Authorizing, Denying, and Trusting Files from Logs
You can authorize, deny, or trust files directly from Application Control Log Queries. This is a convenient way to manage files added after an application scan.
You may need to authorize files added to an endpoint after an application scan (Easy Lockdown, for example). One method is to rescan the endpoint to add the new files to the whitelist. But this takes time, impacts endpoint performance, and can result in unwanted files being whitelisted.
It is more convenient to review a log query (for example, All Denied Application Events), identify the required files, and authorize them directly from the log. This adds the files to a Supplemental Easy Lockdown/Auditor policy. Similarly, you can add installer files to a Trusted Updater policy directly from the logs.
You may also need to deny files authorized after Easy Lockdown by an end user with Local Authorization privileges. You can review an All Applications Executed By Local Authorization report, select the unwanted files, and add them to a Denied Applications policy.
If you are unsure what to do with a file, you can add it to Application Library first and then decide later what type of policy to apply to it. See Adding Files to Application Library for more information.
Most Application Control Log Query types return a list of files and display the Authorize, Deny, and Trust buttons, which are enabled when one or more files are selected.
The All Memory Injection Detection Events and the All Updaters Added by Trusted Updaters queries do not display these buttons as their actions are not applicable to the files listed.
Authorizing Files from Logs
You can authorize files directly from an Application Control Log Query.
Prerequisites:
You have run a log query (for example, All Denied Application Events) and determined that one or more of the files that have been blocked should be authorized to run.
- Select Review > Application Control Log Queries.
  The Application Control Log Queries page opens, displaying a list of completed queries.
- In the Query Name column, click the name of the log query.
  The Query Results page opens, displaying the detailed results of the query.
- Select the file(s) that you want to authorize.
  The Authorize button is enabled.
- Click Authorize.
  The Authorize Selected Files dialog opens.
  Note: The All Memory Injection Detection Events and the All Updaters Added by Trusted Updaters queries do not display this button.
- Authorize the selected file(s) using one of the following methods:
  - New policy (this option is selected by default):
    - Click the Create a new Supplemental Easy Lockdown/Auditor Policy option.
    - Click OK.
      The Authorize Selected Files dialog changes to the first screen of the Supplemental Easy Lockdown/Auditor wizard. See Creating a Supplemental Easy Lockdown/Auditor Policy to complete the procedure. When you click Finish, the wizard closes and a Policy Created confirmation dialog is displayed.
    - Click Close.
  - Existing policy:
    - Click the Add to one or more existing policies option.
    - Select one or more of the existing policies.
      You can click View details to review the policies first, paying particular attention to the users or endpoints that are affected.
    - Click OK.
      The Authorize Selected Files dialog closes and a Policies Updated confirmation dialog is displayed.
    - Click Close.
  The selected file(s) are added to one or more Supplemental Easy Lockdown/Auditor policies.

Result: One or more files listed in an Application Control Log Query have been authorized to run.
Denying Files from Logs
You can deny files directly from an Application Control Log Query.
Prerequisites:
You have run a log query (for example, All Applications Executed By Local Authorization) and determined that one or more of the files that have been authorized should be denied.
- Select Review > Application Control Log Queries.
  The Application Control Log Queries page opens, displaying a list of completed queries.
- In the Query Name column, click the name of the log query you want to view.
  The Query Results page opens, displaying the detailed results of the query.
- Select the file(s) that you want to deny.
  The Deny button is enabled.
- Click Deny.
  The Deny Selected Files dialog opens.
  Note: The All Memory Injection Detection Events and the All Updaters Added by Trusted Updaters queries do not display this button.
- Deny the selected file(s) using one of the following methods:
  - New policy (this option is selected by default):
    - Click the Create a new Denied Application Policy option.
    - Click OK.
      The Deny Selected Files dialog changes to the first screen of the Denied Application Policy wizard. See Creating a Denied Applications Policy to complete the procedure. When you click Finish, the wizard closes and a Policy Created confirmation dialog is displayed.
    - Click Close.
  - Existing policy:
    - Click the Add to one or more existing policies option.
    - Select one or more of the existing policies.
      You can click View details to review the policies first, paying particular attention to the users or endpoints that are affected.
    - Click OK.
      The Deny Selected Files dialog closes and a Policies Updated confirmation dialog is displayed.
    - Click Close.
  The selected file(s) are added to one or more Denied Applications policies.

Result: One or more files listed in an Application Control Log Query have been denied from running.
Trusting Files from Logs
You can trust installer files directly from an Application Control Log Query.
Prerequisites:
You have run a log query (for example, All Denied Application Events) and determined that one or more installer files need to be treated as a Trusted Updater.
- Select Review > Application Control Log Queries.
  The Application Control Log Queries page opens, displaying a list of completed queries.
- In the Query Name column, click the name of the log query you want to view.
  The Query Results page opens, displaying the detailed results of the query.
- Select the installer file(s) that you want to trust.
  The Trust button is enabled.
- Click Trust.
  The Trust Selected Files dialog opens.
  Note: The All Memory Injection Detection Events and the All Updaters Added by Trusted Updaters queries do not display this button.
- Trust the selected file(s) using one of the following methods:
  - New policy (this option is selected by default):
    - Click the Create a new Trusted Updater/Installer policy option.
    - Click OK.
      The Trust Selected Files dialog changes to the first screen of the Trusted Updater wizard. See Creating a Trusted Updater Policy to complete the procedure. When you click Finish, the wizard closes and a Policy Created confirmation dialog is displayed.
    - Click Close.
  - Existing policy:
    - Click the Add to one or more existing policies option.
    - Select one or more of the existing policies.
      You can click View details to review the policies first, paying particular attention to the users or endpoints that are affected.
    - Click OK.
      The Trust Selected Files dialog closes and a Policies Updated confirmation dialog is displayed.
    - Click Close.
  The selected file(s) are added to one or more Trusted Updater policies.

Result: One or more installer files listed in an Application Control Log Query are able to run as Trusted Updaters.
Viewing Policy Details
The View Policy Details dialog shows detailed information on the relevant Application Control policy.
This dialog is displayed when you click the View details link for an existing Supplemental Easy Lockdown/Auditor Policy, Denied Applications Policy, or Trusted Updater Policy (the policy types that can be assigned directly from an Application Control log query).
Item | Description
---|---
Policy name | The name of the policy.
Type | One of the following policy types:
Logging | On or Off (not applicable to Trusted Updaters)
List |
Assigned list | The policy can be assigned to the following: