
CREATE POLICY

  1. Navigate to Host Security > App Control Policies in the left navigation pane

  2. Click ADD APP CONTROL POLICY


  3. Provide the Policy Name and, optionally, a Comment

  4. A specific App Control configuration can be defined for each of the interpreters on the installed OS. Click ADD APP CONTROL RULE

  5. Add App Control Configuration

    An App Control Policy (ACP) configuration consists of four key sections:

    1. The first section defines the rule's name, the binary application for which the rule is created, and whether that binary is blocked. The application name field accepts a regex, with its scope limited to a specific path

      1. The Block unless allowlisted checkbox blocks the binary under all circumstances, except for the specific patterns allowed in the next section

        Field Name                 | Details/Examples
        ---------------------------+------------------------------------------------------------------
        Name                       | Name of the Script Configuration
        Description                | A short description of the configuration
        Create Configuration using | Select an existing Script Configuration to prepopulate the form
        Application                | Executable file name of the interpreter that this configuration applies to. The value can be a full or partial name, a full or partial path, a hash, or a regular expression
        Block unless Allowlisted   | Select the checkbox to prevent the application from executing under all circumstances; any following rules for this interpreter become irrelevant. Ensure that the interpreter is not allowlisted, as allowlist rules take precedence over this setting

        Table - ACP – Section 1


    2. The file-based configuration defines which file types (extensions) are monitored for file-based execution by binary applications that are also interpreters. Signed scripts are all allowed by default

      Field Name    | Details/Examples
      --------------+------------------------------------------------------------------------
      File Based Execution Rules - Specify file association and file execution rules for this application
      Scan Criteria | The list of extensions specified here is used only during the reference host scan workflow, for the purpose of generating the initial allowlist

      Table - ACP – Section 2


    3. The file-less configuration defines the command lines, users or parent processes that are allowed or disallowed for the binary application in scope. This is typically the most commonly used configuration

      Field Name             | Details/Examples
      -----------------------+------------------------------------------------------------------------
      File-less Pre Execution Rules - Specify rules for command line execution without any files. Disabling this setting allows any or all command line executions
      Command Line           | Enable – Once enabled, provide the Match Type (Matches, Does not Match), the regex pattern for the command line execution and a relevant description. It provides control over which processes can spawn the interpreter. Provide the actual file path and NOT its symbolic link (for Linux). Provide only the pattern. Do not prefix -" to it
                             | Disable – No check of the command line is performed
      Parent Process Control | Enable – Once enabled, provide the Match Type (Matches, Does not Match), the regex pattern for the parent process and a relevant description. It provides control over which processes can spawn the interpreter. The value can be a full name, partial name, full path, partial path, hash or regular expression
                             | Disable – No check is performed on the parent process invoking the configured script. Any process can launch the interpreter
      User Access Control    | Enable – Once enabled, provide the Match Type (Matches, Does not Match) and the relevant user names. The user must be an exact match for the username. For Windows, it is case-insensitive
                             | Disable – No check is performed on the user invoking the configured script

      Table - ACP – Section 3


    4. The Dynamic Execution Rule configuration allows or blocks the spawning of any child process

      Field Name     | Details/Examples
      ---------------+---------------------------------------------------
      Dynamic Execution Rules
      Launch Process | Allow – Allow the script to launch processes
                     | Block – Block the script from launching processes

      Table - ACP – Section 4


    5. Click SAVE

  NOTE:

  • Use a precise regular expression that specifically targets the expected process AND EXCLUDES unwanted processes

  • All configurations defined in ACP rules are mutually exclusive and are not related to each other. This means that the command-line, user-based and parent-process configurations, etc. are not tied to each other; they act independently

  • For a particular configuration type, the user can define either an allow rule or a deny rule

  • For "Block Unless Allowlisted" binaries, the file-less configuration can define allow rules
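  The following is an added illustrative model, not the product's own code or policy engine, of how the Section 3 file-less checks and the regex note above behave: each enabled check is evaluated on its own, and an anchored full-path pattern scopes an Application match to the intended interpreter while an unanchored word also matches look-alike binaries. The rule semantics, paths and usernames are constructed assumptions for the example (the user check is modelled as a "Matches" list of exact names).

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of one ACP file-less configuration as described on this page:
# the command-line, parent-process and user checks are independent of each other,
# each regex check is "Matches" or "Does not Match", and the user check is an exact
# username comparison (case-insensitive on Windows). Assumed semantics, not the product's engine.

@dataclass
class Rule:
    pattern: str                  # bare regex pattern, as the UI expects
    match_type: str = "Matches"   # or "Does not Match"

    def applies(self, value: str) -> bool:
        hit = re.search(self.pattern, value) is not None
        return hit if self.match_type == "Matches" else not hit

@dataclass
class FilelessConfig:
    command_line: Optional[Rule] = None    # None means the check is disabled
    parent_process: Optional[Rule] = None
    users: list = field(default_factory=list)
    windows: bool = False

    def check(self, cmdline: str, parent: str, user: str) -> dict:
        """Evaluate each enabled check on its own; disabled checks are skipped."""
        results = {}
        if self.command_line is not None:
            results["command_line"] = self.command_line.applies(cmdline)
        if self.parent_process is not None:
            results["parent_process"] = self.parent_process.applies(parent)
        if self.users:
            allowed = {u.lower() for u in self.users} if self.windows else set(self.users)
            results["user"] = (user.lower() if self.windows else user) in allowed
        return results

# Application patterns: the unanchored word also matches look-alike binaries such as
# "pythonfake"; the anchored full-path pattern scopes the rule to the real interpreter.
LOOSE_PATTERN = r"python"
STRICT_PATTERN = r"^/usr/bin/python3(\.\d+)?$"

def matches_application(pattern: str, exe_path: str) -> bool:
    return re.search(pattern, exe_path) is not None

if __name__ == "__main__":
    cfg = FilelessConfig(
        command_line=Rule(r"\s-c\s", "Does not Match"),      # deny inline -c scripts
        parent_process=Rule(r"^/usr/sbin/cron$", "Matches"),  # only cron may spawn it
        users=["backup"],
    )
    print(cfg.check("/usr/bin/python3 /opt/jobs/rotate.py", "/usr/sbin/cron", "backup"))
```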
