Application Control

Last updated
Save as PDF

Overview

Application Control (APC) works in two modes: the Application packages mode and the Trusted installer package mode. The modes can be used either separately or can be combined. Each of the modes can be supplemented with additional functionality: trusted objects, additionally controlled file types, demo mode.

Criteria	Application packages mode	Trusted installer package mode
General description	Application packages are packages that contain any number of allowed (or blocked) applications.	Trusted installer package is a package of allowed applications which consists of two packages: an initial package and the so-called monitored trusted installer package.
Working with the modes
Criteria for identifying applications in packages	Hash value	Vendor Certificate Original file name
Assigning packages to directory objects	You can assign application packages to any directory service object (users/computers/group). With the Global package you summarize applications that are allowed/blocked for all directory objects where the Application Control product is activated. ! Using the Application packages mode if APC is activated for a user: the Application packages are assigned to a USER. E.g.: if a user logs in to comp1 and comp2, a single (user-specific) application package is applied on both comp1 and comp2.	You can assign the Trusted installer package to any directory service object (users/computers/group). ! Using the Trusted installer package mode if APC is activated for a user: the Trusted installer package is assigned to a COMPUTER. E.g.: if a user logs in to comp1 and comp2, different (computer-specific) packages are applied on comp1 and on comp2. Make sure that the Trusted installer engine is enabled on computers where user logs in.
Applying package restrictions	Restrictions based on application packages take effect shortly after activating the Application Control product for a directory service object (user/computer/group).	Restrictions based on the Trusted installer package take effect shortly after activating the Application Control product for a directory service object (user/computer/ group) and enabling the Trusted installer engine.
Configuring settings	In the Settings, you determine whether only the applications from packages are allowed and all others are blocked (whitelist) or whether the applications from packages are blocked and all other applications are allowed (blacklist).	In the Trusted installer settings, you define the list of trusted installers. The Trusted installer mode allows the applications only if they are installed and updated only by the defined trusted installers.
Managing application updates	Once an application from a package is updated, the application package must be modified manually. No real-time monitoring is performed. ! Modify an application package manually once an application is updated. Otherwise, such an application is recognized as an unknown one and will be blocked.	Once an application from a package is updated, the trusted installer package is updated automatically due to the real-time monitoring. If application is from the initial package, update the initial package manually via rescanning under Computer management \| Applications \| Trusted installer. ! Make sure the Trusted installer engine is enabled to perform the monitoring in real time.
Supported additional Application Control settings
Additionally controlled file types:
Dynamic link libraries (DLL)	+	_
Java archives (JAR)	+	+
Demo mode	+	+
Trusted objects	+	+
Block applications with broken signature	+	+

Combining Application packages and Trusted installer package modes

Enabled modes and settings	Result
Application packages (whitelist) + Trusted Installer + Trusted objects	Applications that are allowed either via Application packages or via Trusted Installer or via Trusted objects are pemitted to be launched.
Application packages (blacklist) + Trusted Installer + Trusted objects	Applications allowed either via Trusted objects are pemitted to be launched. Trusted installer has a priority over blocking via the Trusted Installer and the Application packages. -or- Applications allowed via Trusted installer and not blocked via Application packages are pemitted to be launched.
Application packages (learning mode) + TI	Learning mode works as usually, Trusted Installer is ignored.

Enabled modes and settings

Result

Application packages (whitelist) + Trusted Installer + Trusted objects

Applications that are allowed either via Application packages or via Trusted Installer or via Trusted objects are pemitted to be launched.

Application packages (blacklist) + Trusted Installer + Trusted objects

Applications allowed either via Trusted objects are pemitted to be launched.
Trusted installer has a priority over blocking via the Trusted Installer and the Application packages.

-or-

Applications allowed via Trusted installer and not blocked via Application packages are pemitted to be launched.

Application packages (learning mode) + TI

Learning mode works as usually, Trusted Installer is ignored.

Setting up Application Control

Enabling additional control of other file types

Define file types which will be controlled in addition to applications (executable files). In the Application packages mode, you can control both DLL and JAR. In the Trusted installer package mode, you can control only JAR. Pay attention that the control of java archives can decrease the performance on the Agent side.

Avoiding functional restrictions with enabled DLL control. Since DLLs of some applications are loaded dynamically (only when required), they are difficult to log in advance. This makes it difficult for you to allow them and can result in unlisted DLLs being blocked and the functionality of certain applications being restricted.If possible, use the list of trusted objects instead of DLL control. In this way you reduce the administrative effort and avoid functional restrictions. For details, see: Defining a list of trusted objects

Using demo mode for test purposes

Demo mode is enabled by administrators to test how Application Control works before enforcing it in the company. During the period when the demo mode is enabled, full functionality of the Application Control product is used, but with only one exception: forbidden applications are not blocked on a user side and a user sees a warning message.

For enabling demo mode, perform the following steps:

Navigate to Product settings | Applications | Settings.
In the Demo mode area, enable the Demo mode check box.
Click Save.
The demo mode is now enabled. Under Product settings | Applications and under User management/Computer management | Applications, the following warning is shown:

You can now create application packages, assign packages to objects and thus test the configuration.
See also: Customizing user messages

Defining a list of trusted objects

Trusted objects are defined to permit users the launch of applications even if they are blocked by application packages or by the Trusted installer package. Directories, manufacturers and file owners can be classified as trustworthy sources.

To add trusted objects, perform the following steps

Go to Product settings | Applications | Trusted objects.
The list already contains predefined objects. If needed, enable them.
In the toolbar, click on one of the buttons:

Button	Description
Add directory	Specify a directory where permitted applications are located. Applications, DLLs and Java archives of this directory are allowed. If the Application Control product is enabled for a user, the trusted directory %temp% is translated as C:\Users\USERNAME\AppData\Local\Temp If the Application Control product is enabled for a computer, the trusted directory %temp% is translated as C:\Windows\Temp Trusted objects added via user environment variables (e.g.: %username%, %appdata%) do not apply in case of activating Application Control for a computer.
Add owner	Select a user from a directory structure who is permitted to access applications where he is an owner. To view an application owner, right-click an application in Windows Explorer (Properties \| Security tab \| Advanced). Applications, DLLs and Java archives of this owner are permitted.
Add vendor	Scan local computer, Agents and network computers for available vendors and add vendors as trusted ones. Selected datatypes (applications, DLLs, Java archives) of this developer are permitted.

Button

Description

Add directory

Specify a directory where permitted applications are located. Applications, DLLs and Java archives of this directory are allowed.

If the Application Control product is enabled for a user, the trusted directory %temp% is translated as C:\Users\USERNAME\AppData\Local\Temp
If the Application Control product is enabled for a computer, the trusted directory %temp% is translated as C:\Windows\Temp

Trusted objects added via user environment variables (e.g.: %username%, %appdata%) do not apply in case of activating Application Control for a computer.

Add owner

Select a user from a directory structure who is permitted to access applications where he is an owner. To view an application owner, right-click an application in Windows Explorer (Properties | Security tab | Advanced). Applications, DLLs and Java archives of this owner are permitted.

Add vendor

Scan local computer, Agents and network computers for available vendors and add vendors as trusted ones. Selected datatypes (applications, DLLs, Java archives) of this developer are permitted.

Click Save.

Disabling Microsoft default vendors. Disabling the Microsoft default vendors might result in performance problems and problems with Windows update on Clients.

Blocking applications with broken signature

If the control of applications with broken signature is enabled, the applications, DLLs and java archives with a broken signature will be blocked.

Navigate to Product settings | Applications | Settings.
In the Control applications with broken signature area, check the Block applications with broken signature box.
Click Save.
Now all applications where the signature is broken will be blocked.

Working with Application Control: the Application packages mode

Creating an application package

Under Product settings | Applications | Settings, in the List type area, select a mode according to which all application packages work:
- Whitelist is a list of permitted applications. Access to non-listed applications is blocked.
- Blacklist is a list of applications access to which is blocked. Access to non-listed applications is allowed.
Click Save.
Go to Product settings | Applications | Application packages.
Existing packages are organized in a tree structure. The <Global> package is available by default and automatically assigned to all users/computers.
Click Add package on the toolbar.
The new package appears in the tree structure.
Enter a package name.
The package can now be filled. In the Package definition area, the contents of a selected package is listed:

Filling an application package

You have several options to add applications/DLLs/Java archives to packages:

Scanning Client computers
Adding objects from launch history
Learning mode (without Secure Audit)

Filling the Global package. If you fill in the existing Global package, the inserted package files apply to all users and computers, since the package is automatically assigned to all objects of the directory service structure and cannot be removed.

Scanning Client computers for applications/DLLs/Java archives

Search for applications ever launched on computers, dynamic link libraries (DLL) and java archives (JAR). Only online computers with Agents can be scanned.

Under Product settings | Applications | Application packages, select a package.
In the Package definition work area, click Add.
The Search files dialog appears.
In the Source column, select a computer with an online Agent where the search will be performed.
In the Files type drop-down box, select whether to search for *.exe, *.dll, *jar or all files.
The All files filter finds all file types, but only .exe, .jar and .dll (also other file types that refer to them) are supported.
Click Search.
The scan starts. Found files are listed. You can filter the search results by a term or group them by a manufacturer. Objects that are already in a package are highlighted in bold.
The Browse button is active only when searching on local Agents.
Encrypted files are not scanned as the scan runs from the system.

Select an entry from the list and click Add. To select multiple elements, hold down Ctrl and click on objects.
The dialog closes. Selected entries appear in the Package definition area. The calculated hash value in the Hash value column uniquely identifies the application on all Clients.
Click Save.
You can now assign the package to users, computers or groups.

Adding previously started objects from a launch history

If you do not have the Secure Audit product, you can view previously started objects and add them to packages only if you previously enabled the learning mode. For details, see Learning mode

Under User management/Computer management | Applications, select a user/computer from the directory service structure.
In the lower area, click on the Applications launch tab.
Filter the table if needed. For details, see: Showing audit data
Right-click an audit entry and select Add to package from the context menu.
The Select object dialog appears.
Select a package and click OK to confirm.
In the Package column of the entry, the package name appears.

Using the learning mode

If you are not using the Secure Audit product, you can use the learning mode to log a history of started applications.
All background and foreground applications started by the selected user/computer are logged. You can then add them to a package. For details, see: Adding objects from launch history.

Enabling the learning mode

Under User management/Computer management | Applications, select a user/computer.
Navigate to the Applications tab.
On the toolbar, click Start learning mode.
The Learning mode setup dialog opens.
Select Automatically, by the specified time to end the mode automatically in a certain period of time.
Select Manually to stop the mode by clicking the Stop learning mode button.
Click OK to confirm.
The learning mode is now enabled. All applications started by the user/computer are now logged and listed in the Applications launch tab and can be added to a package there.

Assigning application packages

Before assigning application packages, make sure that applications necessary for the user are not blocked. See also: Using demo mode. For assigning application packages to directory objects, perform the following steps:

Under User management/Computer management | Applications, select a user/computer.
In the lower area, click on the Applications tab.
The Global package and other inherited packages are displayed. Users/computers can inherit packages from the default user/computer or from groups.
In the Profile drop-down, select whether this package is valid in online or in offline mode.

Application Control on offline Agents. By default, if no application package has been assigned to a directory object in offline profile, the same set of application packages is applied on the Agent both in online and offline mode. Once at least one package is assigned to a directory object in the offline profile, from that moment different sets of application packages are applied on the Agent depending on whether it is online or offline. The Global package is always applied in online and offline mode.

Click Add.
The Select object dialog appears.
Select a package and click OK to confirm.
The selected package appears in the Applications tab.
To disable the inheritance of packages from groups or default user/computer, enable the Activate individual settings check box.
The previously inherited packages remain in the list, delete them, if needed.
Click Save.
The changes are applied to the directory service object.

Enabling the Application packages mode

Under User management/Computer management | Applications, select a directory object.
If a user/computer inherits different Application Control mode settings from several groups (e.g.: one group with Application packages mode, the other group with Trusted Installer package mode), the Trusted installer package mode has a priority.
Enable the Activate individual settings check box to disable inheritance from default rights or from groups to which a directory object belongs.
In the lower area, in the Mode tab, enable the Application packages check box.

Click Save.
To additionally control applications on network shares and thin client storage, enable the Allow network shares control and Allow thin client storage control options for a computer under Computer management | Settings | Client settings

Granting temporary access to blocked applications

Via the Unblocking code, temporary access to all blocked applications/DLLs/java archives can be granted to a user/computer if the Agent is offline (cannot connect to the EgoSecure Server) or if the EgoSecure Agent is online but just a temporary full access to all applications is needed.

Generating unblocking code for blocked applications

Under User management/Computer management | Applications, select a user or a computer.
In the lower area, in the Applications tab, click Unblocking code… on the toolbar.
The Unblocking code generation – Application Control dialog appears.
In the Valid drop-down, select how long you want to allow access to blocked applications.
Click Generate.
The code is generated and appears in the Code field.
Copy the code and send it to the user (E.g.: by mail).
Once a user activates the code, the user can access all blocked applications.
Administrators can see the code activation details under Reports | Control | Unblocking codes review.
New code doesn’t replace the previous one.

Working with Application Control: the Trusted installer package mode

Creating a list of trusted installers

Go to Product settings | Applications | Trusted installer.
On the toolbar, click Add installer.
The Search files dialog appears.

In the Source column, select a local computer or an online Agent computer to scan for executable files.
Define where to search for installers.
Click Search.
Scanning starts.
Once the scan finishes, select an installer.
To multiselect, hold down Ctrl and click.
Click Add.
Installers are added to the list.
Click Save.

Missing attributes in the executable. Problem: An executable file must have at least one of the attributes: original filename, vendor or certificate. If all these attributes are missing, such a file will not be added to the list. Solution: Add a trusted directory under Trusted objects.

Enabling the Trusted installer engine

Go to Computer management | Applications and select a computer.
In the lower area, in the Trusted installer tab, check the Enable trusted installer engine box.
To enable the Trusted installer engine, the Application Control license is not required.
Click Save on the toolbar.
Computer scanning for executable files on logical disks starts.
As a result, a list of currently installed applications (initial list) is created and the monitoring of applications installed by the Trusted installers starts. To apply restrictions, activate the Application Control product and enable the Trusted installer package mode for directory objects.

Enabling the Trusted installer package mode

Under User management/Computer management | Applications, select a directory object.
Enable the Activate individual settings check box to disable inheritance from default rights or from groups to which a directory object belongs.
In the lower area, in the Mode tab, enable the Trusted installer package check box.

Click Save.
From now on, only the applications installed by the specified Trusted installers and the applications from the initial list are allowed. The initial list is not updated in real time, which means that if an application from the initial list is updated by a non-trusted installer, such an application will be blocked, because its hash value changes.
To additionally control applications on network shares and thin client storage, enable the Allow network shares control and Allow thin client storage control options for a computer under Computer management | Settings | Client settings.