Configuration Settings
You can define message settings and advanced settings for each configuration.
Message Settings
Message Settings define how message boxes are displayed to users, and the content of the messages shown when users attempt to launch applications, in line with the configuration rules.
You can define the following user messages:
- Access Denied: Define the message that displays when execution of an application is denied.
You can disable this message for the user on a per deny rule item basis, in the Rule Item Settings panel > Properties tab > Options section.
- Elevation Prompts: Define the messages that display when elevated rights are required to execute an application:
  - Define the message that displays when elevated rights are required to run an application. This message prompt can be enabled per elevate rule item in the Rule Item Settings panel > Properties tab > Policy section.
  - Define the message that displays when elevated rights are required and a reason must be provided to run an application. This message prompt can be enabled per elevate rule item in the Rule Item Settings panel > Properties tab > Policy section.
For each type of message, define the following:
- Caption: The text to display at the top of the message. For example, you can change the default caption, App Control, so that the user is not aware that App Control has intervened.
- Banner: Enter the text to display in the colored banner. To remove the colored banner from the message box, simply clear this field so it remains empty.
- Message body: Enter the text to display in the body of the message.
- Width: Specify the width of the message dialog. The width is measured in pixels and applies to all messages.
- Height: Specify the height of the message dialog. The height is measured in pixels and applies to all messages.
Message Tips
When configuring messages, consider the following:
- Environment variables are supported for the caption, banner, and the message.
- When using hyperlinks in the message body, the full HREF attribute tag must be entered.
- If less-than or greater-than angle brackets are to be displayed in the message body, use the HTML entities &lt; and &gt; respectively. JavaScript is not supported.
Message Box Environment Variables
Messages support System and User environment variables and the following App Control defined variables:
Environment Variable | Description |
---|---|
%ExecutableName% | The name of the denied application. |
%FullPathName% | The full path of the denied application. |
%DirectoryName% | The directory where the denied application is located. |
%NetworkLocation% | The resolved IP address of the given host name. |
%AC_Hash% | The file hash. |
%AC_FileSize% | The size of the file. |
%AC_ProductVersion% | The version of the product. |
%AC_FileVersion% | The version of the file. |
%AC_ProductName% | The name of the product. |
%AC_CompanyName% | The name of the company. |
%AC_Vendor% | The name of the certificate signer. |
%AC_FileDescription% | The description of the file. |
%AC_ParentProcess% | The name of the process that started the application. |
%AC_DecidingRule% | The name of the allow rule in the App Control configuration. |
%AC_FileOwner% | The owner of the file. |
%AC_ClientName% | The name of the connecting device. |
%AC_PortNumber% | The network port, only if applicable. If the port number is not 0, it is displayed at the end of the blocked IP address. |
Advanced Settings
Policy Settings
Configure general, validation, and functionality policy settings to apply to all application execution requests.
General Features
- Deny files on network shares: The configuration default for network shares is to deny everything unless it is specified in an Allow rule. When this setting is disabled, everything on the network share is allowed, unless it fails trusted ownership checking, or is specified in a deny rule.
Validation
- Validate MSI (Windows Installer) packages: MSI files are the standard method of installing Windows applications. It is recommended that users are not allowed to freely install MSI applications.
When enabled, the default setting, running msiexec.exe is denied and all MSIs are subject to rule validation.
When this setting is disabled, msiexec.exe is not blocked and MSI files are allowed to run, subject to rule validation.
- Validate PowerShell scripts: When enabled, running powershell.exe and powershell_ise.exe is denied. However, if a PowerShell script (PS1 file) is found on the command line, it is subjected to rule validation.
When disabled, the default setting, powershell.exe and powershell_ise.exe are no longer blocked, and PS1 files are no longer subjected to rule validation.
- Block -Command: When enabled, the default setting, any PowerShell command line that includes -Command is blocked.
To change the security level you may want to deselect this option, which disables the blocking of -Command.
Example: In File Explorer, right-click a PS1 file then select Run with PowerShell. Explorer adds -Command automatically to query the current execution policy and prompt the user to ask whether they want to change it. For App Control to evaluate PS1 files run this way, and not just block them, disable the Block -Command option. Be aware that when this option is disabled, a command line that runs a trusted PS1 file can also carry malicious code in its -Command argument, and that code will run because the file itself is trusted.
- Allow CMD for batch files: It is expected that administrators will explicitly prohibit cmd.exe in their App Control configuration.
When enabled, the default setting, cmd.exe is allowed to run. If a rule explicitly denies cmd.exe, cmd.exe is not allowed to run on its own; however, batch files run subject to rule validation.
When this setting is disabled, cmd.exe is not allowed to run and all batch files are allowed to run. If a rule explicitly denies cmd.exe, all batch files are blocked; they are not even evaluated.
- Validate WSH (Windows Script Host) scripts: Scripts can introduce viruses and malicious code, therefore it is recommended to validate WSH scripts.
When enabled, the default setting, cscript.exe and wscript.exe are denied. However, JS or VB scripts run subject to rule validation.
When this setting is disabled, cscript.exe and wscript.exe are no longer blocked by default, and JS or VB scripts are no longer subjected to rule validation.
- Validate Registry files: When enabled, the default setting, regedit.exe and regini.exe are denied. Running a .reg script is subject to rule validation.
When this setting is disabled, regedit.exe and regini.exe are no longer blocked by default. Additionally, .reg scripts are no longer subjected to rule validation.
- Validate Java archives: When enabled, the default setting, java.exe and javaw.exe are denied. However, if a Java archive (JAR file) is found on the command line, it is subject to rule validation.
When this setting is disabled, java.exe and javaw.exe are no longer blocked by default, and JAR files are no longer subjected to rule validation.
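The interplay of these validation settings is easiest to see as a decision model. The following Python is an added example, not App Control's own code: it applies the documented outcome (interpreter denied, script handed to rule validation, or not intercepted by these settings) to a command line, using the defaults stated above. It assumes that the Block -Command check applies to any PowerShell command line independently of Validate PowerShell scripts, as the text describes, and that "js or vb scripts" means .js and .vbs files; the command lines it is run against are constructed.

```python
import ntpath
import re
# Constructed model of the "Validation" settings above, with the defaults the page states.
DEFAULTS = {
    "validate_powershell": False,  # disabled by default
    "block_command": True,         # enabled by default
    "validate_msi": True,
    "validate_wsh": True,
    "validate_registry": True,
    "validate_java": True,
}

# Interpreter -> (setting that governs it, script extensions handed to rule validation)
# The .js/.vbs extensions for "js or vb scripts" are an assumption.
INTERPRETERS = {
    "powershell.exe": ("validate_powershell", (".ps1",)),
    "powershell_ise.exe": ("validate_powershell", (".ps1",)),
    "msiexec.exe": ("validate_msi", (".msi",)),
    "cscript.exe": ("validate_wsh", (".js", ".vbs")),
    "wscript.exe": ("validate_wsh", (".js", ".vbs")),
    "regedit.exe": ("validate_registry", (".reg",)),
    "regini.exe": ("validate_registry", (".reg",)),
    "java.exe": ("validate_java", (".jar",)),
    "javaw.exe": ("validate_java", (".jar",)),
}

def find_script(cmdline, exts):
    """Return the first path on the command line ending in one of exts ("quoted", 'quoted' or bare)."""
    for ext in exts:
        e = re.escape(ext)
        pattern = rf'"([^"]*{e})"|\'([^\']*{e})\'|([^\s"\'&;|]+{e})(?![\w.])'
        match = re.search(pattern, cmdline, re.IGNORECASE)
        if match:
            return next(g for g in match.groups() if g)
    return None
def evaluate(cmdline, **overrides):
    """Documented outcome for one command line: 'DENIED', 'VALIDATE <script>' or 'NOT_INTERCEPTED'."""
    cfg = {**DEFAULTS, **overrides}
    head = re.match(r'\s*"?([^"\s]+)', cmdline)
    exe = ntpath.basename(head.group(1)).lower() if head else ""
    if exe not in INTERPRETERS:
        return "NOT_INTERCEPTED"  # not governed by these settings; ordinary rules still apply
    setting, exts = INTERPRETERS[exe]
    # Block -Command takes precedence over PS1 validation, as the Explorer example above shows.
    if exe.startswith("powershell") and cfg["block_command"] and re.search(r"(^|\s)-command(\s|$)", cmdline, re.I):
        return "DENIED"
    if not cfg[setting]:
        return "NOT_INTERCEPTED"  # interpreter no longer blocked, its scripts no longer validated
    script = find_script(cmdline, exts)
    return f"VALIDATE {script}" if script else "DENIED"  # a bare interpreter is denied
```

Running the Explorer command line through the model with Block -Command on and then off shows the trade-off the example describes: blocked outright, or the PS1 file passed to rule validation with whatever else -Command carries.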
Functionality
- Enable Application Access Control: When enabled, access control is enforced by the configuration deny rules.
When this setting is disabled, all deny rules are ignored and no application access is denied, so everything is allowed.
- Enable User Privilege Management: When enabled, user privileges are determined by the configuration elevate rules.
When this setting is disabled, all elevate rules are ignored and no application elevation is allowed.
Custom Settings
Configure additional settings to apply to managed endpoints:
- Driver Hook Exclusions: Select to exclude driver hooks when running App Control. App Control injects a DLL into all running processes to help it intercept and modify a process's behavior, for example to allow or elevate it. This exclusion means the App Control DLL is not injected into the listed processes.
Enter the file names to create the driver hook exclusion list, using a semicolon to separate the file names.
This custom setting should only be used under the guidance of Ivanti Technical Support.
- App Control Driver Exclusions: Select to exclude the App Control driver from intercepting the process start request for the specific processes listed. App Control has a driver that prevents a process from starting until checks have been run, such as rule matching or trusted ownership. This exclusion prevents the driver from intercepting the start request.
Enter the file names to create the filter driver exclusion list, using a semicolon or a space to separate the file names. This setting requires an agent restart to take effect.
- Show Message For Blocked DLLs: Select to display the App Control access denied message when a DLL is blocked.
- Config File Protection: Select to prevent users and administrators from reading, copying, editing, and deleting the App Control configuration file on the endpoint.
Auditing Settings
Configure the general settings for auditing.
- Raise App Control events to the local Application Event Log: Select to enable App Control auditing. All App Control events are captured in the local Windows Application Event Log.
Event ID | Name | Description |
---|---|---|
9018 | Application user privileges changed | The application's user privileges have changed. |
9060 | Denied execution (Trusted Ownership) | Denied execution request (Trusted Ownership). |
9061 | Denied execution (Rule Policy) | Denied execution request (Rule Policy). |
9062 | Application started elevated | An application started with elevated (full admin) rights. |