You can enable application control for computers running Deep Security Agent 10.0 or higher. For a list of operating systems where application control is supported, see Supported features by platform.
Application control continuously monitors for software changes on your protected servers. Based on your policy configuration, application control either prevents unauthorized software from running until it is explicitly allowed, or allows unauthorized software until it is explicitly blocked. Which option you choose depends on the level of control you want over your environment.
Application control continuously monitors your server and logs an event whenever a software change occurs. It is not intended for environments where software modifies itself or routinely generates new executables, such as some web or mail servers, because every such change would surface as unrecognized software. To ensure Application Control is appropriate for your environment, check What does application control detect as a software change?.
You can automate Application Control creation and configuration using the Deep Security API. For more information, see the Configure Application Control guide in the Deep Security Automation Center.
Targeted protection state: One of the main decisions you need to make when setting up application control is your targeted protection state. Do you want to prevent all new or changed software from running unless you manually specify that it is allowed? Or do you want it to run by default unless you specifically block it? One common approach is to allow unrecognized software when you first enable application control, while there is still a lot of it. As you add application control rules and the volume of unrecognized software decreases, you can switch to block mode.
Application control rule: Rules specify whether software is allowed or blocked on a particular computer.
Inventory: Initial list of software that is installed on the computer and allowed to run. Make sure only software that you want to allow is installed on the computer. When you enable application control, all currently installed software is added to the computer's inventory and allowed to run. When a computer is in maintenance mode, any software changes made to the computer are added to the computer's inventory and allowed to run. A computer's software inventory is stored on the Deep Security Agent and is not displayed in Deep Security Manager.
Unrecognized software: Software that isn't in a computer's inventory and isn't already covered by an application control rule. See What does application control detect as a software change?
Maintenance mode: If you are planning to install or update software, we strongly advise that you turn on maintenance mode. In maintenance mode, application control continues to block software that is specifically blocked by an Application Control rule, but allows new or updated software to run and adds it to the computer's inventory. See Turn on maintenance mode when making planned changes.
To improve overall system security, the inventory does not include software on remote file systems, and maintenance mode does not automatically allow new or updated software from remote file systems. Software on remote file systems must be added to the inventory manually.
There are a few places in Deep Security Manager where you can see changes related to application control:
The Application Control: Software Changes page is displayed when you click Actions in Deep Security Manager. It displays all unrecognized software (software that isn't in a computer's inventory and doesn't have a corresponding application control rule). Software changes are allowed or blocked at the computer level, so if a particular piece of software is installed on fifty computers, it will appear on that page fifty times. However, if you know that a certain piece of software should be allowed or blocked everywhere, you can sort the Actions page by file hash and then click Allow All to allow it on all computers where the software is installed.
The policy applied to a computer specifies whether it will allow all unrecognized software to run by default, or block all unrecognized software, but no explicit application control rule is created until you click "Allow" or "Block" on the Actions page. When you click Allow or Block, a corresponding rule appears in the ruleset for the computer. The rulesets are displayed on the Application Control Rulesets page.
To see the ruleset for a computer, go to Policies > Common Objects > Rules > Application Control Rulesets . To see which rules are part of a ruleset, double-click the ruleset and go to the Rules tab. The Rules tab displays the pieces of software that have rules associated with them and enables you to change allow rules to block, and vice versa.
Events & Reports > Events > Application Control Events > Security Events displays all unrecognized software that either has been run on a computer or has been prevented from running by a block rule. You can filter this list by time period and other criteria.
For each event (except aggregated events), you can click View rules to change the rule from Allow to Block or vice versa. Deep Security Agent 10.2 or later includes event aggregation logic to reduce the volume of logs when the same event occurs repeatedly.
Unlike integrity monitoring, which can monitor any file, application control looks only at software files, both when it builds the initial inventory and when it monitors for changes.
Software includes compiled binaries and libraries as well as scripts and byte code that are interpreted or compiled by another program. For example, WordPress and its plug-ins, Apache, IIS, nginx, Adobe Acrobat, app.war, and /usr/bin/ssh would all be detected as software.
Application control checks a file's extension to determine whether it's a script. Additionally, on Linux, application control treats any file with execute permissions as if it's a script.
On Windows computers, application control tracks changes on the local file system, but not on network locations, CD or DVD drives, or USB devices.
Application control is integrated with the kernel (on Linux computers) and file system, so it has permissions to monitor the whole computer, including software installed by root or administrator accounts. The agent watches for disk write activity on software files, and for attempts to execute software.
To determine whether software is new or has changed, Deep Security 10 agents compare the file with the initially installed software's SHA-256 hash, file size, path, and file name (they have a "file-based" ruleset). Deep Security 11 (and newer) agents compare only the file's SHA-256 hash and file size (they have a "hash-based" ruleset). Because the rules created by Deep Security 11 (and newer) agents compare only the unique hash and file size, a rule will continue to be applied even if the software file is renamed or moved. As a result, using Deep Security 11 (and newer) agents reduces the number of software changes that you need to deal with.
A Deep Security 10 agent continues to use a file-based ruleset until it is upgraded to Deep Security 11.0 or newer. When you upgrade an agent to version 11.0 or newer, its ruleset is converted to use hash-based rules. If there are multiple file-based rules for the same hash value, they are consolidated into one hash-based rule. If the rules being consolidated conflict with each other (one rule blocks the file and another allows it), the new hash-based rule will be an "allow" rule.
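The following Python model is an added illustration, not Trend Micro code, of the difference between the file-based rules described above and hash-based rules, of how the policy default (block or allow unrecognized software) applies when no rule matches, and of the upgrade-time consolidation rule under which conflicting file-based rules for the same hash become a single "allow" rule. The rule keys, function names and the sample file are assumptions made for the example; the real agent's internal representation is not documented on this page.

```python
"""Model of file-based vs hash-based Application Control rules.

Added example; not Trend Micro code. Rule keys follow the page's
description: a Deep Security 10 agent keys a rule on (SHA-256, size,
path, file name); an 11+ agent keys on (SHA-256, size) only.
"""
import hashlib
import os
import tempfile

ALLOW, BLOCK = "allow", "block"


def sha256_and_size(path):
    """Return (hex SHA-256, size in bytes), streaming so large binaries are not read whole."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return digest.hexdigest(), size


def file_key(path):
    """Deep Security 10 style ('file-based') key: hash, size, directory, file name."""
    digest, size = sha256_and_size(path)
    abs_path = os.path.abspath(path)
    return (digest, size, os.path.dirname(abs_path), os.path.basename(abs_path))


def hash_key(path):
    """Deep Security 11+ style ('hash-based') key: hash and size only."""
    return sha256_and_size(path)


def decide(path, rules, default_action, hash_based=True):
    """Action for a file: the matching rule's action, otherwise the policy default.

    default_action models the targeted protection state: BLOCK for
    block-unrecognized policies, ALLOW for allow-unrecognized policies.
    """
    key = hash_key(path) if hash_based else file_key(path)
    return rules.get(key, default_action)


def consolidate(file_rules):
    """Convert file-based rules to hash-based rules as described for an agent upgraded to 11.0+.

    Rules that share a hash (and size) merge into one rule. If the merged
    rules disagree (one allows, one blocks), the result is an ALLOW rule,
    which is why conflicting rules are worth auditing before an upgrade.
    """
    merged = {}
    for (digest, size, _directory, _name), action in file_rules.items():
        key = (digest, size)
        if key in merged and merged[key] != action:
            merged[key] = ALLOW
        else:
            merged.setdefault(key, action)
    return merged


def renamed_binary_scenario():
    """Constructed scenario: an inventoried binary is renamed in place.

    Returns the decision each ruleset makes for the renamed file under a
    block-unrecognized policy.
    """
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "agent-tool")
        with open(original, "wb") as f:
            f.write(b"\x7fELF constructed sample binary content\n")  # not a real executable
        # Enabling application control inventories installed software as allowed.
        file_rules = {file_key(original): ALLOW}
        hash_rules = {hash_key(original): ALLOW}
        renamed = os.path.join(workdir, "agent-tool.bak")
        os.rename(renamed if False else original, renamed)
        return {
            "file_based": decide(renamed, file_rules, BLOCK, hash_based=False),
            "hash_based": decide(renamed, hash_rules, BLOCK, hash_based=True),
        }


if __name__ == "__main__":
    print(renamed_binary_scenario())  # {'file_based': 'block', 'hash_based': 'allow'}
```

With a block-unrecognized policy, the file-based ruleset treats the renamed file as unrecognized software and blocks it, while the hash-based ruleset still matches the inventory entry and allows it. The same property cuts the other way: a hash-based "block" rule keeps blocking a binary no matter where it is copied, but a modified build with a different hash is simply new unrecognized software and falls back to the policy default.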
© 2024 Trend Micro Incorporated. All rights reserved.