Using file reputation to restrict applications

The file reputation feature in security and compliance helps ensure that the files on a device's file system aren't malware and that no one has tampered with them. While application control behavior protection can help secure managed devices, false positives can still trigger on legitimate applications, depending on what those applications are trying to do. If you use file reputation, you have the option of creating a separate application control behavior profile for files with a known "good" reputation that bypasses the normal behavior-based application control.

File reputation isn't enabled by default. If you enable file reputation, anonymous file reputation information from files on managed devices will be securely sent to the Ivanti file reputation cloud server, which improves file reputation accuracy and coverage for all users of this feature.

If you enable file reputation, each time the device executes an application, the agent first checks a local database to see if the application files match known good hashes. If there isn't a match, the agent sends a request with data about the files to the core server. The core server checks its database to see if information about that file's reputation already exists. If it doesn't exist, the core sends a request to the Ivanti cloud reputation server. If the file hashes match results in the cloud, the cloud server returns reputation information about the files to the core and client.

The file reputation system uses a Ivanti cloud-hosted database of file information, including names, sizes, metadata, and SHA1 hashes. Much of the file reputation database is from the National Software Reference Library (NSRL). You can visit their web site for more information: http://www.nsrl.nist.gov/new.html.

A file can have one of these three reputations:

Good: The file matches an entry in the NSRL database or Ivanti has gathered enough information to believe that the file is safe.

Bad: The file doesn't match any NSRL database entries or Ivanti has gathered enough information to believe that the file isn't safe.

Undecided: There aren't any matches on this file or there aren't enough matches to help decide whether the file is good or bad.

Among other factors, the file reputation algorithm considers how often matching files occur, how old the matches are, who signed the files, and how often those occurrences are allowed or blocked in Endpoint Manager.

To use file reputation monitoring on managed devices, you need to complete the following steps:

1.Download the file reputation Ivanti updates

2.Create an application control agent setting that uses file reputation

-Or-

Include the reputation definitions as part of the application file list

3.Deploy the setting to managed devices

ClosedTo download file reputation Ivanti updates

1.Click Tools > Security and compliance > Patch and compliance.

2.Click the Download updates toolbar button.

3.In the Definition types list, click Ivanti File Reputation Updates.

4.In the confirmation dialog box, read the terms of use for file reputation. If you agree to the terms, click I agree. Clicking I disagree will clear the Ivanti File Reputation Updates check box.

5.Click the Download now or Apply button.

ClosedTo use file reputation with Application Control

1.Click Tools > Security and compliance > Agent settings.

2.In the tree under Agent settings > My agent settings > Security > Endpoint Security, right-click Application control and click New, or double-click an existing setting.

3.On the General settings page, select Treat "good reputation" files as if they are in the associated trusted files list.

4.Click the "Good reputation" application behavior button.

5.Configure the Application control and Ivanti firewall behaviors that you want for files with a good reputation.

6.Click OK and then click Save.

ClosedTo use file reputation with an Application File List

1.Click Tools > Security and compliance > Agent settings.

2.In the tree under Agent settings > My agent settings > Security > Endpoint Security, right-click Application file lists and click New, or double-click an existing list.

3.Enable the options at the top of the dialog box to Automatically include "good reputation" files when sending list to clients or Automatically include "bad reputation" files when sending list to clients.

4.If you include good reputation files, click the Allowed application behavior button to configure the Application control and Ivanti firewall behaviors that you want for files with a good reputation.

5.Click OK.

ClosedTo add files to an application file list

1.Click Tools > Security and compliance > Agent settings.

2.Click the Configure settings toolbar button, and click File reputations.

3.Double-click the application file list you want to modify or create a new one.

4.On the Application file list toolbar, click and click Add file by browsing or Add block file by inputting name.

5.Depending on the option you chose, browse for the file you want and click Save, or enter the file details manually and click OK.

ClosedTo deploy file reputation agent settings to managed devices

1.In the Agent settings window, click the Create a task toolbar button and click Change settings.

2.Depending on your preference, select a scheduled task or policy for the settings change task type.

3.Next to Endpoint security in the settings list, select the endpoint security setting that uses the application control setting you configured.

4.Click OK and finish configuring the task in the Scheduled tasks window.

ClosedTo override existing file reputations

1.Click Tools > Security and compliance > Agent settings.

2.Click the Configure settings toolbar button, and click File reputations. To sort the list of files, use the checkboxes at the top of the page and click Apply filter.

3.Select the files whose reputations you want to change and click the Override reputation button.

4.Make sure that Override Ivanti reputation setting is checked, and select the Desired reputation.

5.Click OK.

ClosedTo import from other application file lists

1.Click Tools > Security and compliance > Agent settings.

2.In the tree under Agent settings > My agent settings > Security > Endpoint Security, right-click Application file lists and click New, or double-click an existing list.

3.On the Application file list toolbar, click and click Import from other application file lists.

4.Apply filters if necessary and select the files you want to import. Click Next.

5.Configure the application behaviors you want for the files you selected and click OK.

6.Click OK again to save your changes to the application file list.

ClosedTo import file lists from a .csv file

1.Click Tools > Security and compliance > Agent settings.

2.In the tree under Agent settings > My agent settings > Security > Endpoint Security, right-click Application file lists and click New, or double-click an existing list.

3.On the Application file list toolbar, click and click Import from .csv file.

4.Browse for the .csv file containing the application file list information and click Open.

5.Configure the imported files if necessary and click OK.

The .csv file format is as follows:

"File name", "File size", "Version", "Manufacturer name", "Product name", "MD5 hash base64 string", "SHA1 string", "SHA256 string", "Permissions"

Here's an example CSV entry:

"abc.exe","4032","1.1.0.0","Company-1.","Product1","CWhlIHF1aWNrIGJyb3duIA==","a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08","AuthorizedInstaller AllowExecution BypassBufferOverflow"

The allowed permission strings are the following:

  • AuthorizedInstaller: allow file to install
  • AllowExecution: allow file to execute
  • BypassBufferOverflow: bypass buffer overflow protection
  • ModifyProtRegKeys: modify protected registry keys
  • ProtAppInMem: protect application in memory
  • ModifyExeFiles: modify executable files
  • ModifyProtFiles: modify protected files
  • BypassAllProtection: bypass all protection
  • AddToSysStartup: add to system's startup
  • InheritToChildProc: rights are inheritable to child processes
  • AllowSmtpOut: allow file send email
  • AllowNetConnect: allow application to connect outside the trusted scope (internet)
  • AllowNetListen: allow application to receive connection inside the trusted scope (internet)
  • AllowTrustedNetConnect: allow application to connect inside the trusted scope
  • AllowTrustedNetListen: allow application to receive connection inside the trusted scope
ClosedTo import file lists from trusted devices

1.Click Tools > Security and compliance > Agent settings.

2.In the tree under Agent settings > My agent settings > Security > Endpoint Security, right-click Application file lists and click New, or double-click an existing list.

3.On the Application file list toolbar, click and click Import from trusted devices.

4.Select the devices you want and click Import files from specified devices.

5.If you want to do an exhaustive scan for .exe files from those devices, click Yes.

6.Configure the imported files if necessary and click OK.

ClosedTo merge application file lists

1.Click Tools > Security and compliance > Agent settings.

2.In the tree under Agent settings > My agent settings > Security > Endpoint Security, right-click Application file lists and click Merge application files.

3.Select the application file list that you want to be the Source list.

4.Select whether you want to merge differences or replace application files.

5.Select the target lists for the merge operation.

6.Click OK.