Frequently Asked Questions

The chart data is populated from events App Control generates. This data is processed nightly, therefore event data will appear the following day. See App Control Overview for more details.

To optimize performance, data is only processed outside of normal working hours for the environments time zone. There is currently no way to force the event data to be processed ad hoc.

To optimize efficiency and performance, App Control retains detailed data for 30 days. However, the aggregations used in the product performance charts are preserved for a longer period, allowing you to observe trends over the last 6 months. See Product Performance charts for more details.

This is done via Agent Policy. Once an App Control configuration has been published, it will be available to select in an Agent Policy. Agent Policies can be found in the main menu Agents > Agent Policies. Create, or select to edit a policy, in the Capabilities section enable the App Control Capability and select the configuration to assign to the policy for deployment. See Deploy a Configuration for more details.

Currently there is no way to import an existing UWM Application Control configuration into App Control for Neurons.

This will most likely be because the file is not owned by a Trusted Owner. See App Control introduction for further details on Trusted Ownership.

If the configuration has the security level set to Audit mode, events will be raised stating what App Control would have done, but no action is taken. For that, the configuration security level needs to be set to Restricted mode. See App Control Configurations for more details on Security Levels.

If any of the users are Administrators, nothing will be blocked. This is because Administrators are exempt from App Control.

This is because of the way App Control blocks script files. For supported script hosts, if the main executable is blocked, the script itself will be passed through the rules. The blocking of supported script hosts is controlled via the related options in Configuration Settings > Advanced Settings > Validation. See Configuration Settings for more details on Validation.

If the relevant validation options are enabled, script files (PS1, VB script, MSI etc) will be processed by the rules like any other executable.
For example, to allow a particular PS1 file to run, create an allow rule with the filename of c:\pathtoPS1\Script_I_Want_To_Run.ps1.
This script should be in a location in which the user does not have write access, otherwise they could modify the file. Alternatively, ensure the script is owned by a Trusted Owner, and deselect the Allow file to run even if not owned by a trusted owner. In that case, if the user does modify the file, they become the new owner and the file will be blocked by default. See Rule Item Settings for more details.

Ensure the Allow CMD for batch files is enabled in Configuration Settings > Advanced Settings > Validation. See Configuration Settings for more details on Validation.

Ensure there is a Deny rule for cmd.exe.

BAT files will now be processed through the rules engine like any other file and be subject to trusted ownership checking.

One way to do this would be to enable event logging on the endpoint. The events that are raised will contain the rule name as to why something was blocked\elevated. That option can be found under Configuration Settings > Auditing Settings. The blocked events have ID 9060 and 9061. Elevated events have an ID of 9018. See Auditing Settings for more details.