Advanced Settings

Advanced Settings are accessed from the Manage ribbon and allow you to assign global settings to the Application Control Configuration file. Specify the required global components using the Policy Settings and Custom Settings tabs.

Policy Settings

Application Control Policy Settings are available in the Advanced Settings dialog and provide general Application Control settings to apply to all application and process execution requests.

General Features

Make local drives allowed by default
    The configuration default for local drives is a blocklist, meaning that everything on the local drive is allowed unless it fails trusted ownership checking or is specified in a Denied Items list. Deselect this option to make the configuration an allowlist, so that everything on the local drive is blocked unless it is specified in an Allowed Items list.

Allow cmd.exe for batch files
    It is expected that administrators explicitly prohibit cmd.exe in their Application Manager configuration. The behaviour then depends on both this option and whether cmd.exe is denied. If cmd.exe is explicitly denied and this option is not selected, all batch files are blocked; they are not even evaluated. If cmd.exe is explicitly denied and this option is selected, cmd.exe still cannot be run on its own, but batch files are evaluated against the Application Control rules and blocked only if they fail the policy. If cmd.exe is not explicitly denied, all batch files run regardless of whether this option is ticked.

Ignore restrictions during logon
    During logon the computer may execute a number of essential applications. Blocking these can cause the computer to function incorrectly, or not at all. Hence, this option is selected by default.

Extract self-extracting ZIP files
    A self-extracting file is an executable that contains a ZIP file and a small program to extract it. These files are sometimes used as an alternative to installing an application by an MSI file. A number of administrators prefer applications to only be installed by an MSI file.

    Only self-extracting EXEs formatted using the ZIP specification are supported. For additional information, see ZIP Specifications.

    The Extract self-extracting ZIP files option allows a denied executable file, which is a self-extracting ZIP file, to be extracted by the ZIP Extractor. If this option is deselected (the default setting) the file is subject to the normal rule processing as though it is an executable file. Once the contents have been extracted, any executable content it contains is still subject to the normal Trusted Ownership checks and is prevented from executing if the user is not a Trusted Owner. This is useful for scenarios where the self-extracting ZIP file may contain non-executable content such as a document that the user requires. By default, this option is deselected, and the self-extracting ZIP file is treated as a standard executable and can be prevented from executing (and hence extracting its contents) subject to the normal rule processing.

Ignore Restrictions during Active Setup
    By default, all applications which run during Active Setup are subject to Application Control rules. Select this option to make these applications exempt from rules checks during the Active Setup phase.

Use Signature Rules only to allow files on removable media
    Select this option (default setting) to remove the global restrictions on removable media and switch to Signature Rules for governance. Removable media is whatever the call to GetDriveType determines it to be. Due to the nature of removable media, the drive letter may change depending on how an endpoint is set up. For example, on one computer the removable media drive may be identified as the E: drive and on another as the F: drive.

    When this setting is enabled, a file on removable media can only be allowed with a Signature Rule.

    When this setting is disabled, file ownership is not taken into account and files on removable media will not be trusted regardless of ownership. To allow this type of file under these conditions, select Options > Allow file to run even if it is not owned by a Trusted Owner.

Deny files on network shares
    The configuration default for network shares is an allowlist, meaning that everything on the network share is denied unless it is specified in an Allowed Items list. Deselect this option to make the configuration a blocklist, so that everything on the network share is allowed unless it fails trusted ownership checking or is specified in a Denied Items list.

Validation

Validate System processes
    Select this option to validate any files executed by the system user. Note that it is not recommended to select this option as it increases the amount of validation occurring on the endpoint computer and can block crucial applications from running. Selecting this option means all executables launched by the system are subject to rule validation.

Validate WSH (Windows Script Host) scripts
    Selecting this option specifies that the command line contents of scripts run using wscript or cscript are subject to rule validation.

    Scripts can introduce viruses and malicious code. It is recommended to validate WSH scripts.

Validate MSI (Windows Installer) packages
    MSI files are the standard method of installing Windows applications. It is recommended that the user is not allowed to freely install MSI applications. Selecting this option means all MSIs are subject to rule validation. Deselecting this option means that only the Windows Installer itself, msiexec.exe, is validated by the Application Control rule processing, and not the MSI file that it is trying to run.

Validate Registry files
    Select this option to enable rule validation for regedit.exe and regini.exe. Deselecting this option means that regedit.exe and regini.exe are no longer blocked by default, and the .reg script that regedit.exe or regini.exe is trying to run is no longer validated by Application Control rules processing.

    It is not recommended to allow users to access the registry or registry files.

Validate PowerShell scripts
    When enabled, this setting denies powershell.exe and powershell_ise.exe. However, if a PowerShell script (PS1 file) is found on the command line, it is subjected to a full rules check to see if it is configured for elevation, allowed, or denied.

Block -Command
    For security purposes, when enabled (the default condition in new configurations), any PowerShell command line that includes -command is blocked. To shift to a different security level, an administrator needs to uncheck this option.

    When running a PowerShell script from Explorer, by right-clicking a ps1 file and selecting Run with PowerShell, Explorer adds -command automatically to query the current Execution Policy and prompt the user asking whether they want to change it.

    For Application Control to evaluate ps1 files run via Explorer's right-click menu item Run with PowerShell, and not just block them, disable the Block -Command option.

    Please see the Ivanti Community article Validate PowerShell scripts does not work if the command line contains "-command" for further details. You will need to log into Ivanti Community to access it.

    Be aware that when this option is unchecked, any trusted ps1 file can be modified with malicious code inserted via a -command argument and will run because the file itself is trusted.

Validate Java archives
    When enabled, this setting denies java.exe and javaw.exe. However, if a Java archive (JAR file) is found on the command line, it is subjected to a full rules check to see if it is allowed or denied.

Functionality

Enable Application Access Control
    Select to enable Application Access Control. Deselect to not validate or block executables.

Enable Application Network Access Control
    Select to enable the Application Network Access Control feature. Deselect to not validate or block outbound network connections.

Enable User Privilege Management
    Select to enable the User Privilege Management feature. Deselect to not apply any User Privilege policies. Disabling this option allows all applications to run with the permissions and privileges provided by default by the operating system. Application Control ignores anything in the User Privileges section of the rules and will not change or alter any of the user's privileges.

Enable URL Redirection
    Select to enable the URL Redirection feature. If you deselect this option, configured redirections are ignored and users are not redirected when they enter a suspicious or unwanted URL. Any URL allow rules you have configured will also not take effect. Deselecting this option has the same effect as having no items in the Browser Control policy set and selecting this feature. When you disable this feature the browser extensions are disabled. See also Browser Control.

Signatures

Algorithm
    Select the algorithm type. There are three options available:

    SHA1

    SHA256

    Adler32

    For more information, see Signature Hashing.
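To make the difference between the three algorithm choices concrete, the following added example (not part of the Ivanti documentation or product) computes all three signatures for two sample files that differ in a single byte. Get-FileHash covers SHA1 and SHA256; Adler32 is implemented here from the zlib definition because Windows ships no cmdlet for it. The file names and contents are constructed sample input. Adler32 is a 32-bit checksum rather than a cryptographic hash, so collisions are easy to produce by accident or on purpose; where a Signature Rule is meant to prove a file is the exact binary you approved, SHA256 is the appropriate choice.

```powershell
# Added example, not Ivanti's own code: show the three signature types the
# Algorithm option offers, side by side, for constructed sample files.

function Get-Adler32 {
    # Adler32 per the zlib definition: a = 1 + sum(bytes), b = sum of running a,
    # both mod 65521; result is (b << 16) | a.
    param([Parameter(Mandatory)][string]$Path)
    $a = 1; $b = 0
    foreach ($byte in [System.IO.File]::ReadAllBytes($Path)) {
        $a = ($a + $byte) % 65521
        $b = ($b + $a) % 65521
    }
    # Use 64-bit arithmetic so the high half never overflows an Int32
    return ('{0:X8}' -f [uint32](([long]$b * 65536) + $a))
}

function Get-AppControlSignatures {
    # One row per file with the same three algorithms the Signatures tab lists
    param([Parameter(Mandatory)][string]$Path)
    [pscustomobject]@{
        File    = Split-Path -Leaf $Path
        SHA1    = (Get-FileHash -Path $Path -Algorithm SHA1).Hash
        SHA256  = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Adler32 = Get-Adler32 -Path $Path
    }
}

# Constructed sample input: two 64-byte files that differ only at offset 10
$dir = Join-Path $env:TEMP 'sigdemo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$original = [byte[]](1..64)
$modified = [byte[]](1..64); $modified[10] = 99
[System.IO.File]::WriteAllBytes((Join-Path $dir 'a.bin'), $original)
[System.IO.File]::WriteAllBytes((Join-Path $dir 'b.bin'), $modified)

Get-AppControlSignatures (Join-Path $dir 'a.bin')
Get-AppControlSignatures (Join-Path $dir 'b.bin')
```

Run the script in a normal PowerShell session (Get-FileHash needs PowerShell 4 or later). All three values change for the one-byte edit, which is the property a Signature Rule relies on; the Adler32 column is only eight hex digits wide, which is why it is fast to compute but weak as evidence of identity.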

Custom Settings

Custom Settings allow you to configure additional settings which will be applied on managed endpoints when an Application Control configuration is deployed. If a new configuration is deployed that contains new custom settings, any pre-existing custom settings in place on the endpoint will be deleted.

Manage Custom Settings

  1. Open a configuration in the Application Control Console and navigate to the Manage ribbon.
  2. Click Advanced Settings and select the Custom Settings tab.

    The Configure Advanced Settings dialog displays.

  3. Select the Custom Settings tab and click Add to display the list of advanced settings.
  4. Select the settings you want to configure and click OK.

  5. The selected settings are added to the Configure Advanced Settings dialog.

    Settings which are added will be configured on the endpoint. However, any setting which already exists on an endpoint will be used.

  6. Set the values as required.
  7. Click OK.

The settings are applied when the configuration is deployed to your managed endpoints.

Available Custom Settings

Additional Engineering Key - GroupSidRefresh

Application Control requires the Security Identifier (SID) of all Group Rules to successfully perform rule matching. With this engineering key set, the agent will resolve the SID of the Group Rule at runtime whilst the endpoint is online and write it back into the Configuration (AAMP file). This can be useful if the endpoint is subsequently used offline as the SID stored in the configuration will be used.

The Application Control Console will resolve the SID if possible when the configuration is saved. This setting is only needed if the console could not perform the group SID lookup.

Settings

HKLM\Software\Appsense Technologies\Application Control\Engineering

Name

GroupSidRefresh

Type

String (REG_SZ)

Parameters

0 - Off

1 - only resolve groups that currently have no SID values

2 - resolve all group SIDs. Useful if the domain is specified by an environment variable, so it is subject to change.
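The following added example (not an Ivanti tool; written for this page) reads and sets the GroupSidRefresh value under the registry key documented above and performs the same account-name-to-SID lookup that the agent has to do for each Group Rule, so you can see which groups would fail to resolve on a given endpoint before relying on offline use. The registry path and value name come from the page; the group names are constructed sample input, and CONTOSO is a placeholder domain that resolves only on a domain-joined, online host. Writing to HKLM requires an elevated session.

```powershell
# Added example, not Ivanti's own code: inspect and set the GroupSidRefresh
# engineering key, and resolve sample group names to SIDs the way the agent must.

$engKey = 'HKLM:\Software\Appsense Technologies\Application Control\Engineering'

function Get-GroupSidRefresh {
    # Returns the current mode as a string, or '0' (Off) when the value is absent
    $item = Get-ItemProperty -Path $engKey -Name 'GroupSidRefresh' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return '0' }
    return [string]$item.GroupSidRefresh
}

function Set-GroupSidRefresh {
    # The page documents the value as REG_SZ, so it is written as a String
    param([Parameter(Mandatory)][ValidateSet('0', '1', '2')][string]$Mode)
    if (-not (Test-Path $engKey)) { New-Item -Path $engKey -Force | Out-Null }
    New-ItemProperty -Path $engKey -Name 'GroupSidRefresh' -PropertyType String -Value $Mode -Force | Out-Null
}

function Resolve-GroupSid {
    # Account name -> SID; returns $null when the name cannot be mapped from this host,
    # which is exactly the situation GroupSidRefresh=1 or 2 exists to handle
    param([Parameter(Mandatory)][string]$GroupName)
    try {
        $account = New-Object System.Security.Principal.NTAccount($GroupName)
        return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $null
    }
}

# Constructed sample groups: two well-known local groups and a placeholder domain group
$sampleGroups = @('BUILTIN\Administrators', 'BUILTIN\Users', 'CONTOSO\AppControl-Admins')
foreach ($g in $sampleGroups) {
    $sid = Resolve-GroupSid -GroupName $g
    if ($sid) { '{0,-30} {1}' -f $g, $sid }
    else      { '{0,-30} (not resolvable from this endpoint)' -f $g }
}

"GroupSidRefresh is currently: $(Get-GroupSidRefresh)"
# Uncomment to switch the agent to resolving only groups that have no stored SID:
# Set-GroupSidRefresh -Mode '1'
```

The two BUILTIN groups resolve to the well-known SIDs S-1-5-32-544 and S-1-5-32-545 on any Windows host; a domain group that reports "not resolvable" here is one whose rule would also fail to match on an offline endpoint unless the SID was already written into the configuration, either by the console at save time or by the agent with this key set.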

Self-Elevation File Associations
