Views:
WARNING
WARNING
Application Control continuously monitors your server and logs an event whenever a software change occurs. It is not intended for environments with self-changing software or that normally creates executables, such as some web or mail servers. To ensure Application Control is appropriate for your environment, check What does Application Control detect as a software change?.
For information about how Application Control works, see About Application Control and Application Control Trust Entities.

Monitor new and changed software Parent topic

Once an inventory has been created on a protected computer, any software executable files that are added or changed are classified as a "software change" and appear on the Actions page in Server & Workload Protection. When unrecognized software runs, or attempts to run and is blocked, the event is listed under Events & ReportsEvents Application Control Events Security Events. For more information, see Application Control events.
After you initially enable Application Control, you will likely see a lot of software changes on the Actions page. This can happen when allowed software creates new executables, renames files, or relocates files through the normal course of operation. As you add rules to tune Application Control, you should see fewer software changes.
To quickly find all software changes on all computers and easily create allow or block rules for them, use the Actions tab.
Tip
Tip
You can automate the creation of software ruleset allow or block rules using the Server & Workload Protection API. For more information, see Allow or block unrecognized software.

Procedure

  1. In the Server & Workload Protection console, go to Actions.
  2. There are several ways you can filter to see only specific occurrences of unrecognized software.
    Tip
    Tip
    Instead of evaluating each software change on each computer individually, use the filters described below to find software changes that you know are good, and allow them in bulk.
    actions.png
    To reduce the number of software changes being displayed:
    • From the drop-down list next to Application Control: Software Changes, select a time range such as Last 7 Days. You can also click a bar in the graph near the top of the page to display the changes for that time period.
    • In the pane on the left, click Computers and select an individual computer or group, or click Smart Folders to display only the computers that are included in a particular smart folder (see Group computers dynamically with smart folders).
      Note
      Note
      Unlike the Computers tab, the Software Changes pane usually does not show all computers. It only displays computers where Application Control has detected software changes that don't already have allow or block rules.
    • Enter search terms and operators in the search filter field. You search for these attributes: Change By Process, Change By User, File Name, Host Name, Install Path, MD5, SHA1, and SHA256. For example, you could find all changes made by a particular user that you trust and click Allow All to allow all of their changes. Or if a particular software update was installed across your organization (while maintenance mode was not enabled), filter the page according to the hash value of the file and click Allow All to allow all occurrences.
      Tip
      Tip
      Details about a software change are displayed in the right pane. You can click the file name or computer name in the details to add it to your search filter.
    • Select whether to Group by File (Hash) or Group by Computer.
  3. Click either Allow or Block to add an allow or block rule on that computer, for that software. If you need more information to decide whether to allow or block, click the software name, then use the details panel on the right side.
    The next time that the agent connects with Server & Workload Protection, it receives the new rules.

What to do next

Tips for handling changes Parent topic

  • For most environments, we suggest that you select the Allow unrecognized software until it is explicitly blocked option to allow software changes by default when you first enable Application Control and add allow and block rules for changes that you see on the Actions page. Eventually, the rate of software changes should decrease. At that point, you could consider blocking software changes by default and creating allow rules for the software that you know is good. Some organizations prefer to continue to allow changes by default and monitor the Actions page for software that should be blocked.
  • You may prefer to start by evaluating security events, rather than dealing with unrecognized software first. Security events show you which unrecognized software has run (or attempted to run). For information on security events, see Monitor Application Control events.
  • When an unrecognized file is allowed to execute and you want to continue to allow it, create an Allow rule. In addition to allowing the file's execution, the event is no longer logged for that file, which reduces noise and makes important events easier to find.
  • When a known file's execution is blocked, consider cleaning that file from the computer, especially for repeated occurrences.
  • Keep in mind that software changes are listed for each computer where they occur. You must allow or block the software for each computer.
  • Rules are assigned to computers, not to policies. For example, if helloworld.py is detected on three computers, when you click Allow All or Block All, this would affect only three computers. It won't affect future detections on other computers, because they have their own rulesets.
  • If you see changes related to software updates that you can control, use the maintenance mode feature when performing those updates. See Turn on maintenance mode when making planned changes.
  • Do not run Application Control in lockdown mode on computers and servers that have automatic updates enabled.

Turn on maintenance mode when making planned changes Parent topic

When you install patches, upgrade software, or deploy web applications, Application Control will detect them. Depending on your setting for how to handle unrecognized software, this could block that software until you use the Actions tab to create allow rules.
To avoid extra down time and alerts during deployment and maintenance windows, you can put Application Control into a mode designed for maintenance windows. While maintenance mode is enabled, Application Control will continue to block software that is specifically blocked by an Application Control rule, but it will allow new or updated software to run and automatically add it to the computer's inventory.
Tip
Tip
You can automate maintenance mode using the Server & Workload Protection API. For more information, see the Configure maintenance mode during upgrades guide.

Procedure

  1. In the Server & Workload Protection console, go to Computers.
  2. Select one or more computers, then click Actions Turn On Maintenance Mode.
  3. Select the duration of your maintenance window.
    Maintenance mode will automatically disable itself when your maintenance window is scheduled to end. Alternatively, if you'd prefer to manually disable maintenance mode when updates are finished, select Indefinite.
    On the Dashboard, the Application Control Maintenance Mode Status widget indicates whether the command succeeded.
  4. Install or upgrade software.
  5. If you chose to disable maintenance mode manually, remember to disable maintenance mode in order to start to detect software changes again.