
Application Control overview

Application Control is a module that controls which processes (applications) can run on client machines and how they run. You define a set of rules describing which processes are allowed or blocked in your environment, matched on Software Name, Path, Publisher, MD5, Signature, or Wildcard Path. A rule can also decide how a matched process runs: whether it is elevated automatically by the Heimdal™ Privileged Access Management module (if that module is configured), and whether the rule's action also covers every child process the matched process spawns (Include spawns).

APPLICATION CONTROL view

The Application Control view displays a table of all intercepted processes, with the Process Name, number of executions, Publisher, Software Name, Version, Group Policy, MD5, and Status of each. The table can be narrowed with the following filters: All intercepted applications, Matching Allow rules, Matching Block rules, Matching Allow by default, and Matching Block by default.

All intercepted applications - displays every application that has run on the machine(s)

Matching Allow rules - displays the latest interceptions that match an Allow rule

Matching Block rules - displays the latest interceptions that match a Block rule

Matching Allow by default - displays the latest interceptions with the "Allow by default" status (a process that matches no rule is allowed by default when the Default File Action is set to Allow)

Matching Block by default - displays the latest interceptions with the "Block by default" status (a process that matches no rule is blocked by default when the Default File Action is set to Block)

Block - adds the selected process to the ruleset with Block as the Action Type

Remove from allowed list - removes from the ruleset the Allow rule that the selected process matches

Remove from block list - removes from the ruleset the Block rule that the selected process matches

Allow - adds the selected process to the ruleset with Allow as the Action Type

Once you select a process, the Block and Allow buttons become active.

After you click Allow or Block, a modal for configuring the rule appears.

The Global rule radio button applies the rule to all Group Policies; the Custom policy block/allow rule applies it only to the Group Policy (or Policies) selected in the dropdown field.

To configure a rule, choose one of the Rule Types: Software name, Path, Publisher, MD5, Signature, or Wildcard Path. Once a Rule Type is selected, the Subject field is filled in automatically from the intercepted process.

Priority - rules are evaluated by priority number: the higher the number, the higher the priority, so when a process matches several rules the one with the highest number decides. Leave gaps between priorities (10, 20, 30, 40, etc.) so that new rules can be slotted in later without editing existing ones. The range is 0 to 1000.

Allow auto elevation - lets the matched process be elevated automatically by the Heimdal™ Privileged Access Management module

Include spawns - extends the rule's action to every child process spawned by the matched process. Use this deliberately on Allow rules: an allowed parent with Include spawns effectively allows anything it launches, which matters for installers, updaters and script hosts.

APPLICATION CONTROL GROUP POLICY settings

Enable Application Control - enables the Application Control module

Allow Heimdal™ Privileged Access Management to bypass the ruleset - lets the user run any process matched by an Application Control rule when it is started under an Administrator Session elevation or a Run with AdminPrivilege elevation. With this enabled, an elevated session is a way around a Block rule, so decide whether that is acceptable in your environment.

Enable Full Logging Mode - intercepts and records every process on the machines assigned to this Group Policy, not only those matched by rules. All intercepted processes are displayed in the Application Control view.

Always allow executions of system applications - always allows Windows system files to run, regardless of the ruleset


 

Ruleset Mode - sets how the Application Control rules are applied
Enable - the rules are enforced
Disable - the rules are not applied
Reporting only - processes matched by the rules are shown in the Application Control view, but the rule's Action Type is not enforced. This is the mode to use when validating a new ruleset before switching it to Enable.


Default File Action - the action (Allow or Block) applied to processes that match no Application Control rule. Block turns the ruleset into an allowlist (everything not explicitly allowed is denied); Allow turns it into a blocklist. A Block default combined with Full Logging and Reporting only mode is the usual way to discover what needs an Allow rule before enforcing.
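To make the interplay of these settings concrete, here is an added example (not Heimdal's code; the article describes no implementation) that models how rule Priority, Include spawns, Ruleset Mode and Default File Action combine for one intercepted process, written in PowerShell since the rules are administered on Windows endpoints. The function names, the rule and process field names, the exact-match semantics, the tie-break on equal priority, the precedence of a child's own rule over its parent's Include spawns, and treating Disable as a fall-through to the Default File Action are assumptions of this model, as is all the sample data.

```powershell
# Added example, not Heimdal code: a model of how the settings described in this
# article combine for one intercepted process. Field names, the tie-break on equal
# priority, the precedence of an explicit child rule over a parent's Include
# spawns, and Disable falling back to the Default File Action are this model's
# assumptions, not documented product behaviour.

function Test-RuleMatch {
    param([hashtable]$Rule, [hashtable]$Process)
    switch ($Rule.Type) {
        'Software name' { return $Process.SoftwareName -eq $Rule.Subject }
        'Path'          { return $Process.Path -eq $Rule.Subject }
        'Publisher'     { return $Process.Publisher -eq $Rule.Subject }
        'MD5'           { return $Process.MD5 -eq $Rule.Subject }
        'Signature'     { return $Process.Thumbprint -eq $Rule.Subject }
        'Wildcard path' {
            # Assumption: the single environment variable in the Subject is
            # expanded and matched as a prefix of the process path.
            $prefix = [Environment]::ExpandEnvironmentVariables($Rule.Subject)
            return $Process.Path.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)
        }
        default         { return $false }
    }
}

function Resolve-ProcessDecision {
    param(
        [hashtable[]]$Rules,   # Type, Subject, Priority, Action, IncludeSpawns
        [hashtable]$Process,   # Path, Publisher, MD5, ..., IsSystem, Parent (a previous result)
        [hashtable]$Policy     # RulesetMode, DefaultFileAction, AlwaysAllowSystem
    )
    $decision = $null
    if ($Policy.AlwaysAllowSystem -and $Process.IsSystem) {
        $decision = @{ Action = 'Allow'; Source = 'System application'; IncludeSpawns = $false }
    }
    elseif ($Policy.RulesetMode -ne 'Disable') {
        # Highest priority number wins; assumption: on a tie, Block beats Allow.
        $match = $Rules |
            Where-Object { Test-RuleMatch -Rule $_ -Process $Process } |
            Sort-Object -Property @{ Expression = { $_.Priority }; Descending = $true },
                                  @{ Expression = { $_.Action -eq 'Allow' } } |
            Select-Object -First 1
        if ($match) {
            $decision = @{ Action        = $match.Action
                           Source        = "$($match.Type) rule, priority $($match.Priority)"
                           IncludeSpawns = [bool]$match.IncludeSpawns }
        }
        elseif ($Process.Parent -and $Process.Parent.IncludeSpawns) {
            # Include spawns: the parent's decision covers everything it launches.
            $decision = @{ Action = $Process.Parent.Action; Source = 'Parent rule (Include spawns)'; IncludeSpawns = $true }
        }
    }
    if (-not $decision) {
        # No matching rule (or rules disabled): the Default File Action decides.
        $decision = @{ Action = $Policy.DefaultFileAction; Source = 'Default File Action'; IncludeSpawns = $false }
    }
    # Reporting only: the match is recorded but the action is not enforced.
    $enforced  = $Policy.RulesetMode -ne 'Reporting only'
    $effective = if ($enforced) { $decision.Action } else { 'Allow' }
    [pscustomobject]@{
        Process       = $Process.Path
        Action        = $decision.Action
        Source        = $decision.Source
        Enforced      = $enforced
        Effective     = $effective
        IncludeSpawns = $decision.IncludeSpawns
    }
}

# Constructed data for the demonstration (paths and hash values are placeholders).
$policy = @{ RulesetMode = 'Enable'; DefaultFileAction = 'Block'; AlwaysAllowSystem = $false }
$rules  = @(
    @{ Type = 'Publisher'; Subject = 'Microsoft Corporation';            Priority = 10;  Action = 'Allow'; IncludeSpawns = $false }
    @{ Type = 'Path';      Subject = 'C:\Windows\System32\cmd.exe';      Priority = 50;  Action = 'Block'; IncludeSpawns = $false }
    @{ Type = 'MD5';       Subject = 'D41D8CD98F00B204E9800998ECF8427E'; Priority = 100; Action = 'Allow'; IncludeSpawns = $true }
)
$cmd     = @{ Path = 'C:\Windows\System32\cmd.exe';        Publisher = 'Microsoft Corporation'; MD5 = '00000000000000000000000000000001' }
$updater = @{ Path = 'C:\Program Files\Vendor\updater.exe'; Publisher = 'Vendor Ltd';            MD5 = 'D41D8CD98F00B204E9800998ECF8427E' }
$tool    = @{ Path = 'C:\Users\alice\Downloads\tool.exe';   Publisher = '';                      MD5 = '00000000000000000000000000000002' }

# helper.exe is launched by updater.exe, so it carries the parent's decision.
$updaterDecision = Resolve-ProcessDecision -Rules $rules -Process $updater -Policy $policy
$helper = @{ Path = 'C:\ProgramData\Vendor\helper.exe'; Publisher = ''; MD5 = '00000000000000000000000000000003'; Parent = $updaterDecision }

$cmd, $updater, $helper, $tool |
    ForEach-Object { Resolve-ProcessDecision -Rules $rules -Process $_ -Policy $policy } |
    Format-Table Process, Action, Source, Enforced, Effective -AutoSize

# The same ruleset in Reporting only mode: decisions are recorded, nothing is stopped.
$audit = $policy.Clone(); $audit.RulesetMode = 'Reporting only'
Resolve-ProcessDecision -Rules $rules -Process $tool -Policy $audit |
    Format-Table Process, Action, Enforced, Effective -AutoSize
```

Run it as a script in any PowerShell session. With the constructed ruleset, cmd.exe is blocked because the Path rule at priority 50 outranks the Publisher Allow at priority 10, updater.exe is allowed by its MD5 rule and helper.exe inherits that Allow through Include spawns, while tool.exe, which matches nothing, is blocked by the Default File Action. In Reporting only mode the same decisions come back with Enforced set to False, which is what you want to review before switching the mode to Enable.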


Application Control Rules


You can also add a rule manually to the Application Control Rules by specifying the Rule Value, the Rule Type (Software Name, Path, Publisher, MD5, Signature, or Wildcard), the Priority (0-1000), and the Action (Allow / Block).

Software name - the Product name of the executable, shown under Properties -> Details -> Product name
Path - the full path of the executable file
MD5 - the 128-bit MD5 hash of the executable. Compute it locally (for example with Get-FileHash -Algorithm MD5 in PowerShell, or certutil -hashfile <file> MD5) rather than uploading the binary to an online hash generator. A hash rule matches exactly one build of the file, so it has to be updated whenever the application is.
Publisher - the Publisher shown in the Publisher column of Control Panel -> Programs and Features
Signature - the thumbprint of the signing certificate, found under Properties -> Digital Signatures -> Details -> View Certificate -> Details tab -> Thumbprint
Wildcard path - %AppData% or any other environment variable declared at SYSTEM level. Only one environment variable can be placed in the Subject field, and it replaces the process's full path, so the rule covers every executable under that location. An Allow rule on a user-writable location such as %AppData% allows anything dropped there, so prefer a Publisher or Signature rule for software that lives in such paths.
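The following is an added example (not part of the article or of Heimdal's tooling) showing how to collect all of these rule values for one executable locally in PowerShell, including the Publisher string as Programs and Features shows it and the list of SYSTEM-scope environment variables that a Wildcard path rule can use. The function names are this example's own; the file, signature and registry lookups are standard Windows ones.

```powershell
# Added example, not from the article: collect every value the rule types above
# accept for one executable, locally, instead of uploading the binary to an
# online hash generator. Function names are this example's own.

function Get-AppControlSubjects {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName

    # The Publisher column in Programs and Features is read from the Uninstall
    # registry keys, not from the file; match the entry on the product name.
    $productName = $file.VersionInfo.ProductName
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $productName -and $_.DisplayName -like "*$productName*" } |
        Select-Object -First 1

    [pscustomobject]@{
        'Software name'   = $productName
        'Path'            = $file.FullName
        'MD5'             = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5).Hash
        'Publisher'       = $entry.Publisher
        'Signature'       = $sig.SignerCertificate.Thumbprint   # certificate thumbprint for a Signature rule
        'Signer'          = $sig.SignerCertificate.Subject      # who that thumbprint belongs to
        'SignatureStatus' = $sig.Status                         # only trust the thumbprint when Valid
    }
}

# Environment variables usable in a Wildcard path rule: the article limits them to
# those declared under SYSTEM, which is the 'Machine' scope here.
function Get-SystemEnvironmentVariableNames {
    [Environment]::GetEnvironmentVariables('Machine').Keys | Sort-Object | ForEach-Object { "%$_%" }
}

Get-AppControlSubjects -Path "$env:SystemRoot\System32\notepad.exe" | Format-List
Get-SystemEnvironmentVariableNames
```

Check SignatureStatus before relying on the thumbprint: an executable whose signature reports NotSigned or HashMismatch has no trustworthy Signature value. Publisher comes from the Uninstall registry entry, so a portable executable that was never installed returns nothing there, and the MD5 value pins a single build and has to be refreshed on every update.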

 

Priority - as in the rule modal, rules are evaluated by priority number (the higher the number, the higher the priority). Leave gaps between priorities (10, 20, 30, 40, etc.) so new rules can be inserted without renumbering existing ones. The range is 0 to 1000.

 


Allow auto elevation - allows the process to automatically get elevated by the Heimdal™ Privileged Access Management module

Include spawns - extends the Allow to the child processes spawned by the matched process (available only on Allow rules)

 

All added rules are listed in the Application Control Rules table, where they can be edited or deleted from the Action column.

 

 

When a new rule is added, it is first checked for duplicates. If a rule with the same values already exists, a message informs you that the rule is already present.

 


A second check looks for an existing rule with the same values but the opposite Action Type (Allow instead of Block, or vice versa). In that case a popup asks for confirmation; if you confirm, the existing rule's Action Type is overwritten with the new one:

e.g. If the previous rule blocked the execution of chrome.exe and the new rule allows it, the Action Type changes from Block to Allow without a new record being added to the rules list.

If you do not want to change the existing rule, the new-rule fields are cleared so that you can create a different rule instead.


 

A short video presentation of the Application Control product overview accompanies the original article.
