CREATE POLICY
- Navigate to Host Security > App Control Policies in the left navigation pane
- Click ADD APP CONTROL POLICY
- Provide the Policy Name and Comment (optional)
- For each interpreter on the installed OS, a specific App Control configuration can be defined. Click ADD APP CONTROL RULE
Add App Control Configuration
An App Control Policy (ACP) configuration consists of four key sections:
- The first section defines the rule's name, the binary application for which the rule is created, and whether that binary is blocked. The application name field accepts regex input, with a scope limited to a specific path.
- The Block unless allowlisted checkbox blocks the binary under all circumstances (unless specific patterns are allowed in the next section).
| Field Name | Details/Examples |
|---|---|
| Name | Name of the Script Configuration |
| Description | A short description of the configuration |
| Create Configuration using | Select an existing Script Configuration to prepopulate the form |
| Application | Executable file name of the interpreter that this configuration is associated with. The value can be a full or partial name, a full or partial path, a hash, or a regular expression |
| Block unless Allowlisted | Select the checkbox to prevent the application from executing under all circumstances. Any following rules for this interpreter become irrelevant. Ensure that the interpreter is not allowlisted, as allowlist rules take precedence over this setting |
Table - ACP – Section 1
- The file-based configuration defines which file extensions are monitored for file-based execution of binary applications that are also interpreters. Signed scripts are all allowed by default.

| Field Name | Details/Examples |
|---|---|
| File Based Execution Rules | Specify file association and file execution rules for this application |
| Scan Criteria | The list of extensions specified here is used only during the reference host scan workflow, for the purpose of generating the initial allowlist |
Table - ACP – Section 2
- The file-less configuration defines the command lines, users, or parent processes that are allowed or disallowed for the binary application in scope. This is typically the most used configuration.

| Field Name | Details/Examples |
|---|---|
| File-less Pre Execution Rules | Specify rules for command-line execution without any files. Disabling this setting allows any or all command-line executions |
| Command Line | Enable – once enabled, provide the Match Type (Matches, Does not Match), the regex pattern for the command-line execution, and a relevant description. It provides control over which processes can spawn the interpreter. Provide the actual file path and NOT its symbolic link (for Linux). Provide only the pattern; do not prefix "-" to it. Disable – no check is performed on the command line |
| Parent Process Control | Enable – once enabled, provide the Match Type (Matches, Does not Match), the regex pattern for the parent process, and a relevant description. It provides control over which processes can spawn the interpreter. The value can be a full name, partial name, full path, partial path, hash, or regular expression. Disable – no check is performed on the parent process invoking the configured script; any process can launch the interpreter |
| User Access Control | Enable – once enabled, provide the Match Type (Matches, Does not Match) and the relevant user names. The user must be an exact match for the username; on Windows, the match is case-insensitive. Disable – no check is performed on the user invoking the configured script |
Table - ACP – Section 3
- The Dynamic Execution Rules configuration allows or blocks the spawning of any child process.

| Field Name | Details/Examples |
|---|---|
| Launch Process | Allow – allow the script to launch processes. Block – block the script from launching processes |
Table - ACP – Section 4
- Click SAVE
NOTE:
- Use a properly scoped regex expression that specifically targets the expected process AND excludes unwanted processes.
- (VSP 2.5.0 only, not subsequent patches) All configurations defined in ACP rules are mutually exclusive and unrelated to each other: the command-line, user-based, and parent-process configurations are not tied to each other and act independently.
- For a particular configuration type, the user can define either an allow rule or a deny rule.
- For "Block Unless Allowlisted" binaries, the file-less configuration can define allow rules.
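As an added illustration (not VSP's own code), the following Python model evaluates the Section 3 rule types independently, as the note above describes, and shows why the command-line and parent-process patterns should be anchored. The field names, the event shape, and the rule that a matching deny wins over a matching allow are assumptions of this model.

```python
import re
from dataclasses import dataclass, field

# Constructed model of the file-less rule semantics described on this page.
# It is not VSP's engine; "deny wins over allow" is an assumption of the model.
@dataclass
class Rule:
    kind: str        # "command_line", "parent_process" or "user"
    action: str      # "allow" or "deny"
    match_type: str  # "Matches" or "Does not Match"
    pattern: str     # regex, or the exact user name when kind == "user"

@dataclass
class AppControlConfig:
    application: str                   # regex over the interpreter binary (Section 1)
    block_unless_allowlisted: bool = False
    rules: list = field(default_factory=list)

def rule_hits(rule, event, windows=False):
    """True when the rule's condition holds; each rule is evaluated on its own."""
    value = event[rule.kind]
    if rule.kind == "user":  # exact user name; Windows compares case-insensitively
        matched = value.lower() == rule.pattern.lower() if windows else value == rule.pattern
    else:
        matched = re.search(rule.pattern, value) is not None
    return matched if rule.match_type == "Matches" else not matched

def evaluate(cfg, event, windows=False):
    """Return "allow" or "block" for an event with binary, command_line, parent_process, user."""
    if re.search(cfg.application, event["binary"]) is None:
        return "allow"  # interpreter outside this configuration's scope
    hits = {r.action for r in cfg.rules if rule_hits(r, event, windows)}
    if "deny" in hits:
        return "block"
    if cfg.block_unless_allowlisted:  # only an explicit allow rule lets it run
        return "allow" if "allow" in hits else "block"
    return "allow"

# Constructed sample: python3 may only run scripts under /opt/app, only when spawned by
# cron, never as "guest". Anchors keep "/usr/bin/python3 /tmp/x.py /opt/app/" from matching.
PY_CFG = AppControlConfig(
    application=r"^/usr/bin/python3(\.\d+)?$",
    block_unless_allowlisted=True,
    rules=[
        Rule("command_line", "allow", "Matches", r"^/usr/bin/python3 /opt/app/[\w/-]+\.py$"),
        Rule("parent_process", "deny", "Does not Match", r"^/usr/sbin/cron$"),
        Rule("user", "deny", "Matches", "guest"),
    ],
)
```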