Endpoint Analysis

About Endpoint Analysis

Endpoint Analysis (EPA) scans one or more endpoints to produce a list of the applications that are present, and that have run, on a particular computer. Endpoint Analysis helps to simplify the creation of an appropriate Application Control configuration. This feature is used on demand and is inactive by default. There are two ways to analyze the data on endpoints with the Application Control Agent installed:

  • Endpoint Scans - Endpoint Analysis files for a given endpoint are stored on the computer that has the Application Control console installed under the following location:

    C:\ProgramData\AppSense\Application Manager\EndpointAnalysis.

    The Endpoint Scan searches the endpoint for any applications that are present. These applications may have been officially installed by an administrator, or be an esoteric piece of virus-ridden freeware installed by an unsuspecting end user.

    The following directory and registry locations are scanned:

    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    • Program Files
  • Application Usage Scans - The Application Usage Scan is used to detect all applications in use on an endpoint. When an Application Usage Scan is in progress, all execute requests are passed through for Endpoint Analysis processing once the standard Application Control rules checking has been performed on that request. The details of requests are held in memory. When the scan is stopped, all the request data is saved to file.

    If the endpoint is rebooted while a scan is in progress, for example, if a user takes their laptop from the workplace and switches it on at home, the Endpoint Analysis runtime detects that it should be recording application usage and restarts the recording. This is done on agent startup.

    An Endpoint Scan can take several minutes. The reason for this is that Application Control not only scans the Program Files folder and the registry keys, but also each dependent file and its digital signature. Application Control records all this information.

    During an Endpoint Scan, 100% of the CPU on the endpoint can be used. However, if user tasks need to be performed, the Application Control agent uses built-in smart scheduling technology to allow tasks to take precedence over the scan itself, so the end-user perception of performance is unaffected.

Typically, the Endpoint Scan is run first to determine which applications are installed on the endpoint. This can be followed by the Application Usage Scan to track the applications that have been run on an endpoint over a period of time. By highlighting which applications are being used and which are not, unlicensed software can be identified and restricted or removed. Before either scan is run, endpoints must be specified in the Endpoint Analysis tree.
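The following PowerShell script is an added example, not Application Control code, that approximates what the Endpoint Scan collects using built-in cmdlets: the installed applications recorded under the Uninstall key, the folder names held under Installer\Folders, and every executable and DLL under Program Files with its Authenticode signer. It assumes the registry keys and folder listed above, runs locally on the endpoint with administrative rights, and writes its own CSV layout (the product's EndpointAnalysis file format is not reproduced here).

```powershell
# Added example (not Application Control code): approximate an Endpoint Scan
# inventory with built-in cmdlets. Run locally on the endpoint as an administrator.
# Assumptions: the two registry keys and the Program Files folder are the ones the
# page lists; the CSV layout is this example's own, not the product's file format.

$uninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
$foldersKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders'
$programFiles = $env:ProgramFiles

function Get-InstalledApplication {
    # One record per Uninstall subkey that carries a DisplayName.
    Get-ChildItem -Path $uninstallKey -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                Name            = $_.DisplayName
                Publisher       = $_.Publisher
                Version         = $_.DisplayVersion
                InstallLocation = $_.InstallLocation
            }
        }
}

function Get-InstallerFolder {
    # Installer\Folders stores each folder path as a value name; the value data is not needed.
    $item = Get-Item -Path $foldersKey -ErrorAction SilentlyContinue
    if ($item) { $item.GetValueNames() | Where-Object { $_ } }
}

function Get-SignedBinary {
    param([string]$Root)
    # Walk .exe and .dll files and record the Authenticode signer for each one,
    # which is the per-dependent-file information the scan takes time to gather.
    # Status is Valid, NotSigned, HashMismatch or UnknownError.
    Get-ChildItem -Path $Root -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File       = $_.FullName
                Status     = $sig.Status
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
            }
        }
}

# Build the inventory and write it next to the script (output paths are this example's own).
$apps     = Get-InstalledApplication
$folders  = Get-InstallerFolder
$binaries = Get-SignedBinary -Root $programFiles

$apps     | Export-Csv -Path '.\installed-applications.csv' -NoTypeInformation
$folders  | Set-Content -Path '.\installer-folders.txt'
$binaries | Export-Csv -Path '.\program-files-binaries.csv' -NoTypeInformation

# Unsigned or tampered binaries are the ones to review before allowing them in a configuration.
$binaries | Where-Object { $_.Status -ne 'Valid' } | Format-Table File, Status -AutoSize
```

Like the real scan, the signature pass dominates the run time, so expect it to take minutes on an endpoint with a large Program Files tree. A 32-bit application on 64-bit Windows registers under the Wow6432Node mirror of the Uninstall key and installs under Program Files (x86); the page lists only the native locations, so this example does the same.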

Endpoint Analysis Preparation

For Endpoint Analysis to function, the following must be in place:

  • Application Control agent installed on the endpoint.
  • License installed on the endpoint.
  • Application Control configuration installed on the endpoint.
  • Administrative share rights to the endpoint.
  • Remote registry access to the endpoint.

Test that the Agent is Installed on the Endpoint

  1. On the Start menu select Control Panel.
  2. Select Administrative Tools.
  3. Double-click Services.
  4. Locate the Application Control Agent.

Test that the License is Installed on the Endpoint

  1. Launch the Registry Editor on the managed endpoint.
  2. Locate the license under HKLM\Software\AppSense Technologies\Licensing.

Test that the Configuration is Installed on the Endpoint

Configurations are stored in the following location: C:\ProgramData\AppSense\ApplicationManager\Configuration.

ProgramData is a hidden folder. Open Windows Explorer and type C:\ProgramData in the Address bar. Press Enter to open the folder.

Test that the Endpoint has Admin Share Rights

  1. Open Windows Explorer on the computer that has the Application Control console installed.
  2. In the Address bar enter \\<computername>\c$ and press Enter. If you can browse the folders, you have access rights. If not, you are prompted for user credentials that allow access.

Test that Remote Registry Access is Available

  1. Open the Registry Editor on the computer that has the Application Control console installed.
  2. Select File > Connect Network Registry.
  3. The Select Computer dialog is displayed.
  4. Locate the computer and click OK. If you can see the registry keys, you have access.

    On remote computers running Windows 7 and above, File Sharing and Remote Registry Service are disabled by default and must be enabled.

  5. Turn on File Sharing in Start > Control Panel > Network and Sharing Center.
  6. Start the Remote Registry Service in Start > Control Panel > Administrative Tools > Services.
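The five manual checks above can be run together from the console computer. The script below is an added example, not Application Control code: it queries the agent service, the admin share, the configuration folder, the Remote Registry service and the license key for one endpoint and reports each result. It assumes the service display name Application Control Agent and the registry and folder paths given on this page, and that it runs in Windows PowerShell 5.1, where Get-Service still accepts -ComputerName.

```powershell
# Added example (not Application Control code): check the Endpoint Analysis
# prerequisites for one remote endpoint from the console computer.
# Assumptions: the service display name and the registry/folder paths are as the
# page gives them; Windows PowerShell 5.1 (Get-Service -ComputerName is not in PowerShell 7).
param([Parameter(Mandatory)][string]$Computer)

$results = [ordered]@{ Endpoint = $Computer }

# 1. Agent service present on the endpoint (queried over RPC; needs admin rights there)
$svc = Get-Service -ComputerName $Computer -DisplayName 'Application Control Agent' -ErrorAction SilentlyContinue
$results['AgentService'] = if ($svc) { "$($svc.Status)" } else { 'missing' }

# 4. Admin share reachable (the same test as browsing \\<computername>\c$ in Explorer)
$adminShare = "\\$Computer\c$"
$results['AdminShare'] = Test-Path -Path $adminShare

# 3. Configuration folder present and non-empty, read through the admin share
$configPath = Join-Path -Path $adminShare -ChildPath 'ProgramData\AppSense\ApplicationManager\Configuration'
$configCount = (Get-ChildItem -Path $configPath -ErrorAction SilentlyContinue | Measure-Object).Count
$results['Configuration'] = (Test-Path -Path $configPath) -and ($configCount -gt 0)

# 5. Remote Registry service answering, then 2. license key present under HKLM
try {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $results['RemoteRegistry'] = $true
    $lic = $hklm.OpenSubKey('SOFTWARE\AppSense Technologies\Licensing')
    if ($lic) {
        # Treat the key as a license only if it actually holds values or subkeys.
        $results['License'] = ($lic.GetValueNames().Count + $lic.GetSubKeyNames().Count) -gt 0
        $lic.Close()
    } else {
        $results['License'] = $false
    }
    $hklm.Close()
} catch {
    # OpenRemoteBaseKey fails when the Remote Registry service is stopped or blocked by the firewall.
    $results['RemoteRegistry'] = $false
    $results['License'] = 'unknown (remote registry unavailable)'
}

[pscustomobject]$results
```

Run it as .\Test-EpaPrerequisites.ps1 -Computer LAPTOP01 (file and computer names are placeholders). Any False or missing entry maps directly to one of the six manual steps above; RemoteRegistry being False on Windows 7 and later usually means the Remote Registry service has not been started.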

Working with Endpoint Analysis

This feature provides the ability to perform the endpoint and Application Usage scans and to show all loaded files (child processes) for scanned applications and any digital certificates for the discovered applications.

It is recommended to include all loaded files in the configuration for an Accessible Item so that the application functions correctly. It is also useful to add any digital certificates to the Trusted Vendors in your configuration.

Add Endpoints

Endpoints must be specified before they can be scanned.

  1. Click the Endpoint Analysis navigation button.

    The Endpoint Analysis navigation tree displays.

  2. From the Endpoint Analysis ribbon, click Add Endpoint and select one of the following:
    • Browse Deployment Group - The Select Management Server dialog displays. Navigate to the deployment group location and select the required endpoints.
    • Browse Domain / Workgroup - The Add Endpoints for Analysis dialog displays. Enter the name or IP address or use the ellipsis (...) in the Computer field to select the required endpoints and click Add.

The endpoint displays in the Endpoint Analysis navigation tree. Once added, an endpoint can be used in Endpoint Analysis.

To remove an endpoint, highlight it and click the Remove Endpoint button in the Endpoint Analysis ribbon.

Installed Applications Scans

Run scans on selected endpoints within a specified domain. The scan checks the following directories and registry locations:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  • Program Files

Once the scan is complete, a report is generated detailing the applications and files installed on the scanned endpoints. Other information, such as DLLs and digitally signed files that are loaded as a result of running an application executable, is also captured.

Run an Endpoint Scan

Perform an Endpoint Scan on endpoints where the Application Control Agent is installed.

  1. Select the Endpoint Analysis navigation button.

    To run the Endpoint Scan, you must first add endpoints. For information, see Add Endpoints.

  2. Select an endpoint and click Run Endpoint Scan. To scan all the endpoints within the selected domain, click Run Scan for all Endpoints.
  3. The Endpoint Scan checks the following directories and registry locations:
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    • Program Files

The results of the Endpoint Scan display in the Installed Applications node, nested under the relevant endpoint. Details such as the Application Name, Application Description and Owner are available. For additional file information, use the following Endpoint Analysis ribbon buttons:

  • Show Loaded Files - Displays details of other files that are loaded by applications.
  • Show Digital Certificates - Displays details of certificates assigned to applications.

Application Usage Scans

Application Usage Scans detect all applications that run during the scan period and that have not been installed using Windows Installer technology (MSIs and MSPs), such as an executable that runs whilst extracting a ZIP file, in-house software, or Firefox. Start Application Usage Scans at any time to monitor actively used applications while users are logged on to an endpoint. Stop the usage scan at any time to generate a report and save it as an XML data file. The data file contains details of the applications used on the scanned endpoints.

Export the XML data file for archiving purposes or import the file to other endpoints. For example, as data from scans is only available on the endpoint that ran the scan, another administrator can import the exported data file and use the data to create an Application Control configuration.

Alternatively, the data file can be imported into the Rules Analyzer to troubleshoot the behavior of Application Control by using the information contained in the data file.

Run an Application Usage Scan

Perform an Application Usage Scan on a managed endpoint when a user is logged in.

  1. Click the Endpoint Analysis navigation button.

    The Endpoint Analysis navigation tree displays.

    To run the Application Usage Scan, you must first add endpoints. For information, see Add Endpoints.

  2. In the navigation tree, select the endpoint to be scanned.

    The Endpoint Summary work area displays.

  3. From the Endpoint Analysis ribbon, click Start Application Usage Scan.

    The Application Scan begins. The scan can be run for however long it takes for you to collect the required data and stopped when enough data has been collected.

  4. Click Stop Application Usage Scan to stop the scan and generate a report.

    The Save Report dialog displays.

  5. Enter a name for the report and click OK to save the data file.

The file is saved in XML format and created under the Recorded Data node for the selected endpoint.

Application Data

The application data can be seen in detail for both the Installed Applications Scan and the Application Usage Scan.

You can select to display the associated loaded files or the digital certificates:

  • Show Loaded Files - displays the Loaded files dialog. Drag and drop any of the files to add to the configuration.
  • Show Digital Certificates - displays the Certificates dialog. Drag and drop any of the certificates to add to any of the Trusted Vendors node in the configuration.

On occasion the same certificate is listed more than once, for example: Calc.exe loads Msvcrt.dll, Ntdll.dll and Msutil.dll. Calc.exe is signed with 'Microsoft Certificate A' and Ntdll.dll is also signed with 'Microsoft Certificate A'. Refer to the Signed File column to identify which file has been signed with which certificate.
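The loaded-files and certificate views above can be reproduced for a running process with built-in cmdlets. The script below is an added example, not Application Control code: it lists every module loaded by a process together with its signing certificate, then groups the list by certificate so that a certificate appearing several times is shown against each file it signs, which is the role the Signed File column plays in the Certificates dialog. It assumes the process name is passed as a parameter (Notepad by default) and that it runs in a PowerShell of the same bitness as the target process, since Modules only enumerates matching-bitness modules.

```powershell
# Added example (not Application Control code): show the files loaded by a running
# process and the certificate each one is signed with, then group by certificate.
# Assumptions: process name supplied as a parameter; PowerShell bitness matches the
# target process, otherwise .Modules is incomplete.
param([string]$ProcessName = 'notepad')

$proc = Get-Process -Name $ProcessName -ErrorAction Stop | Select-Object -First 1

# Per-file view: one row per loaded module, as in the Loaded Files dialog
$loaded = foreach ($m in $proc.Modules) {
    $sig = Get-AuthenticodeSignature -FilePath $m.FileName
    [pscustomobject]@{
        SignedFile  = $m.ModuleName
        Path        = $m.FileName
        Status      = $sig.Status
        Certificate = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        Thumbprint  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
    }
}

$loaded | Sort-Object Certificate, SignedFile | Format-Table SignedFile, Status, Certificate -AutoSize

# Per-certificate view: the same certificate once per file it signs, so a
# repeated subject such as the 'Microsoft Certificate A' case above is expected
# and the Files column tells the entries apart.
$loaded | Where-Object { $_.Thumbprint } | Group-Object -Property Thumbprint | ForEach-Object {
    [pscustomobject]@{
        Thumbprint  = $_.Name
        Certificate = $_.Group[0].Certificate
        FileCount   = $_.Count
        Files       = ($_.Group.SignedFile -join ', ')
    }
} | Sort-Object FileCount -Descending | Format-Table -AutoSize

# Anything unsigned or failing validation is what to look at before trusting the vendor.
$loaded | Where-Object { $_.Status -ne 'Valid' } | Format-Table SignedFile, Status, Path -AutoSize
```

Most Windows system DLLs are catalog-signed rather than carrying an embedded signature; Get-AuthenticodeSignature resolves the catalog on Windows 8 and later, so they still report a Microsoft signer. Grouping on the thumbprint rather than the subject avoids merging two distinct certificates that happen to share a subject name.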

Export an Endpoint Analysis Data File

Export data files to be imported into other endpoints or the Rules Analyzer.

  1. Select the endpoint from which the data file is to be exported.
  2. From the Endpoint Analysis ribbon, click Export.

    The Export browser dialog displays.

  3. Select a location to save the file.
  4. Click Save.

The data file is saved to the selected location and can be imported into other Application Control consoles or the Rules Analyzer.

Add Files to Configurations

Use the results of Endpoint Analysis to add rules, for applications and files, to the Application Control Configuration file. Drag and drop applications, files, DLLs, or certificates into the Group Rules available from the Rules node, accessed from the Configuration navigation button.

If you drag and drop files into any of the Accessible or Prohibited Items lists they are dropped in as files.

  • If files are placed in Accessible Items, any associated loaded files are automatically included.
  • If files are placed in Prohibited Items, any associated loaded files are not included, only the main application executable.

To add a certificate to any of the Trusted Vendors you can either drag and drop a file on to a Trusted Vendors node (if any certificates exist for that file they are added) or you can select Show Digital Certificates on the Endpoint Analysis ribbon to display the Certificates dialog. You can then drag and drop from that dialog into the configuration.

When you drag and drop files into a configuration, the digital signature for the file is always copied over as this is the most secure method for authenticating an application.
