Application control overview
Application control provides another layer of protection — on top of patch management, antivirus, anti-spyware, and firewall configuration — to prevent the intrusion of malicious activity on your managed devices. Application control continuously monitors specified processes, files, applications, and registry keys to prevent unauthorized behavior. You control which applications run on devices and how they are allowed to execute.
Because it is a rule-based system, instead of a definition-based (i.e., signature-based) system, application control is more effective at protecting systems against zero-day attacks (malicious exploitation of vulnerable code before exposures are discovered, defined, and patches made available).
Unlike vulnerability detection and remediation, spyware detection and removal, or antivirus scanning and quarantine, application control protection does not require ongoing file updates, such as patch files, definition/pattern files, or signature database files.
Application control protects servers and workstations by placing software agents between applications and the operating system’s kernel. Using predetermined rules based upon the typical behavior of malware attacks, these systems evaluate activities such as network connection requests, attempts to read or write to memory, or attempts to access specific applications. Behavior known to be good is allowed, behavior known to be bad is blocked, and suspicious behavior is flagged for further evaluation.
The Application control settings are accessed from the main console (Tools > Security and Compliance > Agent Settings). The Application control agent setting lets you create application control agent installation, update, and removal tasks; configure application control settings that can be deployed to targeted devices you want to protect; and customize application control display/interaction settings that determine how application control appears and operates on managed devices, and which interactive options are available to end users. You can also view endpoint security activity and status information for protected devices in the Security activity tool (Tools > Security and Compliance > Security activity).
Component of Endpoint Security
Application control is one of the components of the comprehensive Endpoint Security solution, along with the Location Awareness (network connection control), Ivanti Firewall, and Device Control tools.
Application control proactively protects your managed devices by:
- Providing kernel-level protection against applications that would attempt to modify binaries (or any files you specify) on your machine, or the memory of running processes. It also blocks changes to certain areas of the registry and can detect rootkit processes.
- Using memory protection against buffer-overflow and heap exploits.
- Executing protection schemes to keep an attacker from building and executing code in a data segment.
- Watching for unauthorized or unusual file access.
- Offering real-time protection for your computer without relying on signature databases.
Application control offers the following system-level security:
- Kernel-level, rule-based file-system protection
- Registry protection
- Startup control
- Detection of stealth rootkits
- Network filtering
- Process and file/application certification
- File protection rules that restrict actions that executable programs can perform on specified files
Application control provides administrators with the ability to define and manage separate profiles for different user groups with application control settings. Endpoint security settings accommodate the needs of any and all user groups by allowing administrators to create multiple, highly flexible configurations for different user profiles.
Application control settings can include custom password protection, WinTrust handling, protection mode, custom whitelists, network and application access control policies, file certifications, and file protection rules.
The Endpoint Security client (deployed to managed devices) gives administrators a powerful new tool for controlling what applications run on enterprise desktops and servers, and how those applications are allowed to execute.
Application control client software uses proven heuristic and behavior-recognition techniques to recognize typical patterns and actions of malicious code. For example, a file that attempts to write to the system registry could be blocked and flagged as potentially malicious. The application control component uses a variety of proprietary techniques to reliably detect malware even before a signature has been identified.
For up-to-date detailed information on which device platforms and antivirus products support application control (endpoint security), see the endpoint security FAQ on the Ivanti User Community:
IMPORTANT: Endpoint security is not supported on core servers or rollup cores
You should not install/deploy endpoint security to a core server or a rollup core. However, you can deploy endpoint security on an additional console.
Do NOT deploy application control to devices with any other antivirus product installed.
In order to use Endpoint Security and application control, you must first activate your core server with a license that allows their use.
For information about licensing, contact your reseller, or visit the Ivanti website:
Endpoint security, like Patch and Compliance, uses role-based administration to allow users access to features. Role-based administration is the access and security framework that lets Ivanti Administrators restrict user access to tools and devices. Each user is assigned specific roles and scope that determine which features they can use and which devices they can manage.
Administrators assign these roles to other users with the Users tool in the console. Endpoint security is included in the Agent Settings right, which appears under the Security rights group in the Roles dialog box. In order to see and use endpoint security features, a user must be assigned the necessary Agent Settings access rights.
With the Agent Settings right, you can provide users the ability to:
- See and access the endpoint security features in the console's Tools menu and Toolbox
- Configure managed devices for endpoint security protection
- Manage endpoint security settings (password protection, signed code handling, action, protection mode, file certifications, file protection rules, etc.)
- Deploy endpoint security install or update tasks, and change settings tasks
- View endpoint security activity for protected devices
- Define endpoint security data threshold settings for recording and displaying endpoint security activity
Endpoint security main tasks outline
The list below outlines the main tasks involved in configuring, implementing, and using endpoint security protection. See feature-specific help topics for detailed conceptual and procedural information.
- Configure managed devices for endpoint security protection (deploying the agent to target devices).
- Configure endpoint security options with endpoint security settings, such as signed code handling, protection mode, whitelists (applications allowed to execute on devices), file certifications, file protection rules, and end user interactive options.
- Discover file and application behavior on devices with the endpoint security learn mode.
- Enforce endpoint security protection on managed devices with the endpoint security automatic block mode.
- View endpoint security activity for protected devices.