Sample Scenarios
This section describes some useful tasks you can create with Application Control
Solution.
Task Prerequisites
Ensure the following Application Control policies are enabled:
- Application Control Agent Configuration Policy - Set Send Application Action Events and Refresh Client Item Cache intervals to one and five minutes respectively. See Application Control Agent Configuration (page 32).
Caution
This configuration is not recommended outside a testing environment as it degrades system performance. It is only configured so the following sample scenario results can be viewed immediately.
- The Default File Inventory Policy with its default configuration. See File
Inventory Agent Configuration (page 41).
Scenarios
- Whitelisting Software Packages (page 48)
- Whitelisting Reference Systems (page 49)
- Restrict an Application's Process Rights (page 50)
- Automate Document Encryption (page 50)
- Prevent Malicious Applications from Running (page 51)
- Prevent Read/Write to File Types or Network Locations (page 52)
- Run an Application in an SVS Layer (page 53)
- Quarantine Files (page 53)
Whitelisting Reference Systems
In this scenario you will create a reference system whitelist policy that targets a collection of computers, searches for Windows executables, then adds any Windows executables not currently in a security catalog to a whitelist. You will also add applications already included in a security catalog to the whitelist.
To create a reference system whitelist policy
1. In the Altiris Console, click the Tasks tab.
2. In the left pane, right-click Tasks > Security Management > Application Control > Windows > Application Control Tasks > Application Control Policies.
3. Select New > Reference System Whitelist.
4. In the right pane, configure the fields as follows:
? Check Enable.
? Computers - Leave the default setting, All Windows Computers with
Application Control Agent Installed.
? Reference System Options, Computers - In the dialog, select the computer collection you wish to target with the policy.
? File Specification(s) - In the dialog, select Executables in Windows
Directories.
? Reporting Filter - In the dialog, select Executables in Windows Directories not present in Security Catalogs.
? Applications to Control, Application - In the dialog, select Present in Signed
Security Catalog.
5. Click Apply.
Altiris Application Control Solution Help 49
Restrict an Application's Process Rights
This scenario describes the process involved in restricting an application's process rights. This sample scenario guides you through the necessary steps, using the default Limit Internet Explorer and Outlook process rights policy.
Scenario Description
In this scenario, the end user has:
? Internet Explorer installed
? A user account with administrative rights
? Network Messenger Service enabled and running
With this configuration, Internet Explorer has inherited administrative rights from the user and is therefore able to stop Windows Services.
Scenario Resolution
To prevent Internet Explorer from stopping Windows services, perform the following steps:
1. In the Altiris Console, select the Tasks tab.
2. In the left pane, select Tasks > Security Management > Application Control > Windows > Application Control Tasks > Application Control Policies > Limit Internet Explorer and Outlook process rights.
3. In the right pane, select Enable.
4. Open Internet Explorer, select File > Open and browse to cmd.exe in the SYSTEM
directory.
5. Attempt to stop the MSN Messenger service using the command line: NET STOP Messenger.
An Application Control message appears on the taskbar stating "IEXPLORER.EXE has had its rights reduced" and you are unable to stop the service.
Automate Document Encryption
This section describes the process involved in automatic document encryption. For this scenario you will create a policy to enforce document encryption for all Microsoft Excel Spreadsheets.
Scenario Description
In this scenario, the end user has:
? Two user accounts
? Microsoft Excel
Scenario Resolution
To automatically encrypt Microsoft Excel spreadsheets, perform the following steps:
1. In the Altiris Console, select the Tasks tab.
Altiris Application Control Solution Help 50
2. In the left pane, select Tasks > Security Management > Application Control >
Windows > Application Control Tasks > Manage Applications.
3. In the right pane, click ? and select Automate Document Encryption Policy.
4. In Step 1 of the Application Control Wizard, click Next.
5. In Step 2, click the Include: link and in the Items Selector dialog, select MS Excel. Click Next.
6. In Step 3, Policy Details, configure as follows:
a. Select Enable.
b. In the Name field, enter Encrypt Microsoft Excel Spreadsheets.
c. In the Description field, enter "This policy will automate the encryption of all spreadsheets created or modified by Microsoft Excel."
d. Click Finish.
7. Open Microsoft Excel, create a new spreadsheet, save it, and close the application.
8. Open Windows Explorer and browse to the new file. The filename will appear green.
Checking the Advanced Attributes on the file properties shows that the file is encrypted.
9. To verify that the encryption is working, log on using a different user account and attempt to open the file.
Prevent Malicious Applications from Running
This scenario shows you how to prevent the end user from running cmd.exe.
Scenario Description
In this scenario:
? The end user has run C:\windows\system32\cmd.exe at least once since the
Application Control Agent was installed.
? File Inventory Agent has returned file inventory to the Notification Server.
Scenario Resolution
To automatically encrypt Microsoft Excel spreadsheets, perform the following steps:
1. In the Altiris Console, select the Tasks tab.
2. In the left pane, select Tasks > Security Management > Application Control >
Windows > Application Control Tasks > Manage Applications.
3. In the right pane, enter "cmd" in the Win32 Executable field and click Refresh.
4. Select all rows of the grid and click the Blacklist button.
5. Run Collection Delta Update Schedule. For instructions, see Notification Server Help.
6. Enable the Deny Blacklist execution policy. See Manage Applications (page 28).
7. On a managed computer, start cmd.exe. The cmd.exe will not start and you receive a system tray message.
Altiris Application Control Solution Help 51
Prevent Read/Write to File Types or Network
Locations
Scenario Description
In this scenario, the end user has the following installed:
? Microsoft Word
? Microsoft Excel
Scenario Resolution
1. On the managed computer, create a Microsoft Word document and save it to c:\company invoices\invoice 101.doc.
2. In the Altiris Console, select the Tasks tab.
3. In the left pane, select Tasks > Security Management > Application Control >
Windows > Application Control Tasks > Application Control Policies.
4. In the left pane, right-click Application Control Policies and select New >
Application Control Policy.
5. Configure the policy as follows:
? Name - "Write-protect Word documents in the Company Invoices directory"
? Description - Prevent Microsoft Word from having write access to, or creating new Word documents in the company invoices directory
? Applies To: - All Computers with Application Control Agent Installed
? Send Application Action Event - Enabled
? Continue enforcing lower priority policies after enforcing this policy - Enabled
6. Click the Include Filters link, select MS Word in the Items Selector dialog, and click Apply.
7. Under Application Actions, click the Actions link.
8. In the Items Selector dialog, click ? , and select Deny File Access Application
Action.
9. In the Deny File Access dialog, enter the following in the appropriate fields:
? Name - Prevent write access of Word documents to Company Invoice directory
? Path - C:\company invoices
? Mime type - Word document
10. Click Apply and close the dialog.
11. In the Items Selector dialog, click ?, select the new Deny File Access
Application Action, and click Apply.
12. Enable the policy and click Apply.
13. In Microsoft Word, open C:\company invoices\invoice 101.doc. The file is read only and can't be modified.
Altiris Application Control Solution Help 52
Other Scenario Tests
1. Create a new document and attempt to save it to c:\company invoices\. You will be unable to open it and will receive a File Permission error.
2. Verify that a Word document can be created or modified in a different directory.
3. In Microsoft Excel, save a spreadsheet to the same location as Step 1. The permissions are limited to Microsoft Word.
Run an Application in an SVS Layer
This scenario shows you how to capture application data in a Software Virtualization
Solution layer.
Scenario Description
In this scenario, the end user has the following installed:
? Microsoft Word
Scenario Resolution
1. On the managed computer, create the Microsoft Word document
C:\document\important document.doc.
2. In the Altiris Console, select the Tasks tab.
3. In the left pane, select Tasks > Security Management > Application Control >
Windows > Application Control Tasks > Manage Applications.
4. In the right pane, click ? and select Run an application in an SVS layer.
5. In Step 1 of the Application Control Wizard, click Next.
6. In Step 2, select MS Word as the Include Filter.
7. In Step 3, configure the policy details as follows, and click Finish:
? Select Enable.
? Name - Run Microsoft Word in an SVS layer.
? Description - Capture Microsoft Word data in an SVS layer.
8. In Microsoft Word, create a document and save it to C:\document\suspect document.doc.
9. Close Microsoft Word.
10. Verify the document is not visible in Windows Explorer; it has been isolated by the layer.
11. Disable the policy and attempt to open the document. The document will no longer exist as the layer is no longer active for Microsoft Word.
Quarantine Files
This scenario shows you how to quarantine a known malicious application.
Altiris Application Control Solution Help 53
Scenario Description
Copy and rename cmd.exe: "C:\Virus\malicious application.exe".
Scenario Resolution
1. On the managed computer, create the Microsoft Word document
C:\document\important document.doc.
2. In the Altiris Console, select the Tasks tab.
3. In the left pane, select Tasks > Security Management > Application Control >
Windows > Application Control Tasks > Manage Applications.
4. In the right pane, click ? and select Quarantine an application policy.
5. In Step 1 of the Application Control Wizard, click Next.
6. In Step 2, click the Include link.
7. In the Items Selector dialog, click ? , and select Dynamically Evaluated Filters
> Win32 Executable File Filter.
8. In the Win32 Executable File Filter dialog, enter the following in the appropriate fields:
? Name - Quarantine Malicious Applications
? File Name - Malicious application.exe
9. Click Apply and close the dialog.
10. In the Items Selector dialog, click ?, select the newWin32 Executable File
Filter, and click Apply.
11. In Step 3, Enable the policy, configure the policy as follows, and click Apply:
? Name - Quarantine Malicious Applications.
? Description - This is a sample policy for demonstrating the quarantine capabilities of Application Control Solution.
12. Run malicious application.exe on the managed computer.
13. A message appears and the file is moved to C:\quarantined files.