Agent settings: Application Control
Tools > Security and Compliance > Agent settings > Security > Endpoint security > Application control
Use this dialog box to create and edit an endpoint security (EPS) application control setting (configuration file). When creating EPS settings, you first define the general requirements and actions, and then add specific file certifications. You can create as many EPS settings as you like and edit them at any time.
If you want to modify the device default EPS settings without reinstalling the EPS agent or re-deploying a full agent configuration, make your changes to any of the options on the EPS settings dialog box, assign the new settings to a Change settings task, and then deploy that task to targeted devices.
This dialog box contains the following pages:
- About the Application protection page
- About the Application protection: File protection rules page
- About the Application protection: Advanced and Whitelisting: Advanced pages
About the General settings page
Use this page to name your Application Control setting. Select Set as default if that is what you want it to be.
Use this page to configure the general protection settings and actions for EPS.
- Enable application behavior protection: Turns on EPS protection, allowing all programs to run (except when the program operation threatens system security) as defined by predefined protection rules. You can grant special rights to program files via trusted file lists by configuring custom file certifications. EPS protection observes application behavior (whether the application is allowed to modify another executable, modify the registry, and so on) and enforces security rules.
- Prevent master boot record (MBR) encryption: Block access to the master boot record (MBR), helping protect clients from ransomware that encrypts the MBR.
- Auto-detect and blacklist crypto-ransomware: The EPS agent will watch for encryption process and if detected, EPS will kill the process, try to remove it from startup, and add it to the blacklist. EPS will detect encryption processes as soon as possible, but it is likely that some files will be encrypted before the process can be killed. We recommend you use file protection rules to protect files from being encrypted by ransomware.
Use this page to view, manage, and prioritize file protection rules. File protection rules are a set of restrictions that prevent specified executable programs from performing certain actions on specified files. With file protection rules, you can allow or deny access, modification, creation, and execution by any program or any file.
By default, these rules are enabled:
- Protect Word, PowerPoint and Excel files from being encrypted by a ransomware: When enabled, Endpoint Security will only allow Word, PowerPoint and Excel processes to modify Word, PowerPoint and Excel files (users will still be able to copy/paste those files). If a ransomware runs on the endpoint, it won't be able to encrypt these file types. In case of a ransomware attack, an administrator will be able to remote control the infected device and copy the untouched documents somewhere safe, ensuring a quicker recovery, because the end user will get the latest version of their files without the need to recover those files from an old backup copy.
- Prevent script execution from Word, PowerPoint, or Excel: A common method to infect an endpoint is to convince the end user to run a macro inside a Word or Excel document. In most cases the macro will run a PowerShell or other script that downloads malware to the device. Once this feature is enabled, Endpoint Security will prevent macros from launching PowerShell, Visual Basic, and other scripts. As a result, if an end user runs a macro that launches a script, the script won't run, blocking the malware from running. The macro itself will continue to work.
These additional options are available on this page:
- Protection rules: Lists all of the predefined (default) file protection rules provided by Ivanti, as well as all of the file protection rules that you've created.
- Rule name: Identifies the file protection rule.
- Restrictions: Displays the specific actions by programs on files that are restricted by the file protection rule.
- Programs: Displays the executable programs that are protected by the protection rule.
- Move Up \ Down: Determines the priority of the file protection rule—a rule higher in the list takes precedence over a rule that is lower in the list. For example, you could create a rule that restricts a program from accessing and modifying a certain file or file type, but then create another rule that allows an exception to that restriction for one or more named programs. As long as the second rule is higher in the list of rules, it will take affect.
- Reset: Restores the predefined (default) file protection rules that are provided by Ivanti.
- Add: Opens the Configure file protection rule dialog box where you can add and remove programs and files and specify the restrictions.
- Edit: Opens the Configure file protection rule dialog box where you can edit an existing file protection rule.
- Delete: Removes the file protection rule from the core database.
NOTE: File protection rules are stored in the FILEWALL.XML file, located in: ProgramFiles\Landesk\ManagementSuite\ldlogon\AgentBehaviors\EPS_Behavior.ZIP
Use this page to configure the operating mode of EPS protection.
- Application behavior mode: Specifies protection behavior when EPS protection is enabled. Choose from one of the following operating methods:
- Blocking: Security violations are blocked AND recorded in an action history file on the core server.
- Learning: All application security violations are allowed, but application behavior is observed (or learned) and that information is sent back to the core database in a Trusted File List. Use this mode to discover application behavior on a specific device or set of devices, and then use that information to customize your EPS policies before deploying them and enforcing EPS protection throughout the network.
- Log only: Security violations are allowed AND recorded in an action history file on the core server.
- Silent: Security violations are blocked and are NOT recorded in an action history file on the core server.
About the Whitelisting page
- Enable whitelist protection: Turns on whitelist protection. This means only those applications that are in a trusted file list, and whose file certification has the Allow execution option enabled, are allowed to run.
- Prevent Windows Explorer from modifying or deleting executable files: Enable this option if you don't want Windows to be able to modify or delete any executable files.
- Treat "good reputation" files as if they are in the associated trusted file list: Whitelists files that are in the Ivanti-hosted database of known good files.
For more information, see Using file reputation to restrict applications.
- Treat "bad reputation" files as if they are in the blacklist: Blacklists files that are in the Ivanti-hosted database of known bad files.
Use this page to configure file protection rules.
- Rule name: Identifies the file protection rule with a descriptive name.
- Monitored programs
- All programs: Specifies that all executable programs are restricted from performing the actions selected below on the files specified below.
- Programs named: Specifies that only the executable programs in the list have the restrictions selected below applied to them.
- Apply if process is in the execution chain: Programs can launch other programs. If the monitored program is in the execution chain, apply the rule, even if the monitored program isn't the program accessing protected files.
- Allow trusted files to bypass rule: Allows any of the executable programs that currently belong to your list of certified files to bypass the restrictions associated with this file protection rule.
- Add: Enables you to choose which programs are restricted by the file protection rule. You can use filenames and wildcards.
- Edit: Enables you to modify the program name.
- Delete: Removes the program from the list.
- Protected files
- Any file: Specifies that all files are protected from the programs specified above according to their restrictions.
- Files named: Specifies that only the files in the list are protected.
- Add: Enables you to choose which file or files are protected by the rule. You can use filenames or wildcards.
- Edit: Enables you to modify the filename.
- Delete: Removes the file from the list.
- Apply to sub-directories too: Enforces the file protection rules to any subdirectories of a named directory.
- Apply only to files downloaded from the internet: Only files downloaded from the internet are protected from monitored programs.
- Restricted actions on protected files
- Read access: Prevents the programs specified above from accessing the protected files.
- Modification: Prevents the programs specified above from making any changes to the protected files.
- Creation: Prevents the programs specified above from creating the files.
- Execution: Prevents the programs specified above from running the protected files.