View and change Application Control software rulesets

Views:

Each computer has its own Application Control software ruleset. You can do the following:

View Application Control software rulesets and find out which rules they include.

When you first enable Application Control for a computer, the software installed on the computer is added to the computer's inventory and allowed to run. However, you cannot see the rules associated with the inventory from Workload Security unless you use the Deep Security legacy REST API to do so (see Use the API to access advanced Application Control features). In the Workload Security console, a computer's ruleset appears empty until you create some allow/block rules for the computer.
Change the action of one Application Control software ruleset rule if a software file should be blocked or not allowed.
Delete an individual Application Control software ruleset rule if the software has been removed and is not likely to return.
Delete an Application Control software ruleset if the computer associated with the ruleset has been removed.

If a user reports that Application Control is blocking software that they need to run on a particular computer, you can undo the block rule on that computer. Go to Events & Reports → Application Control Events → Security Events, find the computer, locate the block event, and then click View Rules. In the dialog that appears, you can change the block rule to an allow rule.

View Application Control software rulesets

To view the list of Application Control software rulesets, go to Policies → Common Objects → Rules → Application Control Rules → Software Rulesets.

application-control-policies-rulesets=8792ee0a-f623-4541-8e12-02ef14862bf8.png

To see which rules are part of a ruleset, double-click the ruleset and go to the Rules tab. The Rules tab displays the software files that have rules associated with them and enables you to change allow rules to block, and vice versa. See Change the action of one Application Control rule.

Security Events

Events & Reports → Events → Application Control Events → Security Events displays all unrecognized software that either was run on a computer or was actively blocked from running. You can filter this list by time period and other criteria. For more information, see Application Control events.

For each event (except aggregated events), you can click View rules to change the rule from Allow to Block or vice versa.

The agent versions 10.2 and later include event aggregation logic to reduce the volume of logs when the same event occurs repeatedly. See Interpret aggregated security events.

Change the action for an Application Control rule

If you want to allow a software that you previously blocked (or the opposite), you can edit the action in the rule. If you need to undo the rule so that the software is not recognized by Application Control (in other words, delete the rule, not only change its action), see Delete an individual Application Control rule instead.

Procedure

Go to Policies → Common Objects → Rules → Application Control Rules → Software Rulesets.
Double-click to select the ruleset that contains the rule that you want to change.
On the dialog that appears, go to the Rules tab.
If you want to focus on software that was blocked (or allowed), then in the menu next to Application Control Rules, select By Action to group similar rules. Alternatively, you can use the search to filter the list.

If you want to change the action for a software file, but it has multiple different file names , select By File Name to group related rules.
Find the row for the specific software that you want to allow or block.
In the Action column, change the setting to allow or block, then click OK.

The next time that the agent connects with Workload Security, the rule is updated and the version number increases.

Delete an individual Application Control rule

If you want to undo a rule that you created, go to Policies → Common Objects → Rules → Application Control Rules → Software Rulesets, double-click the ruleset that contains the rule, go to the Rules tab, select the rule and then click Delete.

Keep in mind the following:

When the rules are not needed anymore, you can delete them to reduce the size of the ruleset. This improves performance by reducing RAM and CPU usage.
If you delete a rule, Application Control cannot recognize the software anymore. If the software is installed again, it appears again on the Actions tab.
If a software update is unstable and you might need to downgrade, keep rules that allow rollback to the previous software version until you have completed testing.
To find the oldest rules, go to Policies → Rules → Application Control Rules → Software Rulesets, then click Columns. Select Date/Time (Last Change), click OK, and then click that column's header to sort by date.

Delete an Application Control ruleset

If an Application Control ruleset is not being used anymore (for example, if the computer associated with the ruleset no longer exists), you can delete it.

To delete a ruleset, go to Policies → Rules → Application Control Rules → Software Rulesets, click a ruleset to select it, and click Delete.