1. Navigate to Manage > Host > App Control Policies in the left navigation pane


  3. Provide the Policy Name and, optionally, a Comment


  4. Specific App Control configurations can be defined for each interpreter on the installed OS. Click ADD APP CONTROL RULE


  5. Add App Control Configuration

    App Control Policy configuration consists of four key sections:

    1. The first section defines the rule's name, the binary application for which the rule is created, and whether that binary is blocked. The Application Name field accepts a regex, with its scope limited to a specific path


      1. The Block unless Allowed checkbox blocks the binary under all circumstances (unless Allow rules are created under the File-less section, as described in the next section)

        Field Name

        Name of the Script Configuration

        A short description of the configuration

        Create Configuration using – Select an existing Script Configuration that can be used to prepopulate the form

        Application Name – Executable file name of this interpreter configuration that will be associated with the configuration. The value can be a full or partial name, a full or partial path, a hash or a regular expression. Along with the application name, the hash value is also considered during process execution

        Block unless Allowed – Select the checkbox to prevent the application from executing under all circumstances. Any following rules for this interpreter become irrelevant. Ensure that the interpreter is not allowlisted, as allowlist rules take precedence over this setting

        Table - ACP – Section 1


    2. The file-based configuration defines which kinds of files (by extension) are monitored for file-based execution by binary applications that are also interpreters. Signed scripts are all allowed by default


      Field Name

      File Based Execution Rules – Specify file association and file execution rules for this application

      Scan Criteria – The list of extensions specified here is only used during the reference host scan workflow, for the purpose of generating the initial allowlist

      Table - ACP – Section 2


    3. The file-less configuration defines the command lines, users or parent processes that are allowed or disallowed for the binary application in scope. This is typically the most commonly used configuration


      Field Name

      File-less Pre Execution Rules – Specify rules for command line execution without any files. Disabling this setting allows any or all command line executions

      Command Line
        Enable – Once enabled, provide the Match Type (Matches, Does not Match), the regex pattern for command line execution and a relevant description. It provides control over which processes can spawn the interpreter. Provide the actual file path and NOT its symbolic link (for Linux). Provide only the pattern; do not prefix -" to it
        Disable – No check for the command line is performed

      Parent Process Control
        Enable – Once enabled, provide the Match Type (Matches, Does not Match), the regex pattern for the parent process and a relevant description. It provides control over which processes can spawn the interpreter. The value can be a full name, partial name, full path, partial path, hash or regular expression
        Disable – No check is performed on the parent process invoking the configured script. Any process can launch the interpreter

      User Access Control
        Enable – Once enabled, provide the Match Type (Matches, Does not Match) and the relevant user names. The value must be an exact match for the username. For Windows, the match is case-insensitive
        Disable – No check is performed on the user invoking the configured script

      Table - ACP – Section 3


    4. The Dynamic Execution Rule configuration allows or blocks the spawning of any child process by the script


      Field Name

      Dynamic Execution Rules

      Launch Process
        Allow – Allow the script to launch processes
        Block – Block the script from launching processes

      Table - ACP – Section 4


    5. Click SAVE


    • Use a precise regular expression that targets the expected process and excludes unwanted processes

    • For a particular configuration type, the user can define either an Allow rule or a Deny rule

    • For "Block Unless Allowed" binaries, the file-less configuration can define Allow rules

    • During an ACP scan, scripts are discovered along with the binary files

    • ACP rules are applied based on the hash values along with the file names

    • When a combination of rules is configured (File Based, i.e., command line, user based and parent process), Allow rules take precedence over Deny rules

    • ACP takes precedence over the allowlist: a process can be allowlisted manually, as part of a scan, or because it is a safe process, and it can still be blocked when an ACP for that process is attached
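To make the rule semantics and precedence above concrete, the following Python model is an added example and not the product's own code: it evaluates one process launch against one App Control rule, using the Application Name regex and the hash as the rule scope, applying the file-less Command Line, Parent Process and User Access checks with Matches / Does not Match semantics (usernames compared exactly, case-insensitively on Windows), and letting Allow rules win over Deny rules and over Block unless Allowed. The event fields, the requirement that every enabled check of a rule agree, and the sample rules are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
@dataclass
class ProcessEvent:                 # constructed telemetry for one process launch (assumed shape)
    path: str                       # full path of the executed binary
    sha256: str
    cmdline: str
    parent: str                     # full path of the parent process
    user: str
    os: str = "linux"

@dataclass
class FilelessRule:                 # section 3 checks; None means that check is disabled
    kind: str                       # "allow" or "deny"
    cmdline: Optional[Tuple[str, str]] = None   # (match type, regex)
    parent: Optional[Tuple[str, str]] = None    # (match type, regex)
    user: Optional[Tuple[str, str]] = None      # (match type, exact username)

@dataclass
class AppControlRule:               # section 1 scope plus its file-less rules
    app_pattern: str                # Application Name regex over the binary path
    app_hash: Optional[str] = None  # optional hash, considered alongside the name
    block_unless_allowed: bool = False
    fileless: List[FilelessRule] = field(default_factory=list)

def _check(spec, value, regex=True, ci=False):
    match_type, pattern = spec      # match type is "Matches" or "Does not Match"
    hit = (re.search(pattern, value) is not None if regex
           else (value.lower() == pattern.lower() if ci else value == pattern))
    return hit if match_type == "Matches" else not hit

def rule_hits(rule, ev):            # assumption: every enabled check must agree for the rule to apply
    return ((rule.cmdline is None or _check(rule.cmdline, ev.cmdline))
            and (rule.parent is None or _check(rule.parent, ev.parent))
            and (rule.user is None or _check(rule.user, ev.user, regex=False, ci=ev.os == "windows")))

def evaluate(rule, ev):             # returns "allow", "block" or "not-in-scope"
    if re.search(rule.app_pattern, ev.path) is None and rule.app_hash != ev.sha256:
        return "not-in-scope"
    kinds = {r.kind for r in rule.fileless if rule_hits(r, ev)}
    if "allow" in kinds:            # Allow rules take precedence over Deny rules
        return "allow"
    return "block" if rule.block_unless_allowed or "deny" in kinds else "allow"  # Block unless Allowed

# Constructed sample rules (not the product's): block python3 unless the backup job launches it; deny ad-hoc "bash -c" for non-root users
PYTHON_RULE = AppControlRule(r"^/usr/bin/python3(\.\d+)?$", block_unless_allowed=True, fileless=[
    FilelessRule("allow", parent=("Matches", r"^/opt/backup/run\.sh$"), user=("Matches", "backup"))])
BASH_RULE = AppControlRule(r"^/bin/bash$", fileless=[
    FilelessRule("deny", cmdline=("Matches", r"\s-c\s"), user=("Does not Match", "root"))])
```

Feeding a launch of python3.11 by /opt/backup/run.sh as user backup returns "allow", while the same interpreter launched from an interactive bash by another user returns "block".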

  6. To modify the allowlist for scripts, follow these steps:

    1. On the Host Monitoring page, expand the profile and click Edit Allowlist


    2. Click the link Total Allowlisted Libraries/Scripts on the pop-up window


    3. Modify the allowlist as required
