all registry entries for these rules and recreates them based on the Full Path rules;
- When the Heimdal ProcessLock service is stopped, all registry values for those files are removed.
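The blocking repository described above is an ordinary registry key, so its state can be audited independently of the dashboard, both to confirm the cleanup behaviour listed above and to spot redirects that Application Control did not write. The following Python script is an added example written for this article, not Heimdal's code. It parses a reg export of the Image File Execution Options key and reports every image that has a redirect, labelling the ones that point at Heimdal.ProcessLock.Trigger.exe or Heimdal.ProcessLock.FileElevator.exe and flagging any other target. Assumptions not stated on the page: the redirect is the standard IFEO Debugger value, the install path C:\Program Files\Heimdal\ is a placeholder, and the export text is constructed. Its third entry (sethc.exe redirected to cmd.exe) is the well-known IFEO abuse that has nothing to do with Application Control and is exactly what such an audit should catch.

```python
r"""Audit of the Image File Execution Options (IFEO) key that Application Control
uses as its blocking repository. Added example for this article, not Heimdal's code.

Assumptions (not stated on the page): the "redirect path" is the standard IFEO
"Debugger" value, each per-image subkey is named after the executable, and the
helper binaries live under C:\Program Files\Heimdal\ (a placeholder path).
On an endpoint, produce the input with
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
and read the file with encoding="utf-16" (reg export writes UTF-16LE with a BOM).
"""
import re
from typing import Dict, List, Tuple

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")

# The two console helpers named on the page, keyed by lower-cased file name.
HEIMDAL_HELPERS = {
    "heimdal.processlock.trigger.exe": "block redirect",
    "heimdal.processlock.fileelevator.exe": "auto-elevate redirect",
}

# Constructed sample export. The first two subkeys look like what Application
# Control writes; the third is a classic non-Heimdal IFEO hijack (sethc.exe
# redirected to cmd.exe) that an audit must surface; the fourth has no Debugger.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\putty.exe]
"Debugger"="C:\\Program Files\\Heimdal\\Heimdal.ProcessLock.Trigger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe]
"Debugger"="C:\\Program Files\\Heimdal\\Heimdal.ProcessLock.FileElevator.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_STR_RE = re.compile(r'^"([^"]+)"="(.*)"$')          # REG_SZ lines only
_EXE_RE = re.compile(r'([^\\/"]+\.exe)', re.IGNORECASE)


def _unescape(value: str) -> str:
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r'\\(["\\])', r"\1", value)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] in a .reg export to its REG_SZ values (other value types are ignored)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys[current] = {}
            continue
        val = _STR_RE.match(line)
        if val and current is not None:
            keys[current][val.group(1)] = _unescape(val.group(2))
    return keys


def debugger_exe(debugger: str) -> str:
    # A Debugger value may be quoted and may carry arguments; keep the first .exe token.
    m = _EXE_RE.search(debugger)
    return m.group(1).lower() if m else debugger.lower()


def audit_ifeo(text: str) -> List[Tuple[str, str, str]]:
    """(image name, Debugger value, classification) for every IFEO subkey with a Debugger."""
    rows = []
    for key, values in parse_reg(text).items():
        if not key.lower().startswith(IFEO_KEY.lower() + "\\"):
            continue
        debugger = values.get("Debugger")
        if debugger is None:
            continue
        image = key.rsplit("\\", 1)[1]
        label = HEIMDAL_HELPERS.get(debugger_exe(debugger),
                                    "UNEXPECTED: not an Application Control helper")
        rows.append((image, debugger, label))
    return rows


def leftovers(rows: List[Tuple[str, str, str]], images_still_ruled) -> List[str]:
    """Heimdal redirects for images no longer covered by a rule (the page says these get removed)."""
    ruled = {i.lower() for i in images_still_ruled}
    return [img for img, _, label in rows
            if label in HEIMDAL_HELPERS.values() and img.lower() not in ruled]


if __name__ == "__main__":
    for image, debugger, label in audit_ifeo(SAMPLE_REG):
        print(f"{image:<14} {label:<45} {debugger}")
    print("stale:", leftovers(audit_ifeo(SAMPLE_REG), ["putty.exe"]))
```

On a healthy endpoint every row carries one of the two Heimdal labels, and leftovers() returns an empty list once the images it is given are the ones still covered by block or auto-elevate rules; a non-empty list after a Group Policy update or after the ProcessLock service has been stopped points at the cleanup described above not having happened.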
HEIMDAL AGENT - APPLICATION CONTROL
On the HEIMDAL Agent's home page view, you can see the current status of the Agent and the modules that are enabled for your computer. The Application Control module displays information about the Process Name, the Status of each intercepted process, and Timestamp which represents the time when the process was intercepted.
When an application is intercepted and blocked by Application Control, the HEIMDAL Agent displays a notification in the bottom-right corner of the screen.
APPLICATION CONTROL VIEW
The Application Control view displays a table with all the processes intercepted on the computers in your organization. Newly intercepted processes become visible in the HEIMDAL Dashboard 24 hours after the HEIMDAL Agent intercepts them, while processes that were intercepted before are displayed in real time. At the top, a statistic shows the number of Pending Requests and the number of Admin Rights used.
The collected information is placed in the following views: Full logging, Matching Allowed rules, Matching Blocked rules, Matching Allowed with auto elevation, and Raw data.
- Full logging - displays a table with all the processes (executions stacked per process) intercepted by the Application Control module, with the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status, and Timestamp. The data in this view updates in real time for processes that have already been intercepted, but only overnight for newly intercepted processes.
- Matching Allowed rules - displays a table with all the allowed processes intercepted by the Application Control module, with the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status, and Timestamp.
- Matching Blocked rules - displays a table with all the blocked processes intercepted by the Application Control module, with the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status, and Timestamp.
- Matching Allowed with auto elevation - displays a table with all the processes allowed with the Auto Elevation feature by the Application Control module, with the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status, and Timestamp.
- Raw data - displays a table with all the processes (unstacked, one row per execution) intercepted by the Application Control module, with the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status, Deny file permissions, Elevated, and Timestamp. The data in this view updates in real time and requires a short timeframe selection because of the 10,000-entry limit of the database; a timeframe of hours or minutes is recommended.
You can Allow or Block one or multiple processes by selecting them from the Full Logging or Raw Data views. Clicking on the Number of Executions will redirect you to the process details where you can see the Process Name, the Software Name, the Publisher, the MD5, the Hostname of the computer, the Username, the Version, the Intercepted time, the Group Policy applying to the computer and the Status.
From any of the views, you can select one process and Allow it or Block it in Application Control. Once you select a process, choose Block or Allow from the dropdown menu.
After hitting the Allow or the Block button, a modal that enables the configuration of the rule will appear:
Global Update - creates the rule in all existing Group Policies;
Custom Policy Update - creates the rule in the selected Group Policies;
Rule Type - Path (you can specify the process' file path), Software name (you can specify the process' name as it appears in Control Panel -> Programs and Features), MD5 (you can specify the process' MD5 hash), Publisher (the Publisher information is taken from the CN value of the Subject field inside the Certificate of a signed file or the Company Name detail of an unsigned file), Signature (you can specify the process' digital signature thumbprint), Wildcard Path (you can specify a wildcard path), Command Line (C:\Documents\test.pdf, *.pdf, C:\*\My Folder\*.pdf);
Subject - add the value of the selected Rule Type. Selecting a Rule Type will automatically fill in the Subject field;
Priority - rules are processed based on priority numbers (the higher the number is the higher the priority is). Leaving gaps between each rule is recommended (10, 20, 30, 40, etc.) to have an easy and neat rule organization, without having to edit existing rules (priority ranges between 0 and 1000);
Allow auto elevation - allows the process to run as Administrator (available only for Allow rules);
Include spawns - allows the process to spawn other child processes (available only for Allow rules). The option must be used only when the Default File Action is set to Block. Because it extends the Allow to everything the matched process launches, enable it only on narrowly scoped rules rather than on broad wildcard or publisher rules.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Filters functionality allows you to filter entries by Status.
APPLICATION CONTROL SETTINGS
The Application Control module allows you to control how processes (and applications) are executed on the endpoints in your organization. You can define a set of rules that describe which processes are allowed or blocked on your machines using details like Software Name, Paths, Publisher, MD5, Signature, or Wildcard Paths. Application Control also decides how a matched process runs: it can receive automatic elevation from the HEIMDAL Privileged Access Management module, if so configured, and its child processes (every process spawned by the process matched by the rule) can be allowed or blocked.
Application Control - turn ON/OFF the Application Control module;
Privileged Access Management to bypass the ruleset - allows the Privileged Access Management module to bypass any defined rules through the use of Run with Admin Privilege;
App Control driver interception - installs and uses a kernel mini-filter driver, improving the speed of the ruleset, as well as blocking any process until the rule is processed;
Apply default action to scripts - applies the default action to scripts as well. The option can be enabled only when Ruleset Mode is set to Enable and the Default file action is set to Block.
General Settings
Full Logging Mode - allows the HEIMDAL Agent to intercept any process(es) running on the endpoints that are applying this Group Policy;
User token elevation - installs a kernel mini-driver that allows the user to elevate files only under the User context (Run with Admin Privilege under the User context, instead of the System context). This functionality does NOT work if the user is a member of the Network Configuration Operators group. However, Run with Admin Privileges works if the user is moved to any of the following groups: Device Owners, Distributed COM Users, Event Log Readers, Hyper-V Administrators, Access Control Assistance Operators, IIS_IUSR, Network, Performance Log Users, Performance Monitor Users, Power Users, Remote Desktop Users, Remote Management Users, System Managed Accounts Group, Backup Operators;
Internal port for AppControl - allows you to edit the internal port used by the Application Control module. 8001 is the default port number used by Application Control;
Enable AppControl driver interception - installs and uses the Application Control kernel mini-filter driver that enhances the speed of the HEIMDAL Agent when intercepting and blocking a process;
Reporting mode - scans and logs all the processes with Zero-Trust Execution Protection to the HEIMDAL Dashboard without taking any action (allow or block);
Ruleset Mode - allows you to turn on/off the ruleset or to report the processes matched by the defined rules and to take action on them;
- Disable - disables the rules set in the ruleset;
- Enable - enables the rules set in the ruleset;
- Reporting only - intercepts and reports (in the Application Control view) the processes matched by the ruleset, without acting on them;
Default file action - this dropdown allows you to select the default action that will be performed (allow or block) if the processes that are executed do not match any rules set in the Ruleset. System Files will be allowed to run unless they are matched on the Ruleset list;
If the Ruleset Mode is set to Enable and the Default file action is set to Block, the Apply default action to scripts tickbox becomes available. With it enabled, the script extensions you select in the dropdown field are allowed to run regardless of the Default file action.
Application Control Rules
You can add a rule to match a process based on several conditions:
- Priority - rules with a higher priority value take precedence over rules with a lower one;
- Subject - depending on the rule type, you can specify a Software name (Microsoft Edge), Path (C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe), MD5 (eaa5674047232d4a08e3f5a80ae41847), Publisher (Microsoft Corporation - the Publisher information is taken from the CN value of the Subject field inside the Certificate of a signed file or from the Company Name detail of an unsigned file), Signature (c774204049d25d30af9ac2f116b3c1fb88ee00a4), Wildcard path (%SystemRoot%, %SystemDrive%, %SystemDirectory%, %ProgramFiles%, %ProgramFiles(x86)%, %ProgramData%, %AppData%, %TEMP%, %SystemDrive%\Test\*\download.exe, C:\test\*\download.exe, C:\test\*), Command Line (C:\Documents\test.pdf, *.pdf, C:\*\My Folder\*.pdf), or Certificate subject (CN=Google*C=US*) - for this type only the part of the value before the first * is compared, and it must match the beginning of the process certificate's Subject;
- Friendly name - a friendly name that can be used to search between rules;
- Allow Auto Elevation - specifies whether the matched process runs with Administrator elevation. For Rule Types other than Path/Wildcard Path, App Control driver interception must be enabled for Auto Elevation to work. Note: to access and use the "Allow auto elevation" functionality you need a Privileged Access Management (PAM) module license;
- Spawns - specifies whether the matched process may spawn child processes. The option must be used only when the Default File Action is set to Block;
- Rule type - define the rule by Software Name, Path, MD5, Publisher, Signature, Wildcard path, Command Line Arguments, Certificate subject;
- Action Type - allows you to select between Allow and Block;
- Action - allows you to allow or block the defined process;
In the Ruleset table, you can enable Allow auto elevation for the selected rule so that the matched process runs with Administrator permissions (this requires the Application Control driver to be enabled; otherwise Allow auto elevation is available only for Path and Wildcard path rules). The Spawns tickbox allows the process to spawn other processes when the Default File action is set to Block. The Deny file permissions tickbox denies the user's permissions (Full Control, Read, Write, etc.) when the user tries to access a file matching a rule that is set to Block. You can also search through the rules and use the Download button to download a .csv file with all the rules in the Ruleset.
Because of possible performance issues, keep the number of rules as low as you can, especially MD5-type rules. The cost also depends on the size of the files matched by the rules: the HEIMDAL Agent itself is not the bottleneck, but the MD5 has to be computed every time the process is launched, which is noticeable with large executables. Hash rules are also brittle: an MD5 matches exactly one build of a file, so an Allow rule by MD5 stops matching after every update and a Block rule by MD5 is defeated by any change to the binary. Where the software is signed, prefer Publisher, Signature or Certificate subject rules.
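To make the rule semantics concrete (the rule types and their subjects, the priority order, the Default file action, the System32 exception and Spawns, as described both in the rule modal of the Application Control view and in the Ruleset settings above), here is a small Python model added for this article. It is not Heimdal's code and does not reproduce the agent's actual matching engine. Where the page is silent it assumes: the matching rule with the highest priority number decides; path comparison is case-insensitive; a Wildcard path subject with no * or ? (such as %SystemRoot%) covers everything beneath that directory; and a child process that matches no rule is allowed when its parent was allowed by a rule with Spawns enabled. The environment-variable values, the rules, the hash (the MD5 of an empty file) and the processes are constructed.

```python
r"""Toy Application Control ruleset evaluation (added example, not Heimdal's code).
Assumptions beyond the page: the matching rule with the highest priority decides;
paths compare case-insensitively; a wildcard subject without '*' or '?' (e.g.
%SystemRoot%) covers everything under it; a child that matches no rule inherits
Allow from a parent allowed by a rule with Spawns. ENV, rules and processes are
constructed."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

ENV = {  # stands in for the endpoint's real environment variables
    "%SystemDrive%": r"C:", "%SystemRoot%": r"C:\Windows",
    "%SystemDirectory%": r"C:\Windows\System32", "%ProgramFiles%": r"C:\Program Files",
    "%ProgramFiles(x86)%": r"C:\Program Files (x86)", "%AppData%": r"C:\Users\alice\AppData\Roaming",
}
# Rule types decided by (case-insensitive) equality, mapped to the Process field they read.
EXACT = {"path": "path", "md5": "md5", "signature": "signature",
         "publisher": "publisher", "software name": "software_name"}

@dataclass
class Process:
    path: str
    software_name: str = ""
    publisher: str = ""
    md5: str = ""
    signature: str = ""      # thumbprint of the signing certificate
    cert_subject: str = ""   # full Subject of the signing certificate
    cmdline: str = ""

@dataclass
class Rule:
    priority: int            # 0..1000, higher wins
    rule_type: str
    subject: str
    action: str              # "Allow" or "Block"
    name: str = ""           # friendly name
    auto_elevate: bool = False  # Allow rules only
    spawns: bool = False        # Allow rules only; meaningful with default Block

@dataclass
class Decision:
    action: str
    rule: Optional[Rule] = None
    elevate: bool = False
    reason: str = ""

def path_matches(subject: str, path: str) -> bool:
    pat, path = subject.lower(), path.lower()
    for var, val in ENV.items():           # expand %SystemRoot% and friends
        pat = pat.replace(var.lower(), val.lower())
    if "*" in pat or "?" in pat:
        return fnmatchcase(path, pat)
    return path == pat or path.startswith(pat.rstrip("\\") + "\\")

def matches(rule: Rule, p: Process) -> bool:
    t, s = rule.rule_type.lower(), rule.subject
    if t in EXACT:
        return getattr(p, EXACT[t]).lower() == s.lower()
    if t == "wildcard path":
        return path_matches(s, p.path)
    if t == "command line":
        return fnmatchcase(p.cmdline.lower(), s.lower())
    if t == "certificate subject":  # page: only the part before the first '*' is compared
        return p.cert_subject.startswith(s.split("*", 1)[0])
    raise ValueError(f"unknown rule type {rule.rule_type!r}")

def evaluate(rules: List[Rule], p: Process, default_action: str = "Block",
             parent: Optional[Decision] = None) -> Decision:
    for r in sorted(rules, key=lambda r: r.priority, reverse=True):
        if matches(r, p):
            return Decision(r.action, r, r.action == "Allow" and r.auto_elevate,
                            f"rule '{r.name}' (priority {r.priority})")
    if parent and parent.action == "Allow" and parent.rule and parent.rule.spawns:
        return Decision("Allow", parent.rule, False, "spawned by an allowed parent with Spawns")
    if p.path.lower().startswith(ENV["%SystemDirectory%"].lower() + "\\"):
        return Decision("Allow", None, False, "System32 process, allowed unless a rule blocks it")
    return Decision(default_action, None, False, "default file action")

RULES = [
    Rule(10, "Wildcard path", r"%ProgramFiles(x86)%\*", "Allow", "x86 program files", spawns=True),
    Rule(20, "Wildcard path", r"%SystemDrive%\Test\*\download.exe", "Allow", "test downloader"),
    Rule(50, "Certificate subject", "CN=Microsoft Corporation*C=US*", "Allow", "microsoft signed",
         auto_elevate=True),
    Rule(100, "MD5", "d41d8cd98f00b204e9800998ecf8427e", "Block", "known-bad hash"),
    Rule(200, "Path", r"C:\Windows\System32\cmd.exe", "Block", "no cmd.exe"),
]

def demo() -> Dict[str, Decision]:
    ms = "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
    parent = evaluate(RULES, Process(r"C:\Program Files (x86)\Vendor\updater.exe"))  # rule 10, Spawns
    return {
        "edge": evaluate(RULES, Process(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                                        cert_subject=ms)),
        # bad_hash matches rules 10 (Allow), 50 (Allow) and 100 (Block): the highest priority wins
        "bad_hash": evaluate(RULES, Process(r"C:\Program Files (x86)\Vendor\tool.exe",
                                            md5="D41D8CD98F00B204E9800998ECF8427E", cert_subject=ms)),
        "cmd": evaluate(RULES, Process(r"C:\Windows\System32\cmd.exe")),
        "powershell": evaluate(RULES, Process(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")),
        "download": evaluate(RULES, Process(r"C:\Users\alice\Downloads\setup.exe")),
        "nested": evaluate(RULES, Process(r"C:\Test\a\b\download.exe")),
        "child": evaluate(RULES, Process(r"C:\Users\alice\AppData\Local\Temp\helper.exe"), parent=parent),
    }
```

Running demo() shows the points that matter when you write rules: the Block rule at priority 100 beats two Allow rules that also match the same file, cmd.exe is blocked even though it lives in System32, an unruled System32 process is still allowed, an unruled download falls through to the Default file action, and a helper launched by a parent that was allowed with Spawns runs even though nothing matches it directly.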
Zero-Trust Execution Protection - enables the protection against zero-hour threats compromising your environment (it can also be enabled/disabled from the Endpoint Detection -> Next-Gen Antivirus module and from the Privileges & App Control -> Privileged Access Management module). Zero-Trust Execution Protection checks unsigned executable files and blocks their execution if they are deemed untrusted;
Reporting mode - scans and logs the applications checked by Zero-Trust Execution Protection without taking any action (allow or block).
Exclusions - the exclusion area allows you to exclude a process from the Zero-Trust Execution Protection by File Name, File Path, Directory, or MD5;
IMPORTANT
Microsoft processes present in the system32 folder are allowed by default but they can be blocked through a block rule in the Application Control ruleset.