Application Control powered by AppSense

Ivanti Application Control is the new name for AppSense Application Manager

Product Architecture

In this section:

Architecture Diagram

Software Agent

Application Control is installed and run on endpoints using a lightweight agent. The agent is installed directly onto the local computer. Both agents and configurations are constructed as Windows Installer (MSI) packages and so can be distributed using any third party deployment system that supports the MSI format. The installers are delivered in separate 32-bit and 64-bit Microsoft Installer packages.

For Application Control to function, the agent must be installed on the client endpoint together with an associated configuration. The installation may be performed manually or by means of a deployment system such as the Management Center. Because agents and configurations are installed and stored locally on the endpoint, they continue to operate when the endpoint is disconnected or offline.

The Application Control agent installs a Windows Service (the Application Control Service), a filter driver, and a hook. The hook sits above the driver and intercepts all executables. It does not intercept DLLs, unlike the driver. If an executable is not intercepted by the hook it is intercepted by the driver.

The driver intercepts execution requests that are made within the operating system that pass from the I/O Manager to the drive and the device subsystems, for example NFTS.SYS or the LanMan Redirector for Microsoft Networking Services. The driver does not intercept ordinary file access such as the opening of a document or text file.

Every intercepted create process request is intercepted by the hook. When the request is intercepted by the hook, the request is passed on to the Application Control Agent Service for validation against the configuration settings, which returns an execution granted or denied response that is dealt with by the hook or driver, depending on which sent the request. If the response is granted, the request is passed on to the relevant file system driver to continue with the application loading from disk.

In the case of a denied executable or script, the agent replaces the original path with Application Control’s customizable message box (AMMessage). This effectively blocks access to the original requested executable and instead displays a message to the user. In the event of a DLL being blocked, no message is displayed and the default operating system message is displayed.

Agent Service

The Application Control Agent Service runs as a SYSTEM service on each computer that is controlled using the Application Control component. The agent provides the intelligence for dealing with the execution requests passed from the Application Control kernel level driver and the hook. Each and every execution request is validated against the configuration settings that are held on each local machine containing the Application Control agent software. Along with the details of the application request, the agent service checks who the user is and which computer the request originates from so that this can be processed at the same time to enable user, group, client, or custom rules to function as expected.

The configuration is stored in a local configuration file for performance and control reasons. This means that all requests can be turned around in minimum time and perhaps more importantly, without the need for a network link to a central server, which ensures that unconnected machines, such as laptops, remain secured even when not physically connected to the Local Area Network.

Agent Assist

Agent Assist provides support for the agent. Instances of Agent Assist are started on demand by the agent and run using the SYSTEM account. Each Agent Assist is specific to a user session. If Agent Assist is initiated, no more than one instance runs in a session. Once started, Agent Assist typically remains running until the session logs off or the agent is stopped.

Agent Assist does the following:

  • Enforces time limits on applications.
  • Prompts Self Authorizing Users to confirm whether to allow denied DLLs (applications are handled by Agent Assist).
  • Performs auditing for the events, 9006, 9007, 9017.
    • 9006 - Self-authorization decision by user.
    • 9007 - Self-authorized execution request.
    • 9017 - An application has been terminated by Application Control.
  • On 64-bit systems, Agent Assist can start the 32-bit DLL component that installs the 32-bit Application Hook into 32-bit applications running in the same user session.

DLL Injection Assist

DLL Injection Assist is a 32-bit component that is only installed on 64-bit systems. It is used solely by Agent Assist to install the 32-bit application hook into 32-bit applications running in the same user session.

Filter Drivers

The agent intercepts, then validates, all application execution requests against the configuration. It then either grants or denies access to the executable content. The agent also triggers auditing events that are collected by the AppSense Deployment Agent.

The driver only intercepts execution requests placed against the operating system because it is connected between the I/O Manager (in the Executive Services) and the actual device drivers for the file systems themselves (for example, NTFS.SYS, CDROM.SYS, or LanMan Redirector for Microsoft Networking Services). The driver does not intercept ordinary file access such as the opening of a text file, document, or presentation.

Every intercepted request is subsequently passed on to the Application Management Agent Service for validation against the current configuration. The Agent Service returns an allowed or denied response that is dealt with by the filter driver. If the response is allowed, the request is passed on to the relevant file system driver to continue with the application loading from disk. If the request is denied, the filter driver replaces the request with Application Control’s error-handling system, which is responsible for the display of a fully customized message box to the end user. This error handling effectively blocks access to the requested executable code by advising the originating process that all is successful, and the customized message box is displayed in place of the expected executable code. This prevents the operating system displaying a ’File not Found’ or ’Access Denied’ message.

The driver is a lightweight driver that filters file system requests for files, but not folders, with the Execute, Overwrite, and Rename permissions requests. The driver sends requests to the Application Control agent for authorization. Depending on the response from the agent, the driver allows, redirects, or denies the request.

When it redirects, the driver redirects to one of the Message Box applications. The driver only redirects as a fall back if the request is missed by the hook.

The filter driver can dynamically start but cannot be stopped without a reboot. This can be found in %systemdrive%\ProgramFiles\ApplicationManager\Agent\AmFilterInstall and is called

For more information on the Deployment Agent, see the Management Center Help.

Mini Filter Driver

The mini filter driver is a lightweight driver that filters file system requests for both files and folders on UNC paths, but not for local drives. The driver sends requests to the agent for authorization. Depending on the response from the agent, the driver allows or denies the request.

This can be found in %systemdrive%\Program

The mini filter driver can be dynamically started and stopped.

Application Hook

This is a DLL that is loaded into every user process.

The Application Hook sends create process and network requests to the agent for authorization. In the event of a blocked executable, the original request is replaced with a request for AMMessage. In the event of a blocked network request, access to the network resource is denied. If any token modification is required, as part of Privileges Management, an appropriate request is sent to the agent. The agent sends back a modified token, which is used to launch the requested process.

Where Application Network Access Control (ANAC) is concerned, because requests for network traffic is high, the results provided by the agent are cached in the memory of the application. This is essential to avoid a dramatic performance degradation to network traffic.

Browser Add-on

CascadeBHO.dll is an Application Control Browser Helper Object (BHO) loaded by Internet Explorer that is used as part of the URL Redirection and Elevated Web Sites features. If a configuration contains any of these types of rules, the Cascade BHO is enabled, and therefore loaded, by Internet Explorer. If there are no URL Redirection or Elevated Web Sites rules, the BHO is disabled.

The BHO is loaded by only Internet Explorer. A separate extension that provides the same functionality, AppSense Cascade, is loaded by Chrome. There is no equivalent for the Microsoft Edge browser.

Check the CascadeBHO.dll Status

  1. In Internet Explorer, select Tools >Manage add-ons.

    The Manage Add-ons dialog displays.

  2. In the Add-on Types panel, ensure Toolbars and Extensions  is selected.

    You can view the status of the add-ons in the pane on the right.

Configuration

AppSense Application Control configuration files (AAMP files) contain the rule settings for securing your system. The agent checks the configuration rules to determine the action to take when intercepting file execution requests.

Configurations are stored locally in the All Users profile and are protected by NTFS security. In standalone mode, configuration changes are written directly to the file system from the Application Control console. In Enterprise mode, configurations are stored in the Management Center database, and distributed in MSI format using the Management Center console.

Configurations can also be exported and imported to and from MSI file format using the Application Control console. This is useful for creating templates or distributing configurations using third party deployment systems.

After creating or modifying a configuration you must save the configuration (and deploy if necessary) to ensure that they are actioned.


Was this article useful?    

The topic was:

Inaccurate

Incomplete

Not what I expected

Other