In this Section:
- About Message Settings
- Message Box Variables
- Configure Message Boxes Elements
- Message Style
- Access Denied
- Application Limits Exceeded
- Time Limits
- Network Connections
- Elevation Prompt
- UAC Replacement
- System Controls
About Message Settings
Message Settings are used to define how message boxes are displayed to users, and to specify the content of messages displayed when users attempt to launch applications in violation of a defined configuration.
Application Control message boxes can be customized to meet the requirements of an organization by specifying company colors, logos and fonts. More advanced styling can be achieved by using the Cascading Style Sheet (CSS), which is editable direct from the Message Style tab. Styling is applied to all the Application Control message boxes but the content of the messages can be amended individually.
The Message Settings dialog (available from the Global Settings ribbon) is used to configure settings for messages issued to users. You can set up messages for situations where access is denied, application limits have been exceeded, and for self-authorization. Time limits for application behavior can be specified with warning and denied messages.
Global Style update
The 2020.2 release of Application Control introduced a design update for default global styles. The new style uses a larger format to accommodate more detailed information; and the default messages no longer use a logo, instead they feature a color-coded banner:
Red = blocked item
Yellow = user prompt to authorize or block an item
Blue = self-elevation notifications or prompt
New configurations will use the new style message boxes by default.
Pre-existing configurations will continue to use the classic style message boxes until global style defaults are restored. See Restore Defaults below.
Message Box Variables
The message box can contain both user and system-wide environment
Environment variables are not expanded during testing. The following environment variables may be included:
|%ExecutableName%||The name of the denied application.|
|%FullPathName%||The full path of the denied application.|
|%DirectoryName%||The directory where the denied application is located.|
|%NetworkLocation%||The resolved IP address of the given host name.|
|%AC_Hash%||The file hash.|
|%AC_FileSize%||The size of the file.|
|%AC_ProductVersion%||The version of the product.|
|%AC_FileVersion%||The version of the file.|
|%AC_ProductName%||The name of the product.|
|%AC_CompanyName%||The name of the company.|
|%AC_Vendor%||The name of the certificate signer.|
|%AC_FileDescription%||The description of the file.|
|%AC_ParentProcess%||The name of the process that started it.|
|%AC_DecidingRule%||The name of the allow rule in the AC configuration.|
|%AC_FileOwner%||The owner of the file.|
|%AC_ClientName%||The name of the connecting device.|
|%AC_PortNumber%||The name of the network port, only if applicable. If the port number is not 0, it will be displayed at the end of the blocked IP address.|
Configure Message Box Elements
Note, the version of Application Control in use will determine the message elements available to configure. In earlier releases (2020.1 and earlier) message settings did not feature a Banner field, and used a default height and width value of 0, whereas now the Banner field is included, and height and width values require explicit values.
For each type of message, define the following:
- Caption - The text to display at the top of the message. For example, you can change the default caption, Application Control, so that the user is not aware that Application Control has intervened.
- Banner (2020.2 or later release only) - Enter the text to display in the colored banner.
To remove the colored banner from the message box simple clear this field so it remains empty.
- Message body - Enter the text to display in the body of the message.
Width - Specify the width of the message dialog. The width is measured in pixels and applies to all messages.
Prior to 2020.2 release the default value is 0. Post 2020.2 release the default value is 510.
Height - Specify the height of the message dialog. The height is measured in pixels and applies to all messages.
Prior to 2020.2 release the default value is 0. Post 2020.2 release the default value varies according to message purpose.
When configuring messages, consider the following:
- Environment variables are supported for the caption, banner and the message. Refer to the table above.
- When using hyperlinks in the message body, the full HREF attribute tag must be entered.
- If less-than or greater-than angle brackets are
to be displayed in the message body, use < and > respectively.
Select Click here to see how the message will appear to users to preview the message with the caption and body specified.
Application Control message boxes can be customized to meet the requirements of an organization by specifying company colors, logos and fonts. More advanced styling can be achieved by using the Cascading Style Sheet (CSS), which is editable direct from the Message Style tab. Styling is applied to all the Application Control message boxes but the content is managed for each message.
Define the required settings for all Application Control Message boxes:
- Font Style - Select the font type from the drop-down list.
- Font Size - Select the size of the font to be displayed. For specific font sizing, you can select the units by which the font is measured using the options available in the adjacent drop-down list.
- Font Color - Select the font color.
- Background Color - Select the background color of the message boxes.
- Logo - Click Select Logo to locate and select an image file on all Application Control message boxes. File sizes should be no larger than 100 kilobytes. Using logos may have an impact on the deployment of the configuration.
- Restore Defaults - Use Restore Defaults to undo any changes that have been applied to your message styles. For information on the options available, see Restore Defaults.
Use the Click here to see how the message will appear to users link to preview an example of how the message box will look when styles specified are applied.
This option applies (or re-applies) the current global style defaults to your message styles. It can be used to update older configurations to adopt the current default styles, and it can be used to revert (or undo) local changes that have been applied to your message styles.
Click the Restore Defaults button to open the Restore Global Style and Dialog Content dialog.
There are two options available:
- Restore the Application Control default message style and content - Select this option to restore both the CSS and the message wording to the default settings. When this option is selected, the CSS from the current Application Control installed location overwrites any existing customization.
- Restore the message style and content from the current saved configuration - Select this option to restore the message box styling and wording to the styles specified in the configuration.
This action will restore styles across all message boxes within Application Control, including Application Termination messages.
Use the Advanced button to edit the message box style directly using CSS. When this option is selected the Advanced dialog displays. The dialog contains a basic CSS Editor, options to import, export and restore a CSS are also available.
It is recommended that an experienced user modifies the CSS. Any changes
to styling will impact all Application Control message boxes.
CSS3 is not supported.
Click the Export button and select a location to save the CSS file. When exported, the CSS file can be edited using another CSS editor and then re-imported when the amendments have been made.
Click the Import button and select the CSS file to open and use. The styles specified in the imported CSS will automatically overwrite any existing styles. These styles will take immediate effect but will not be applied until you save a configuration.
Access to applications can be denied or restricted for a user. Denied and restricted Items are specified in the Group, User, Device, Custom, Scripted, and Process rules.
Configure the messages that display when a user attempts to access an application that has been denied or when a user has insufficient privileges.
For more information, see Rules.
Application Limits Exceeded
The Application Limits Exceeded message displays when the user is denied access to an application that has reached an application limit.
Configure the content and dimensions of the message that is displays when application limits are exceeded.
For more information, see Application Limits.
In Application Control, you can specify time limits for when applications can be accessed. For example, certain applications can be allowed to run only between 9 am and 5 pm, Monday to Friday. Two messages can be displayed:
- Warning Message: To inform the user that the time period is about to expire while the application is still running.
- Denied Message: To inform the user that they are attempting to run the application outside of the hours specified.
You can also specify whether the user is allowed to save their work before closing the application, or to just close the application upon the warning:
- Display an initial warning message - Select to display an initial warning message to the user when an application has exceeded time limits. Typically, this gives the user time to save their work and close the application. Use in conjunction with the Close application and Terminate application options. If you do not use this in conjunction with these options, only a message is displayed and application does not close.
- Close the application - Select to send a close message to the application. When most applications receive a close message they automatically give the user a chance to save their work. Select along with the Display an initial warning message option.
- Terminate the application - Terminate the application without allowing the user to save their work. Typically, this is used after the application has been sent a close message but has failed to terminate. Choose to select the Display an initial warning message or not, the application will terminate regardless.
- Wait - Specify the number of seconds to wait between each of the selected termination options. For example, if the user selects all three of the termination options and then selects 20 seconds, the warning message will be displayed, followed 20 seconds later by the close message and finally the application terminates after a further 20 seconds.
Configure the content and dimensions of the message that displays when time limits are exceeded.
Self-Authorization is a security level within Application Control. Some applications require self-authorization by a user before they are allowed to run. You can specify the message displayed for both the initial message and the response. The self-authorization message displays when a self-authorizing user attempts to run a denied application and the file requires a user decision to run. The Response message displays when a self-authorizing user allows a DLL file that another application uses and the application may need to be restarted.
Configure the message that displays when self-authorization is required and the message that displays when an application has been authorized.
For more information, see Security Level.
The Network Connections message displays when a connection is blocked. Configure the following settings to determine the action taken when a network connection is blocked:
Display a warning message for blocked network connections - Displays a message box for all blocked network connections. This option is enabled by default.
Selecting this option enables further settings and allows you to configure the content and dimensions of the connection denied message.
- Display a warning on every connection attempt - Displays a warning message every time a connection is attempted.
- Display a warning message once - Displays a message only on the first attempt per application within the same session.
- Wait ... seconds between messages - Specifies the number of seconds to wait before a new message is issued. Only one message displays per application within the specified period. No message displays for any subsequent attempts within the same period.
For more information, see Application Network Access Control.
Configure the content and dimensions of the message that displays when a user requests self-elevation.
The messages are displayed if the Display a message box requiring a reason for Self-Elevation from the user option is selected in the Self-Elevation options.
- In the Global Settings ribbon, select Message Settings.
- Select the Self-Elevation tab.
In the Name field, enter the text to display for the self-elevation shortcut menu option.
The menu option is displayed when a user right-clicks a file with an extension on the Self-Elevation file associations list.
- Configure the caption, content, and dimensions for the message that displays when a user requests self-elevation.
- Click OK.
Rule items can be configured to prompt the user before elevating application privilege. The prompt can also require the user to supply a reason for the elevation. You can specify the message displayed for both the initial message and the response.
The message displays when a user attempts to run an item where an elevation prompt is configured and a matched rule applies. For more information, see Rule Items.
The UAC Replacement message displays when UAC Replacement is enabled and an application has requested administrative privileges.
Configure the content and dimensions of the message that is displays when elevated rights are requested.
For more information, see UAC Replacement.
System Controls are used to prevent users from:
- Stopping named services
- Clearing event logs
- Uninstalling or modifying specific applications
A message is displayed when uninstall of a program is restricted or when an event log cannot be cleared.
Configure the content and dimensions of the message that displays for both messages.
For more information, see System Controls.