Application Control provides the ability to define criteria that
specifically allow certain applications to execute. You can define allow criteria
to
ensure that Application Control never blocks a certain application, or you can
create a complete list of applications allowed to execute on endpoints and then
deploy a Lockdown policy to the endpoints. While in Lockdown mode, users cannot execute, access, or install any
application that you did not include in the allow criteria.
For more information about Lockdown policies, see Application Control Policy Settings.
NoteBy default, an allow criteria takes priority over a block criteria at the top-level
process level.
For example, if
a.exe is the top-level process, b.exe is the child process, and plugin.dll is the add-on that a.exe loads. Based on the allow and block criteria settings in the following table, the
system only allows a.exe to execute.
|
Procedure
- Go to .The Application Control Criteria screen appears.
- Click Add Criteria and select
Allow.The Allow Criteria Settings screen appears.
- Type a unique Name for the criteria.
- Select the level of Trust permission for the
applications.PermissionDescriptionExample UseApplication cannot execute external processesApplications cannot access any external processes or start any other applicationsSelect this option for applications with a low trust level.Use when you want to allow standalone applications to run on endpoints but prevent access to other processesFor example, if
a.exeis the top level process that matches the rule andb.exeis the child process, then the system only allowsa.exeto execute.Application can execute other processesApplications can start external processes and applications that users are unable to access directlySelect this option for applications with a medium trust level.Use when you want to allow applications to run on endpoints and still allow access to required child processes or add-ons for the current session.For example, ifa.exeis the top level process that also loadsplugin.dllandb.exeis the child process, then the system allows botha.exeandb.exeto execute, and also loadsplugin.dll.Inheritable execution rights (not recommended)Applications can install and start external processes and applications, and the child applications can also install and start external processes and applicationsIn addition to having the same behavior as Application can execute other processes, the system stores the SHA1 values of the processes and automatically allows the processes to execute in subsequent matches.Select this option only for applications with a high trust level.Use when you want to allow installation packages to execute on the endpoint.Inheritable execution rights (not recommended) allows the installation package to perform all installation tasks and then also allows the installed application to run all required processes. - Select the Match method used to
identify applications and configure required settings.MethodDescriptionApplication Reputation ListAllows you to apply the criteria to applications that TrendAI™ has tested and assigned a security score forFor more information, see Application Reputation List.File pathsAllows you to apply the criteria to any application installed in the specified locationFor more information, see File Paths.CertificatesAllows you to apply the criteria to applications based on certificate validity and certificate attributesFor more information, see Certificates.Hash valuesAllows you to apply the criteria to applications based on SHA-1 or SHA-256 hash valuesFor more information, see Hash Values.Gray Software ListAllows you to include applications to the criteria that TrendAI™ has tested and found to be potentially harmfulThe Gray Software List is a subset of the Application Reputation List and contains applications that may be malicious if not used properly. TrendAI™ recommends blocking or monitoring applications in the Gray Software List to ensure that your network remains secure.
- Click Save.
