Advanced Settings
Advanced Settings are accessed from the Manage ribbon and allow you to assign global settings to the Application Control Configuration file. Specify the required global components using the Policy Settings and Custom Settings tabs.
Policy Settings
Application Control Policy Settings are available in the Advanced Settings dialog and provide general Application Control settings to apply to all application and process execution requests.
General Features
Option | Description |
---|---|
Make local drives allowed by default | The configuration default for local drives is a blocklist, meaning that everything on the local drive is allowed unless it fails trusted ownership checking or is specified in a Denied Items list. Deselect this option to make the configuration an allowlist, so that everything on the local drive is blocked unless it is specified in an Allowed Items list. |
Allow cmd.exe for batch files | It is expected that administrators explicitly prohibit cmd.exe in their Application Manager configuration. When cmd.exe is denied, this option decides what happens to batch files. If the option is not selected and cmd.exe is explicitly denied, all batch files are blocked without being evaluated. If the option is selected and cmd.exe is explicitly denied, cmd.exe still can't be run on its own, but batch files are evaluated against Application Control rules and blocked if they fail the policy. If cmd.exe is not explicitly denied, all batch files run whether or not this option is selected. |
Ignore restrictions during logon | During logon the computer may execute a number of essential applications. Blocking these can cause the computer to function incorrectly, or not at all. Hence, this option is selected by default. |
Extract self-extracting ZIP files | A self-extracting file is an executable that contains a ZIP file and a small program to extract it. These files are sometimes used as an alternative to installing an application from an MSI file; a number of administrators prefer applications to be installed only from an MSI file. Only self-extracting EXEs formatted using the ZIP specification are supported. For additional information, see ZIP Specifications. This option allows a denied executable that is a self-extracting ZIP file to be extracted by the ZIP Extractor. By default the option is deselected: the self-extracting ZIP file is treated as a standard executable and is subject to the normal rule processing, so it can be prevented from executing (and hence from extracting its contents). When the option is selected, any executable content that is extracted is still subject to the normal Trusted Ownership checks and is prevented from executing if the user is not a Trusted Owner. This is useful where the self-extracting ZIP file contains non-executable content, such as a document that the user requires. |
Ignore Restrictions during Active Setup | By default, all applications which run during Active Setup are subject to Application Control rules. Select this option to make these applications exempt from rules checks during the Active Setup phase. |
Use Signature Rules only to allow files on removable media | Select this option (the default setting) to remove the global restrictions on removable media and switch to Signature Rules for governance. Removable media is whatever the call to GetDriveType determines it to be. Due to the nature of removable media, the drive letter may change depending on how an endpoint is set up; for example, on one computer the removable media drive may be identified as the E: drive and on another as F:. When this setting is enabled, a file on removable media can only be allowed with a Signature Rule. |
Deny files on network shares | The configuration default for network shares is an allowlist, meaning that everything on the network share is denied unless it is specified in an Allowed Items list. Deselect this option to make the configuration a blocklist, so that everything on the network share is allowed unless it fails trusted ownership checking or is specified in a Denied Items list. |
Validation
Option | Description |
---|---|
Validate System processes | Select this option to validate any files executed by the system user. Note that it is not recommended to select this option as it increases the amount of validation occurring on the endpoint computer and can block crucial applications from running. Selecting this option means all executables launched by the system are subject to rule validation. |
Validate WSH (Windows Script Host) scripts | Selecting this option specifies that the command line contents of scripts run using wscript or cscript are subject to rule validation. Scripts can introduce viruses and malicious code, so it is recommended to validate WSH scripts. |
Validate MSI (Windows Installer) packages | MSI files are the standard method of installing Windows applications. It is recommended that the user is not allowed to freely install MSI applications. Selecting this option means all MSIs are subject to rule validation. Deselecting this option means that only the Windows installer itself, msiexec.exe, is validated by the Application Control rule processing, and not the MSI file that it is trying to run. |
Validate Registry files | Select this option to enable rule validation for regedit.exe and regini.exe. Deselecting this option means that regedit.exe and regini.exe are no longer blocked by default, and the .reg script that regedit.exe or regini.exe is trying to run is no longer validated by Application Control rules processing. It is not recommended to allow users to access the registry or registry files. |
Validate PowerShell scripts | When enabled, this setting denies powershell.exe and powershell_ise.exe. However, if a PowerShell script (PS1 file) is found on the command line, it is subjected to a full rules check to see if it is configured for elevation, allowed, or denied. |
Block -Command | For security purposes, when enabled (the default in new configurations), any PowerShell command line that includes -command is blocked. To move to a different security level, an administrator needs to deselect this option. When running a PowerShell script from Explorer, by right-clicking a ps1 file and selecting Run with PowerShell, Explorer adds -command automatically to query the current Execution Policy and prompt the user asking whether they want to change it. For Application Control to evaluate ps1 files run via Explorer's right-click menu item Run with PowerShell, rather than just block them, disable the Block -Command option. See the Ivanti Community article Validate PowerShell scripts does not work if the command line contains "-command" for further details; you will need to log in to Ivanti Community to access it. Be aware that when this option is deselected, any trusted ps1 file can be modified with malicious code inserted via a -command argument and will run because the file itself is trusted. |
Validate Java archives | When enabled, this setting denies java.exe and javaw.exe. However, if a Java archive (JAR file) is found on the command line, it is subjected to a full rules check to see if it is allowed or denied. |
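The following PowerShell is an added example and is not part of this page or of Ivanti's product code. It models, as one function, the command-line decisions described in the General Features table (Allow cmd.exe for batch files) and the Validation table above (Validate PowerShell scripts, Block -Command, Validate Java archives), then runs it over constructed command lines. The function name Test-HostCommandLine, the keys of the settings hashtable, the decision strings and every sample command line are constructed for illustration; in particular the -command launch is a stand-in for the Explorer Run with PowerShell case the table mentions, not Explorer's actual command line.

```powershell
# Added example, not Ivanti code: a model of the documented command-line decisions.
# Setting names mirror the options on this page; the command lines below are constructed.
function Test-HostCommandLine {
    param(
        [Parameter(Mandatory)] [string] $CommandLine,
        [hashtable] $Settings = @{
            CmdExplicitlyDenied   = $true    # assumed: cmd.exe sits in a Denied Items list
            AllowCmdForBatchFiles = $false   # General Features > Allow cmd.exe for batch files
            ValidatePowerShell    = $true    # Validation > Validate PowerShell scripts
            BlockCommand          = $true    # Validation > Block -Command (default in new configurations)
            ValidateJavaArchives  = $true    # Validation > Validate Java archives
        }
    )
    # Tokenise: quoted arguments keep their spaces, then the quotes are stripped.
    $tokens = @([regex]::Matches($CommandLine, '"[^"]*"|\S+') | ForEach-Object { $_.Value.Trim('"') })
    $exe    = (($tokens[0] -split '[\\/]')[-1]).ToLowerInvariant()
    $rest   = @($tokens | Select-Object -Skip 1)

    switch ($exe) {
        'cmd.exe' {
            $batch = $rest | Where-Object { $_ -match '\.(bat|cmd)\b' } | Select-Object -First 1
            if (-not $Settings.CmdExplicitlyDenied) {
                return 'Allowed: cmd.exe is not denied, so batch files run regardless of the option'
            }
            if ($batch -and $Settings.AllowCmdForBatchFiles) {
                return "Evaluate: $batch is checked against the rules; cmd.exe alone stays denied"
            }
            if ($batch) { return "Blocked: cmd.exe is denied and $batch is not even evaluated" }
            return 'Blocked: cmd.exe is denied'
        }
        { $_ -in 'powershell.exe', 'powershell_ise.exe' } {
            if (-not $Settings.ValidatePowerShell) { return 'Not validated: Validate PowerShell scripts is off' }
            if ($Settings.BlockCommand -and ($rest | Where-Object { $_ -ieq '-command' })) {
                return 'Blocked: Block -Command is on and the command line contains -command'
            }
            $script = $rest | Where-Object { $_ -match '\.ps1\b' } | Select-Object -First 1
            if ($script) { return "Evaluate: full rules check (elevate/allow/deny) for $script" }
            return "Blocked: $exe is denied and no PS1 file is on the command line"
        }
        { $_ -in 'java.exe', 'javaw.exe' } {
            if (-not $Settings.ValidateJavaArchives) { return 'Not validated: Validate Java archives is off' }
            $jar = $rest | Where-Object { $_ -match '\.jar\b' } | Select-Object -First 1
            if ($jar) { return "Evaluate: full rules check (allow/deny) for $jar" }
            return "Blocked: $exe is denied and no JAR file is on the command line"
        }
        default { return 'Out of scope here: normal rule processing applies' }
    }
}

# Constructed command lines (not captured from a real endpoint)
$samples = @(
    'cmd.exe /c "C:\Scripts\nightly.bat"',
    'C:\Windows\System32\cmd.exe',
    'powershell.exe -ExecutionPolicy Bypass -File "C:\Scripts\inventory.ps1"',
    # stand-in for the Explorer "Run with PowerShell" launch, which adds -command
    'powershell.exe -command "& ''C:\Scripts\inventory.ps1''"',
    'powershell.exe -NoProfile',
    'javaw.exe -jar "C:\Tools\report.jar"',
    'notepad.exe C:\readme.txt'
)
foreach ($cl in $samples) { '{0,-72} {1}' -f $cl, (Test-HostCommandLine -CommandLine $cl) }

# The same Explorer-style launch after an administrator deselects Block -Command:
$relaxed = @{ CmdExplicitlyDenied = $true; AllowCmdForBatchFiles = $false
              ValidatePowerShell = $true; BlockCommand = $false; ValidateJavaArchives = $true }
Test-HostCommandLine -CommandLine $samples[3] -Settings $relaxed
```

With the default settings the Explorer-style launch is reported as blocked because of -command, and only when BlockCommand is turned off does the model reach the PS1 file and hand it to the rules check; that is the trade-off the Block -Command row describes, since the same relaxed setting is what lets a -command argument ride along with a trusted ps1.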
Functionality
Option | Description |
---|---|
Enable Application Access Control | Select to enable Application Access Control. Deselect to not validate or block executables. |
Enable Application Network Access Control | Select to enable the Application Network Access Control feature. Deselect to not validate or block outbound network connections. |
Enable User Privilege Management | Select to enable the User Privilege Management feature. Deselect to not apply any User Privilege policies. Disabling this option allows all applications to run with the permissions and privileges provided by default by the operating system; Application Control ignores anything in the User Privileges section of the rules and does not change any of the user's privileges. |
Enable URL Redirection | Select to enable the URL Redirection feature. If you deselect this option, configured redirections are ignored and users are not redirected when they enter a suspicious or unwanted URL; any URL allows you have configured will also not take effect. Deselecting this option has the same effect as having no items in the Browser Control policy set while the feature is selected. When you disable this feature the browser extensions are disabled. See also Browser Control. |
Signatures
Option | Description |
---|---|
Algorithm | Select the algorithm type. There are three options available: SHA1, SHA256 and Adler32. For more information, see Signature Hashing. |
Custom Settings
Custom Settings allow you to configure additional settings which will be applied on managed endpoints when an Application Control configuration is deployed. If a new configuration is deployed that contains new custom settings, any pre-existing custom settings in place on the endpoint will be deleted. Refer to Select Events to Raise for more information about event auditing.
Manage Custom Settings
- Open a configuration in the Application Control Console and navigate to the Manage ribbon.
- Click Advanced Settings and select the Custom Settings tab.
- Click Add to display a list of custom settings.
- Select the settings you want to configure and click Add. The selected settings are added to the Configure Custom Settings list. Settings which are added will be configured on the endpoint. However, any setting which already exists on an endpoint will be used.
- Set the values as required (refer to the Available Custom Settings table).
- Click OK.

The settings are applied when the configuration is deployed to your managed endpoints.
Available Custom Settings
Additional Engineering Key - GroupSidRefresh
Application Control requires the Security Identifier (SID) of all Group Rules to successfully perform rule matching. With this engineering key set, the agent will resolve the SID of the Group Rule at runtime whilst the endpoint is online and write it back into the Configuration (AAMP file). This can be useful if the endpoint is subsequently used offline as the SID stored in the configuration will be used.
The Application Control Console will resolve the SID if possible when the configuration is saved. This setting is only needed if the console could not perform the group SID lookup.
Setting | Value |
---|---|
Key | HKLM\Software\Appsense Technologies\Application Control\Engineering |
Name | GroupSidRefresh |
Type | String (REG_SZ) |
Parameters | 0 - Off; 1 - only resolve groups that currently have no SID values; 2 - resolve all group SIDs (useful if the domain is specified by an environment variable, so it is subject to change). |
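As an added example that is not part of this page or of Ivanti's software, the PowerShell below sets, reads back and type-checks the GroupSidRefresh engineering key directly on an endpoint, for instance when checking what a deployed configuration left in place. The key path, value name, REG_SZ type and the 0/1/2 parameters are taken from the table above; the function names Set-GroupSidRefresh and Get-GroupSidRefresh are assumed. Because the key lives under HKLM it must run in an elevated session.

```powershell
# Added example, not Ivanti code. Key path, value name, type and parameters come from
# the table above; the two function names are assumed. Requires an elevated session.
$EngineeringKey = 'HKLM:\Software\Appsense Technologies\Application Control\Engineering'
$ValueName      = 'GroupSidRefresh'

function Set-GroupSidRefresh {
    param(
        # 0 = off, 1 = resolve only groups with no stored SID, 2 = resolve all group SIDs
        [Parameter(Mandatory)] [ValidateSet('0', '1', '2')] [string] $Mode
    )
    if (-not (Test-Path -LiteralPath $EngineeringKey)) {
        # -Force also creates any missing intermediate keys
        New-Item -Path $EngineeringKey -Force | Out-Null
    }
    # The table specifies REG_SZ, so the digit is written as a String, not a DWord
    New-ItemProperty -LiteralPath $EngineeringKey -Name $ValueName -Value $Mode `
                     -PropertyType String -Force | Out-Null
}

function Get-GroupSidRefresh {
    # Returns $null when the value is absent, otherwise the value and its registry kind
    $item = Get-ItemProperty -LiteralPath $EngineeringKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $kind = (Get-Item -LiteralPath $EngineeringKey).GetValueKind($ValueName)
    [pscustomobject]@{ Value = $item.$ValueName; Kind = $kind }
}

# Report what is already on the endpoint first: the Custom Settings steps note that a
# setting already present on an endpoint is the one that is used when a configuration deploys.
$existing = Get-GroupSidRefresh
if ($existing) { "Existing $ValueName = $($existing.Value) ($($existing.Kind))" }
else           { "$ValueName is not set" }

# Mode 1: resolve only the groups whose SID is still missing from the configuration
Set-GroupSidRefresh -Mode '1'
$now = Get-GroupSidRefresh
if ($now.Kind -ne [Microsoft.Win32.RegistryValueKind]::String) {
    throw "$ValueName must be REG_SZ, found $($now.Kind)"
}
"$ValueName is now $($now.Value) ($($now.Kind))"
```

The type check matters because a value created by hand as a DWORD would look right in the editor but would not match the REG_SZ type the table specifies; the ValidateSet on the parameter likewise keeps the value to the three documented parameters.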
Self-Elevation File Associations
For further information, see Self-Elevation File Associations.