Application Control is a module that controls which processes (applications) can be executed on client machines and how they are executed. You define a set of rules describing which processes are allowed or blocked on the machines in your environment, using details such as Software Name, Path, Publisher, MD5, Signature, or Wildcard Path. A rule can also control how a matched process runs: the process can receive automatic elevation from the Heimdal™ Privileged Access Management module (if so configured), and all processes spawned by the process defined by the rule can be allowed or blocked along with it.
APPLICATION CONTROL view
The Application Control view displays a table with all the intercepted processes. You get information about the Process Name, the number of executions, Publisher, Software Name, Version, Group Policy, MD5, and the Status. The processes can be filtered using the following filters: All intercepted applications, Matching Allow rules, Matching Block rules, Matching Allow by default, and Matching Block by default.
All intercepted applications - displays all the applications that have been running on the machine(s)
Matching Allow rules - displays the latest interceptions that match the 'Allow' rule
Matching Block rules - displays the latest interceptions that match the 'Block' rule
Matching Allow by default - displays the latest interceptions that match the 'Allow by default' status (a process is allowed by default if the Default File Action is set to Allow)
Matching Block by default - displays the latest interceptions that match the 'Block by default' status (a process is blocked by default if the Default File Action is set to Block)
Block - adds the selected process to the ruleset with Block as Action Type
Remove from allowed list - removes the process from the ruleset if it matches an existing rule with Allow as Action Type
Remove from block list - removes the process from the ruleset if it matches an existing rule with Block as Action Type
Allow - adds the selected process to the ruleset with Allow as Action Type
Once you select a process, the Block and Allow buttons will activate:
After hitting the Allow or the Block button, a modal that enables configuration of the rule will appear:
The Global rule radio button applies the rule on all the Group Policies, while the Custom policy global block/allow rule applies to one or more Group Policies that can be specified in the dropdown field.
To configure a rule, the user needs to consider the following Rule Types: Software name, Path, Publisher, MD5, Signature, or Wildcard Paths (once a Rule Type is selected, the Subject field is automatically generated).
Priority - rules are processed based on priority numbers: the higher the number, the higher the priority. Leaving gaps between rules is recommended (10, 20, 30, 40, etc.) so that new rules can be slotted in later without editing existing ones (priority ranges between 0 and 1000)
Allow auto elevation - allows the process to automatically get elevated by the Heimdal™ Privileged Access Management module
Include spawns - extends the rule to the child processes spawned by the parent process it matches
APPLICATION CONTROL GROUP POLICY settings
Enable Full Logging Mode - intercepts and displays all processes on the machines assigned to this Group Policy. All intercepted processes will be displayed in the Application Control view
Always allow executions of system applications - always allows the execution of system files (Windows processes)
Ruleset Mode - sets the way the Application Control rules work
Default File Action - allow or block processes that are not matched by the Application Control Rules
Application Control Rules
You can manually add a new rule to the Application Control Rules by specifying the Rule Value, the Rule Type (Software Name, Path, Publisher, MD5, Signature, or Wildcard), the Priority (0-1000), and the Action (Allow / Block).
Priority - rules are processed based on priority numbers: the higher the number, the higher the priority. Leaving gaps between rules is recommended (10, 20, 30, 40, etc.) so that new rules can be slotted in later without editing existing ones. Priority ranges between 0 and 1000
Allow auto elevation - allows the process to automatically get elevated by the Heimdal™ Privileged Access Management module
Include spawns - extends the rule to the child processes spawned by the parent process it matches (only for processes that are Allowed)
All added rules are listed in the Application Control Rules table. They can be edited or deleted from the Action column.
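The following is an added example, written for this article and not Heimdal's own code, that models how a ruleset like the one described above is evaluated against an intercepted process. The Process and Rule fields, the case-insensitive matching of each Rule Type, and the order of the checks are assumptions that follow the text: the highest-priority matching rule decides and carries its own Allow auto elevation setting, a process with no matching rule receives the Default File Action, and an Allow rule with Include spawns also covers processes spawned by the parent it matches. The sample rules and processes are constructed for the demonstration.

```python
"""Rule evaluation modelled on the Application Control description (added example)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, Optional

RULE_TYPES = ("Software Name", "Path", "Publisher", "MD5", "Signature", "Wildcard Path")
ACTIONS = ("Allow", "Block")


@dataclass(frozen=True)
class Process:
    name: str                           # image name, e.g. "chrome.exe"
    path: str                           # full path on disk
    publisher: str                      # signer name, "" if unsigned
    md5: str                            # hex digest of the image file
    signature: str = ""                 # assumed: signing certificate thumbprint
    parent: Optional["Process"] = None  # the process that spawned this one


@dataclass(frozen=True)
class Rule:
    rule_type: str
    value: str
    action: str
    priority: int                       # 0..1000, higher wins
    allow_auto_elevation: bool = False
    include_spawns: bool = False

    def __post_init__(self) -> None:
        if self.rule_type not in RULE_TYPES or self.action not in ACTIONS:
            raise ValueError(f"bad Rule Type/Action: {self.rule_type}/{self.action}")
        if not 0 <= self.priority <= 1000:
            raise ValueError("Priority must be between 0 and 1000")


def matches(rule: Rule, proc: Process) -> bool:
    """Windows names and paths are case-insensitive, so everything is compared lower-cased."""
    value = rule.value.lower()
    if rule.rule_type == "Software Name":
        return proc.name.lower() == value
    if rule.rule_type == "Path":
        return proc.path.lower() == value
    if rule.rule_type == "Publisher":
        return proc.publisher.lower() == value
    if rule.rule_type == "MD5":
        return proc.md5.lower() == value
    if rule.rule_type == "Signature":
        return proc.signature.lower() == value
    return fnmatchcase(proc.path.lower(), value)  # Wildcard Path: glob over the full path


@dataclass(frozen=True)
class Decision:
    action: str
    reason: str
    auto_elevate: bool = False


def evaluate(proc: Process, rules, default_file_action: str = "Block") -> Decision:
    ordered = sorted(rules, key=lambda r: r.priority, reverse=True)  # highest priority first
    # 1. A rule matching the process itself decides, and its elevation setting applies.
    for rule in ordered:
        if matches(rule, proc):
            reason = f"{rule.rule_type} rule {rule.value!r} (priority {rule.priority})"
            return Decision(rule.action, reason, rule.allow_auto_elevation)
    # 2. Otherwise an Allow rule with Include spawns on an ancestor covers this spawn.
    ancestor = proc.parent
    while ancestor is not None:
        for rule in ordered:
            if rule.action == "Allow" and rule.include_spawns and matches(rule, ancestor):
                return Decision("Allow", f"spawned by {ancestor.name}, allowed by {rule.value!r}")
        ancestor = ancestor.parent
    # 3. Nothing matched: the Group Policy's Default File Action applies.
    return Decision(default_file_action, "no rule matched; Default File Action applied")


# Constructed sample ruleset and processes (not real hashes or vendors).
DEMO_RULES = [
    Rule("Software Name", "chrome.exe", "Block", 10),
    Rule("Publisher", "Contoso Ltd", "Allow", 20, allow_auto_elevation=True),
    Rule("Wildcard Path", r"C:\Program Files\Contoso\*", "Allow", 30, include_spawns=True),
    Rule("MD5", "0123456789abcdef0123456789abcdef", "Block", 40),
]
CHROME = Process("chrome.exe", r"C:\Program Files\Google\Chrome\chrome.exe", "Google LLC", "a" * 32)
TOOL = Process("tool.exe", r"C:\Program Files\Contoso\tool.exe", "Contoso Ltd", "b" * 32)
OLD_TOOL = Process("tool_old.exe", r"C:\Users\Public\tool_old.exe", "Contoso Ltd",
                   "0123456789abcdef0123456789abcdef")           # hash-blocked despite publisher
CMD_FROM_TOOL = Process("cmd.exe", r"C:\Windows\System32\cmd.exe", "Microsoft Windows", "c" * 32,
                        parent=TOOL)                              # covered via Include spawns
UNKNOWN = Process("unknown.exe", r"C:\Temp\unknown.exe", "", "d" * 32)
SAMPLES = (CHROME, TOOL, OLD_TOOL, CMD_FROM_TOOL, UNKNOWN)


def demo(default_file_action: str = "Block") -> Dict[str, str]:
    """Returns {process name: resulting Action} for the sample processes."""
    return {p.name: evaluate(p, DEMO_RULES, default_file_action).action for p in SAMPLES}
```

Calling `demo()` shows the priority resolution in one place: tool_old.exe is blocked because the MD5 rule (priority 40) outranks the Publisher Allow rule (priority 20), cmd.exe is allowed only because its parent tool.exe matches the Wildcard Path rule with Include spawns, and unknown.exe follows whatever Default File Action is passed in.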
On adding a new rule, a check for duplicate entries is performed. If there is another rule with the same values, a message will appear to inform you regarding this fact:
Besides that, a check for a rule that is already defined with a different Action Type (allow instead of block or vice-versa) is also performed. In this case, a popup will appear to inform the user regarding this aspect. If the user confirms it, the existing rule will be overridden with the new value on the Action Type:
e.g. If the previous rule was to block the execution of chrome.exe, and the new status is to Allow, the Action Type will be changed from Block to Allow, without adding a new record in the rules list.
If the user doesn’t want to change the existing rule, the fields for inserting a new rule will be cleared, offering the possibility to create a different kind of rule.
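The duplicate check and the conflicting-Action override described in the last four paragraphs, as an added example that is not Heimdal's code. It assumes that a rule's identity is its Rule Type plus Rule Value (compared case-insensitively): the same identity with the same Action is a duplicate and is rejected, while the same identity with the opposite Action is a conflict that, once confirmed, flips the existing rule's Action in place without adding a second record; declining leaves the ruleset unchanged so a different rule can be entered. The `confirm_override` callback stands in for the confirmation popup.

```python
"""Add-time duplicate and conflict handling for a ruleset (added example)."""
from dataclasses import dataclass, replace
from typing import Callable, List


@dataclass(frozen=True)
class Rule:
    rule_type: str      # Software Name, Path, Publisher, MD5, Signature, Wildcard
    value: str
    action: str         # "Allow" or "Block"
    priority: int       # 0..1000

    def __post_init__(self) -> None:
        if self.action not in ("Allow", "Block"):
            raise ValueError(f"unknown Action: {self.action}")
        if not 0 <= self.priority <= 1000:
            raise ValueError("Priority must be between 0 and 1000")

    def same_subject(self, other: "Rule") -> bool:
        """Assumed identity of a rule: its Rule Type and (case-insensitive) Rule Value."""
        return self.rule_type == other.rule_type and self.value.lower() == other.value.lower()


class RuleSet:
    """Ordered rule list with the checks performed when a rule is added."""

    def __init__(self) -> None:
        self._rules: List[Rule] = []

    def rules(self) -> List[Rule]:
        return list(self._rules)

    def add(self, new: Rule,
            confirm_override: Callable[[Rule, Rule], bool] = lambda existing, new: False) -> str:
        """Adds a rule and reports the outcome:
        'added'      - no rule with this subject existed
        'duplicate'  - same subject and same Action already present (message shown)
        'overridden' - conflicting Action confirmed; the existing rule's Action was flipped
        'cancelled'  - conflicting Action declined; the caller clears the input fields
        """
        for index, existing in enumerate(self._rules):
            if not existing.same_subject(new):
                continue
            if existing.action == new.action:
                return "duplicate"
            # Same subject, opposite Action Type: ask before overriding the existing rule.
            if confirm_override(existing, new):
                self._rules[index] = replace(existing, action=new.action)  # priority kept
                return "overridden"
            return "cancelled"
        self._rules.append(new)
        return "added"


def demo() -> List[str]:
    """Replays the chrome.exe example from the text; returns the outcome of each step."""
    rs = RuleSet()
    block_chrome = Rule("Software Name", "chrome.exe", "Block", 10)
    allow_chrome = Rule("Software Name", "CHROME.EXE", "Allow", 10)
    outcomes = [
        rs.add(block_chrome),
        rs.add(block_chrome),                                      # same values again
        rs.add(allow_chrome),                                      # conflict, user declines
        rs.add(allow_chrome, confirm_override=lambda e, n: True),  # conflict, user confirms
    ]
    outcomes.append(f"{len(rs.rules())} rule(s); chrome.exe is now {rs.rules()[0].action}")
    return outcomes
```

Running `demo()` yields `added`, `duplicate`, `cancelled`, `overridden` and then a single rule whose Action is Allow, which is exactly the sequence the text walks through.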
Here is a short presentation of the Application Control product overview: