Rules Analyzer

About Rules Analyzer

Standard auditing can be used to track unauthorized application usage or to track when users are overwriting/renaming applications. It is a simple mechanism to use and can function without interaction. The standard auditing mechanism advises you when an application has not, for example, been allowed to execute but does not advise why this was the case. Therefore, an additional tool is required so you can analyze the rules base in real time, and determine exactly why an application is or is not allowed to execute.

Rules Analyzer examines managed endpoints to collect information about how Application Control Rules are applied and provides details of any inconsistencies or inaccuracies in rules as they are processed. Rules Analyzer provides you with a graphical interface that can be used to manually troubleshoot and fine tune Application Control configurations in real time anywhere across the enterprise. All that is required is a network link to a remote Application Control managed endpoint so the Rules Analyzer can connect to the agent software and start logging on the local endpoint.

When the logging has completed you can use the Rules Analyzer to automatically pull the log file across the network back to the computer where the analysis is occurring for investigation. All logging information is held in XML format and each execution request that the Application Control agent processed is listed along with the details of what occurred during processing, including if the process was allowed to execute or not and the reason for the outcome.

The Console

The Rules Analyzer is accessed from the navigation pane within the Application Control console and is used to create, retrieve and examine the log files.

An Endpoint node allows you to control logging on a specific managed endpoint and to retrieve its log files. Below each Endpoint node is a node for each retrieved log file.

You can review a summary page, view all requests, or view the requests for a specific user. You can restrict the view to the denied or allowed requests. Within the analysis panel you can navigate to a specific request and view the full details of that request, including which rules were applied by Application Control.

You must be logged on with an account that has read and write access to the registry of every managed endpoint for which you want to generate logs with Rules Analyzer, and read and write access to the local registry of the computer on which the console runs.

Prerequisites

Test that the following are in place:

Set Up Logging for Rules Analyzer

The first requirement is to add an endpoint to the list of endpoints that the Rules Analyzer can interact with. The Rules Analyzer uses the default C$ share to communicate with the agent running on the target machine.

Add an Endpoint

Endpoints must be specified before rules are analyzed.

  1. Click the Rules Analyzer navigation button.

    The Rules Analyzer navigation tree displays.

  2. From the Rules Analyzer ribbon, click Add Endpoint and select one of the following:
    • Browse Deployment Group - The Select Management Server dialog displays. Navigate to the deployment group location and select the required endpoints.
    • Browse Domain / Workgroup - The Add Rules Analyzer Endpoints dialog displays. Enter the name or IP address or use the ellipsis (...) in the Computer field to select the required endpoints and click Add.
  3. The endpoint displays in the Rules Analyzer navigation tree. Once added, an endpoint can be analyzed by the Rules Analyzer.
  4. To remove an endpoint, highlight it and click the Remove Endpoint button in the Rules Analyzer ribbon.

Start and Stop Logging

  1. Select the endpoint in the navigation tree.
  2. Select Start Logging on the Rules Analyzer ribbon.
  3. When required, for example, after you have recreated a problem on the endpoint, select Stop Logging on the Rules Analyzer ribbon.

    The File dialog is displayed.

  4. Enter a name for the log file and click OK.
  5. The XML file is displayed in the navigation tree.

Rules Analyzer files can be large so this feature should only be used when a problem manifests itself and investigation is required.

Once you have created the log files, you can export them or delete them by selecting the files and using the Export and Delete buttons in the Rules Analyzer ribbon.

You can also import log files in XML format by selecting an endpoint and clicking Import in the Rules Analyzer ribbon.

Log Files

During logging, the log file is written on the endpoint itself and held temporarily in the following location:

C:\Documents and Settings\All Users\Application Data\AppSense\ApplicationManager\Rules Analyzer\RulesAnalyzerLog.xml

When logging is stopped on the specific endpoint, the log file is closed and transferred to the computer that is running the Rules Analyzer, where it is stored in the cache for the endpoint in question. The cache is held in the following location:

C:\Documents and Settings\All Users\Application Data\AppSense\ApplicationManager\Rules Analyzer\

The naming convention for the files is ComputerName^enteredname.xml. For example:

C:\Documents and Settings\All Users\Application Data\AppSense\ApplicationManager\Rules Analyzer\APPUKTECHPUBS2^Regedit.xml

The computer name is the name of the endpoint as it is entered in the user interface. Therefore, if it is an IP address it is stored as IPAddress^enteredname.xml.

The entered name is the name given to the XML file in the Rules Analyzer.

The Rules Analyzer console displays the information regarding execution requests in a number of ways to enable easy access to the details:

Rules Analyzer Tasks

Common Rules Analyzer tasks include:

  • Analyze a log file - To analyze a log file, select the log file node. The first page shown in the analysis work area is the summary page. You navigate inside the analysis panel by following links. Use the Return link at the top of the page to go back to the previous page.
  • View requests for a specific user - To view the requests for a specific user click one of the links in the table on the summary page. You can click in the Total column to see all the requests for the user and you can click in the Allowed column or the Denied column to see only the allowed or denied requests.
  • Find requests that take a long time - To find requests that take a long time click View the requests by processing time on the summary page. This shows the requests sorted, with the longest running request first. The processing time shown is the elapsed time taken by the Ivanti Application Control agent to process the request.
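As an added example (not the product's own code), the following Python script reproduces offline the views described above: it splits the ComputerName^enteredname.xml cache file name into its two parts, builds the per-user Total / Allowed / Denied summary, and sorts requests with the longest processing time first. The element and attribute names in the embedded sample log are assumptions, because this page does not document the schema of RulesAnalyzerLog.xml.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample log. Element and attribute names are assumptions:
# the real RulesAnalyzerLog.xml schema is not documented on this page.
SAMPLE_LOG = """<?xml version="1.0"?>
<RulesAnalyzerLog>
  <Request user="CORP\\alice" file="C:\\Windows\\regedit.exe"
           allowed="false" processingMs="12" reason="Denied by Trusted Ownership" />
  <Request user="CORP\\alice" file="C:\\Windows\\notepad.exe"
           allowed="true" processingMs="3" reason="Allowed by Trusted Ownership" />
  <Request user="CORP\\bob" file="C:\\Temp\\setup.exe"
           allowed="false" processingMs="41" reason="Denied by Prohibited Item" />
</RulesAnalyzerLog>"""

def parse_cache_filename(name):
    """Split 'ComputerName^enteredname.xml' or 'IPAddress^enteredname.xml'
    into (endpoint, entered_name)."""
    stem = name[:-4] if name.lower().endswith(".xml") else name
    endpoint, sep, entered = stem.partition("^")
    if not sep or not endpoint or not entered:
        raise ValueError("not a Rules Analyzer cache file name: %r" % name)
    return endpoint, entered

def load_requests(xml_text):
    """Return one dict per execution request recorded in the log."""
    root = ET.fromstring(xml_text)
    return [{"user": r.get("user"), "file": r.get("file"),
             "allowed": r.get("allowed") == "true",
             "ms": int(r.get("processingMs", "0")),
             "reason": r.get("reason", "")}
            for r in root.iter("Request")]

def summarize_by_user(requests):
    """Per-user Total / Allowed / Denied counts, as on the summary page."""
    summary = defaultdict(lambda: {"total": 0, "allowed": 0, "denied": 0})
    for req in requests:
        row = summary[req["user"]]
        row["total"] += 1
        row["allowed" if req["allowed"] else "denied"] += 1
    return dict(summary)

def by_processing_time(requests):
    """Requests sorted with the longest-running request first."""
    return sorted(requests, key=lambda r: r["ms"], reverse=True)

if __name__ == "__main__":
    reqs = load_requests(SAMPLE_LOG)
    print(summarize_by_user(reqs))
    print([(r["ms"], r["file"], r["reason"]) for r in by_processing_time(reqs)])
```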