Application Actions

The Application Actions folder contains all the operations that can be processed before a certain application can be run on a managed computer. Each action can be referenced by an Application Control policy and determines the environment in which the application will run or be restricted.

Note:
We recommend using the Application Control Wizard to create policies and to associate actions, filters, and target computers. See Application Control Wizard.

To access the Application Actions:

  • In the Symantec Management Console, on the Home menu, click Arellia > Application Control.
  • In the left pane, select Policies > Application Control > Application Control Tasks > Application Actions.
  • Once you are in Arellia > Application Control, select the Policies tab.
  • Select Application Control > Actions.

The default application actions are described in detail in the following table:

Action

Description

Active X Installer

The ActiveX installer action allows an application (for example, Internet Explorer) to automatically install ActiveX components at an elevated privilege level. ActiveX components are reported by the File Inventory "Com Component Inventory" policy, which reports on downloaded ActiveX components.

Application Metering

The Application Metering action meters the usage of applications. It reports the usage according to the Application Control agent "Send Events" configuration option. There are no configurable options for this action.

Deny File Access

 

Deny Read/ Write Access To Microsoft Office Documents Document Files

Deny read or write access to Microsoft Office documents by selecting the appropriate check box. Filter the application by:

  • File Path
  • File Extensions
  • Mime Types

Deny Write Access to Executable Files

Deny write access to common executable files. Filter the application by:

  • File Path
  • File Extensions
  • Mime Types

New Deny File Access Action

Deny a file read or write access by selecting the appropriate check box. Filter the application by:

  • File Path
  • File Extensions
  • Mime Types

    Encrypt Application Files

     

    Encrypt Common Application Documents

    Encrypt an application's documents. Filter the application by:

    • File Path
    • File Extensions
    • Mime Types

    Encrypt Microsoft Office Documents

    Encrypt Microsoft Office documents. Filter the application by:

    • File Path
    • File Extensions
    • Mime Types

    Environment Variables

    This action will set a specified environment variable with a specific value.

    Execute Application

    This action will execute a specific application with commands.

    Messages

     

    Advanced

    New to SP3

    Application Denied Message

    This action will deny an application from being run and display a dialog window that explains why this application is denied along with a link to the Company's policy page.

    Application Warning Message

    This action will allow an application to run after displaying a dialog window that warns the user that this application has not been approved yet.

    Justify Application Elevation Message

    This action will cause a dialog window to appear after a user requests to run a program as an administrator. The user will then need to justify why they need admin rights for that application. This justification will then appear in reports on the Notification Server.

    Justify Application Message

    This action will allow an application to run after displaying a dialog window that has the user justify why they need to run this application. This justification will then appear in reports on the Notification Server.

    Basic

     

    Deny Execute Message

    Configure this message to appear when a user attempts to run a certain application. You can configure:

    • Action name and description
    • Message Title
    • Body - Substitute the bracketed numbers for process, path, and process ID values if required.
    • Icon Type - Select Information, Warning, Error, Altiris, or Program.
    • Timeout - Enter the number of seconds you want the message displayed.

    Deny Files Read and Write Access Message

    Configure this message to appear when a user has read or write restrictions on a certain application. You can configure:

    • Action name and description
    • Message Title
    • Body - Substitute the bracketed numbers for process, path, and process ID values if required.
    • Icon Type - Select Information, Warning, Error, Altiris, or Program.
    • Timeout - Enter the number of seconds you want the message displayed.

    Limit Process Rights for New Applications Message

    Configure this message to appear to the user informing them that an application has had its rights reduced. This message is configured the same as Default Deny Execute Message, above.

    Quarantine Message

    Configure this message to appear when you have quarantined an application. This message is configured the same as Default Deny Execute Message, above.

    Remove Rights Message

    Configure this message to appear when you have restricted a user's rights on an application. This message is configured the same as Default Deny Execute Message, above.

    SVS Global Layer User Message

    Configure this message to appear when a user opens an application placed into the global virtualization layer. This message is configured the same as Default Deny Execute Message, above.

    SVS Isolation Layer User Message

    Configure this message to appear when a user opens an application placed into the isolation virtualization layer. This message is configured the same as Default Deny Execute Message, above.

    Windows Hooking Message

    Configure this message to appear when you prevent an application from starting, as the software may attempt to perform a restricted operation. You can configure:

    • Action name and description
    • Message Title
    • Body - Substitute the bracketed numbers for the process.
    • Icon Type - Select Information, Warning, Error, Altiris, or Program.
    • Timeout - Enter the number of seconds you want the message displayed.
     

    New Display User Message Action

    Configure a new message to appear when a certain action is performed. This message is configured the same as Default Deny Execute Message, above.

    To create a new Display User Message:

    • Right-click on Messages and select New > Display User Message
    • Select the new action and configure it in the right panel and select Save.

    My Actions

    This action folder can be used to store actions that are created by you.

    Process Rights

     

    Add Administrative Rights

    This action elevates the permissions and privileges held by a process security token. By default, each process a user launches inherits the user's security token. You can configure:

    • Action name and description.
    • Action Type - Elevate or restrict rights. Elevate is enabled by default.
    • Windows Privileges - Select Windows Privileges for this action.
    • Built-in Accounts - Select Built-in Accounts for this action. You can also select User or Domain Groups.
    • Use user's unrestricted token - Use Windows Vista and Windows 7 user's unrestricted token when elevating rights.
    • Disallow changes to the process rights after applying changes - Prevent any changes to Windows Vista and Windows 7 user's process rights after the action has been applied.

    Remove Administrative Rights

    This action is the same as Default Add Administrative Rights except Restrict is enabled by default.

    Process Security

    New to SP3

    Locked down Service Process Security Descriptor

    This action is used to lock a process down according to a Security Descriptor when the process is started.

    Quarantine

     

    File Quarantine

    Create a quarantine path for applications. You can:

    • Enter an action name and description.
    • Choose to use the Application Control Agent Policy quarantine path.
    • Enter your own quarantine path.

    New File Quarantine

    Create a new quarantine path for applications. You can:

    • Enter an action name and description.
    • Choose to use the Application Control Agent Policy quarantine path.
    • Enter your own quarantine path.

    To create a new quarantine path for applications:

    • Right-click File Quarantine and select Clone.
    • Give the new action a name.
    • Select the new action and configure it in the right panel and select Save.

    Workspace Visualization Layers

     

    Application Control SVS Global Layer

    Create an SVS layer that certain applications must run under. You can:

    • Enter an action name and description.
    • Enter a Layer Name.
    • Select a Layer Type - Isolation or Application.

    Application Control SVS Isolation Layer

    Create an SVS layer that certain applications must run under. You can:

    • Enter an action name and description.
    • Enter a Layer Name.
    • Select a Layer Type - Isolation or Application.

    New Apply SVS Layer Action

    Create a new SVS layer that certain applications must run under. You can:

    • Enter an action name and description.
    • Enter a Layer Name.
    • Select a Layer Type - Isolation or Application.

    To create a new SVS layer that certain applications must run under:

    • Right-click on SVS Layers and select New > Apply SVS Layer.
    • Select the new action and configure it in the right panel and select Save.

    Deny Execute

    Prevent a managed computer from executing an application. Enter an action name and description in the appropriate fields.

    Deny Windows Hooking

    Prevent applications from hooking into Windows functions. Enter an action name and description in the appropriate fields.