In this section:
Archiving is an optional function that allows you to copy any denied executables into a secure folder. When a user attempts to run an unauthorized executable, or an executable specified in the prohibited items list, Application Control can take a copy of each application that attempted to execute and place them in a secured file system or archive. This information can be used by an administrator to inspect the kinds of executable content that Application Control has blocked.
Blocked applications can often be files with false names such as winword.exe. The name alone does not tell the administrator much because these are typically other executables that have been simply renamed in an attempt by the user to get the application to run on the computer. Because Application Control takes a complete copy of each executable, the administrator can accurately assess each application and what impact they would have on the enterprise had they been allowed to run.
It is recommended that archived executables are checked in a secure environment to minimize the threat from viruses and malware.
Enable archiving by selecting Enable Archiving in the Archiving Settings dialog, which you access via the Global Settings ribbon.
Use the Global Properties tab in the Archiving Settings dialog to control what is archived and to define the maximum or minimum size of the archives, by selecting one or more of the following:
- Do not archive administrator owned files - Select to prevent Application Control from adding administrator-owned files to the archive. An example of a use case for this is when a user tries to execute regedit.exe and is blocked by the Application Control agent. It is unlikely you would require an archive of this file. However, it is useful to archive when the user attempts to execute their own copy of regedit.exe to determine what the application is and what effect it could have on the enterprise if it were to execute.
- Do not archive if the file already exists - Select to prevent Application Control from adding files to the archive that already exist in the archive, especially if the archive resides on the network. Duplicate entries are not created when this option is deselected. The existing archive entry is overwritten. This helps to save space, although it may result in inaccurate archiving as only one copy of an executable with the same name is ever retained.
- Enable anonymous archiving - Select to prevent Application Control from adding any user names to the archive. For example, if a user runs a downloaded file from the $Home drive, the owner of the file is that user and also the archived filename contains the user’s name as part of the path from which it was executed. If Anonymous archiving is selected, the owner of the file is changed to SYSTEM and any references to the user name are replaced with anonymous.
- Maximum archive size for all users combined - The maximum size in MB that combined users are allowed to reach before files are overwritten. A limit setting of zero (0) is interpreted as no limit.
- Maximum archive size per-user - The maximum size in MB that a single user archive is allowed to reach before files are overwritten. For example, if an archive path is specified as C:\archive\%username%, every user on the system has a separate archive under the C:\archive directory. It is this user archive that is subject to the user limit. The User Limit should not exceed the Total Limit. A limit setting of zero (0) is interpreted as no limit.
Use the File Options tab to specify file size thresholds and preservation behavior what is archived and to define the maximum or minimum size of the archives by selecting one or more of the following:
Only archive files smaller than - Limits the size of the files that are copied to the archive. This is particularly useful if a network archive is specified because copying large files to a network location is a potentially time consuming operation.
When a user’s archive is full allow the oldest files to be overwritten - Select to allow Application Control to overwrite the oldest files in the archive in cases where the archive size has reached either the Total limit or the User limit. This is an easy way to ensure that the enterprise captures the most up-to-date information without using large amounts of data space for unauthorized applications.
Use the folders tab to specify a list of folders that can be used for archiving purposes, each of the folders can then be used to store backups.
The default location to place all archived files into is:
This places all archived files for a specific user in the same folder and the folder is named after the user making it easier to manage.
- Archive Folder - The list of folder paths to which archive files are copied. Archiving attempts to write to the first listed folder, if unsuccessful an attempt is made to archive to the next folder, if there is one in the list. This process continues until the folder list is empty or the archive action succeeds.
- Move Up - Moves the selected archive up the list of available archives. The order of the archive list is important as Application Control attempts to copy the file to the first archive in the list. If this copy fails, Application Control continues to make attempts to copy the file to the next archive location until it is successful.
- Move Down - Moves the selected archive down the list of available archives. The order of the archive list is important as Application Control attempts to copy the file to the first archive in the list. If this copy fails, Application Control continues to make attempts to copy the file to the next archive location until it is successful.
- Add Folder - Add an archive location to the list. The archive may contain environment variables. For example, %SYSTEMDRIVE%\Archive\%USERNAME% is expanded when Application Control attempts to archive the file. Each user has a personal archive.
- Delete Folder - Deletes the selected folder.
- Browse - Browse to the location where you want the archive to exist.