Management and Security powered by Landesk

Agent settings: Application Control

Tools > Security and Compliance > Agent settings > Security > Endpoint security > Application control

Use this dialog box to create and edit an endpoint security (EPS) application control setting (configuration file). When creating EPS settings, you first define the general requirements and actions, and then add specific file certifications. You can create as many EPS settings as you like and edit them at any time.

If you want to modify the device default EPS settings without reinstalling the EPS agent or re-deploying a full agent configuration, make your changes to any of the options on the EPS settings dialog box, assign the new settings to a Change settings task, and then deploy that task to targeted devices.

This dialog box contains the following pages:

About the General settings page

Use this page to configure the general protection settings and actions for EPS.

  • Name: Identifies the EPS settings with a unique name. This name appears in the EPS settings list on an Install or Update security components task dialog box.
  • Protection settings: Provides two types of protection: EPS and whitelist. You can select one or both. Both protection types use the same operating mode, which you select on the Mode configuration page. (NOTE: This general protection enforcement has one exception. If you specify the Learn protection mode and have the Whitelist-only learning option selected, only whitelist applications are learned and EPS protection is set to the automatic blocking mode.)
    • Enable application behavior protection: Turns on EPS protection, allowing all programs to run (except when the program operation threatens system security) as defined by predefined protection rules. You can grant special rights to program files via trusted file lists by configuring custom file certifications. EPS protection observes application behavior (whether the application is allowed to modify another executable, modify the registry, and so on) and enforces security rules.
      • Use Buffer Overflow Protection: Protects devices from system memory exploits that take advantage of a program or process that is waiting on user input.

        NOTE: Buffer Overflow Protection (BOP) can be enabled on a 32-bit Windows device regardless of whether the processor has NX/XD (No eXecute / eXecute Disable) support. If the processor doesn't have NX/XD support, it is emulated. However, if the processor has NX/XD support but it's turned off in either the BIOS or boot configuration, BOP can't be enabled. Note that the Endpoint Security client displays whether BOP is enabled or disabled on the end-user device. BOP is not supported on 64-bit Windows devices because the Kernel Patch Protection (KPP) feature prevents patching the kernel.

        IMPORTANT: We strongly recommend that you first test Buffer Overflow Protection (BOP) on your specific hardware configurations before doing a wide-scale deployment to the managed devices on your network.
      • Restrict access to physical drives: Blocks access to the master boot record (MBR), helping protect clients from ransomware that encrypts the MBR.
      • Auto-detect and blacklist crypto-ransomware: The EPS agent watches for encryption processes; if one is detected, EPS kills the process, tries to remove it from startup, and adds it to the blacklist. EPS detects encryption processes as soon as possible, but it is likely that some files will be encrypted before the process can be killed. We recommend you use file protection rules to protect files from being encrypted by ransomware.
    • Enable whitelist protection: Turns on whitelist protection. This means only those applications that are in a trusted file list, and whose file certification has the Allow execution option enabled, are allowed to run.
    • Prevent Windows Explorer from modifying or deleting executable files: Enable this option if you don't want Windows to be able to modify or delete any executable files.
    • Treat "good reputation" files as if they are in the associated trusted file list: Whitelists files that are in the Ivanti-hosted database of known good files. For more information, see Using file reputation to restrict applications.
    • Treat "bad reputation" files as if they are in the blacklist: Blacklists files that are in the Ivanti-hosted database of known bad files.
  • Action to take: Determines the action taken when a program is added to the device's Startup folder. This option provides a second line of defense for authorizing processes in the system startup folder. EPS monitors the contents of startup and if it finds a new process, it performs the action you select (Alert and prompt for action; Always allow the program to run; or Remove the program from the Startup without alerting).
  • Set as default: Assigns this setting as the default setting for tasks that use EPS settings.
  • ID: Identifies this particular setting. This information is stored in the core database and can be used to keep track of each setting.
  • Save: Saves your changes and closes the dialog box.
  • Cancel: Closes the dialog box without saving your changes.

About the Mode configuration page

Use this page to configure the operating mode of EPS protection.

  • Host intrusion prevention mode: Specifies protection behavior when EPS protection is enabled. Choose from one of the following operating methods:
    • Blocking: Security violations are blocked AND recorded in an action history file on the core server.
    • Learning: All application security violations are allowed, but application behavior is observed (or learned) and that information is sent back to the core database in a Trusted File List. Use this mode to discover application behavior on a specific device or set of devices, and then use that information to customize your EPS policies before deploying them and enforcing EPS protection throughout the network.
    • Log only: Security violations are allowed AND recorded in an action history file on the core server.
    • Silent: Security violations are blocked and are NOT recorded in an action history file on the core server.
  • Whitelist mode: Specifies protection behavior when whitelist protection is enabled—only applications in a Trusted File List and with the whitelist designation (applications whose file certification has the Allow execution option enabled) are allowed to run and are learned. Choose from one of the following operating methods:
    • Blocking: Security violations are blocked AND recorded in an action history file on the core server.
    • Learning: All application security violations are allowed, but application behavior is observed (or learned) and that information is sent back to the core database in a Trusted File List. Use this mode to discover application behavior on a specific device or set of devices, and then use that information to customize your EPS policies before deploying them and enforcing EPS protection throughout the network.
    • Log only: Security violations are allowed AND recorded in an action history file on the core server.
    • Silent: Security violations are blocked and are NOT recorded in an action history file on the core server.

About the File protection rules page

Use this page to view, manage, and prioritize file protection rules. File protection rules are a set of restrictions that prevent specified executable programs from performing certain actions on specified files. With file protection rules, you can allow or deny access, modification, creation, and execution of any file by any program.

  • Protection rules: Lists all of the predefined (default) file protection rules provided by Ivanti, as well as all of the file protection rules that you've created.
    • Rule name: Identifies the file protection rule.
    • Restrictions: Displays the specific actions by programs on files that are restricted by the file protection rule.
    • Programs: Displays the executable programs that are protected by the protection rule.
  • Move Up \ Down: Determines the priority of the file protection rule: a rule higher in the list takes precedence over a rule that is lower in the list. For example, you could create a rule that restricts a program from accessing and modifying a certain file or file type, but then create another rule that allows an exception to that restriction for one or more named programs. As long as the second rule is higher in the list of rules, it will take effect.
  • Reset: Restores the predefined (default) file protection rules that are provided by Ivanti.
  • Add: Opens the Configure file protection rule dialog box where you can add and remove programs and files and specify the restrictions.
  • Edit: Opens the Configure file protection rule dialog box where you can edit an existing file protection rule.
  • Delete: Removes the file protection rule from the core database.

NOTE: File protection rules are stored in the FILEWALL.XML file, located in: ProgramFiles\Landesk\ManagementSuite\ldlogon\AgentBehaviors\EPS_Behavior.ZIP

About the Configure file protection rule dialog box

Use this page to configure file protection rules.

  • Rule name: Identifies the file protection rule with a descriptive name.
  • Monitored programs
    • All programs: Specifies that all executable programs are restricted from performing the actions selected below on the files specified below.
    • Programs named: Specifies that only the executable programs in the list have the restrictions selected below applied to them.
    • Add: Enables you to choose which programs are restricted by the file protection rule. You can use filenames and wildcards.
    • Edit: Enables you to modify the program name.
    • Delete: Removes the program from the list.
  • Exceptions
    • Allow exceptions for certified programs: Allows any of the executable programs that currently belong to your list of certified files to bypass the restrictions associated with this file protection rule.
  • Protect files
    • Any file: Specifies that all files are protected from the programs specified above according to their restrictions.
    • Files named: Specifies that only the files in the list are protected.
    • Add: Enables you to choose which file or files are protected by the rule. You can use filenames or wildcards.
    • Edit: Enables you to modify the filename.
    • Delete: Removes the file from the list.
    • Apply to sub-directories too: Enforces the file protection rules to any subdirectories of a named directory.
  • Restricted actions on protected files
    • Read access: Prevents the programs specified above from accessing the protected files.
    • Modification: Prevents the programs specified above from making any changes to the protected files.
    • Creation: Prevents the programs specified above from creating the files.
    • Execution: Prevents the programs specified above from running the protected files.
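The following Python model is an added example, not Ivanti code, showing how the rule list configured in this dialog and ordered with Move Up \ Down would be evaluated: a broad rule restricting modification and creation of documents, plus a higher-priority exception for one named program. It assumes first-match evaluation from the top of the list, wildcards that do not cross a backslash, and that the certified-program exception skips only the rule it is set on; the rule names, paths and program names are constructed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

@dataclass
class Rule:
    """One file protection rule, with the fields of the Configure dialog."""
    name: str
    programs: list[str] | None          # None = "All programs", else "Programs named"
    files: list[str] | None             # None = "Any file", else "Files named"
    restricted: set[str] = field(default_factory=set)  # read / modify / create / execute
    subdirs: bool = False               # "Apply to sub-directories too"
    allow_certified: bool = False       # "Allow exceptions for certified programs"

def _seg(text: str) -> str:
    # Wildcard glob in which * and ? never cross a backslash (assumed semantics).
    return re.escape(text).replace(r"\*", r"[^\\]*").replace(r"\?", r"[^\\]")

def matches(pattern: str, path: str, subdirs: bool = False) -> bool:
    folder, sep, name = pattern.rpartition("\\")
    if sep:  # pattern names a directory; subdirs allows any depth below it
        rx = _seg(folder) + r"\\" + (r"(?:[^\\]+\\)*" if subdirs else "") + _seg(name)
    else:    # bare file name (wildcards allowed) matches in any directory
        rx = r"(?:.*\\)?" + _seg(name)
    return re.fullmatch(rx, path, re.IGNORECASE) is not None

def check(rules, program, path, action, certified=frozenset()):
    """Return (allowed, deciding rule name). Assumed evaluation order: top to
    bottom, the first rule matching both program and file decides the action."""
    for rule in rules:
        if rule.programs is not None and not any(matches(p, program) for p in rule.programs):
            continue
        if rule.files is not None and not any(matches(f, path, rule.subdirs) for f in rule.files):
            continue
        if rule.allow_certified and any(matches(c, program) for c in certified):
            continue  # a certified program bypasses this rule only
        return action not in rule.restricted, rule.name
    return True, None  # no rule applies: the action is not restricted

# Constructed sample policy: broad restriction plus a higher-priority exception.
DOCS = [r"C:\Users\*\Documents\*.docx"]
EXCEPTION = Rule("Word may edit documents", ["winword.exe"], DOCS, set(), subdirs=True)
PROTECT = Rule("Protect documents", None, DOCS, {"modify", "create"},
               subdirs=True, allow_certified=True)
RULES = [EXCEPTION, PROTECT]  # Move Up puts the exception above the restriction
if __name__ == "__main__":
    doc = r"C:\Users\bob\Documents\2024\plan.docx"
    for prog in (r"C:\Program Files\Office\winword.exe", r"C:\Users\bob\AppData\Temp\unknown.exe"):
        print(prog, check(RULES, prog, doc, "modify"))
```

Swapping the two rules in RULES makes the exception unreachable for document modification, which is exactly the precedence effect Move Up \ Down controls.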