Application Actions
The Application Actions folder contains all the operations that can be processed before a certain application can be run on a managed computer. Each action can be referenced by an Application Control policy and determines the environment in which the application will run or be restricted.
Note
We recommend using the Application Control Wizard to create policies and to associate actions, filters, and target computers. See Application Control Wizard
To access the application actions folder
- In the Altiris Console, click the Tasks tab.
- In the left pane, select Tasks > Security Management > Application Control >
Windows > Application Control Tasks > Application Actions.
The default application actions are described in detail in the following table:
Action |
Description |
---|---|
Active X Installer |
The ActiveX installer action allows an application (Example: Internet Explorer) to automatically install ActiveX components at an elevated privilege level. |
Application Metering |
The Application Metering action meters the usage of applications. It reports the usage according to application control agent "Send Events" configuration option. |
Default Deny Files Read and Write Access |
Deny read or write access to a certain application by selecting the appropriate check box. Filter the application by:
|
Deny Read/ Write Access To Microsoft Office Documents |
Deny read or write access to Microsoft* Office documents by selecting the appropriate check box. Filter the application by:
|
Deny Write Access to Executable Files |
Deny write access to common executable files. Filter the application by:
|
New Deny File Access Action |
Deny a file read or write access by selecting the appropriate check box. Filter the application by:
|
Encrypt Common Application Documents |
Encrypt an application's documents. Filter the application by:
|
Encrypt Common Microsoft Office Documents |
Encrypt common Microsoft Office documents. Filter the application by:
|
Deny Execute Message |
Configure this message to appear when a user attempts to run a certain application. You can configure:
|
Deny Files Read and Write Access Message |
Configure this message to appear when a user has read or write restrictions on a certain application. You can configure:
|
Action Description
Encrypt Doc
Message
Limit Process Rights for New Applications Message
New Display user Message Action
Quarantine
Message
Remove Rights
Message
SVS Global Layer User Message
SVS Isolation Layer User Message
Windows Hooking Message
Configure this message to appear when a document is encrypted. This message is configured the same as Default Deny Execute Message, above.
Configure this message to appear to the user informing them that an application has had its rights reduced. This message is configured the same as Default Deny Execute Message, above.
Configure a new message to appear when a certain action is performed. This message is configured the same as Default Deny Execute Message, above.
Configure this message to appear when you have quarantined an application. This message is configured the same as Default Deny Execute Message, above.
Configure this message to appear when you have restricted a user's rights on an application. This message is configured the same as Default Deny Execute Message, above.
Configure this message to appear when a user opens an application placed into the global virtualization layer. This message is configured the same as Default Deny Execute Message, above.
Configure this message to appear when a user opens an application placed into the isolation virtualization layer. This message is configured the same as Default Deny Execute Message, above.
Configure this message to appear when you prevent an application from starting, as the software may attempt to perform a restricted operation. You can configure:
? Action name and description
? Message Title
? Body - Substitute the bracketed numbers for the process.
? Icon Type - Select Information, Warning, Error, Altiris, or
Program.
? Timeout - Enter the number of seconds you want the message displayed.
Altiris Application Control Solution Help 18
Action Description
Add Administrative Rights
Remove Administrative Rights
This action elevates the permissions and privileges held by a process security token. By default, each process a user launches inherits the user's security token. You can configure:
? Action name and description.
? Action Type - Elevate or restrict rights. Elevate is enabled by default.
? Windows Privileges - Select Windows Privileges for this action.
? Built-in Accounts - Select Built-in Accounts for this action.
You can also select User or Domain Groups.
? Use user's unrestricted token - Use Windows Vista user's unrestricted token when elevating rights.
? Disallow changes to the process rights after applying changes - Prevent any changes to Windows Vista user's process rights after the action has been applied.
This action is the same as Default Add Administrative Rights
except Restrict is enabled by default.
File Quarantine Create a quarantine path for applications. You can:
? Enter an action name and description.
? Choose to use the Application Control Agent Policy quarantine path.
New File
Quarantine
Application Control SVS Global Layer
Application Control SVS Isolation Layer
? Enter your own quarantine path.
Create a new quarantine path for applications. You can:
? Enter an action name and description.
? Choose to use the Application Control Agent Policy quarantine path.
? Enter your own quarantine path.
Create an SVS layer that certain applications must run under. You can:
? Enter an action name and description.
? Enter a Layer Name.
? Select a Layer Type - Isolation or Application.
Create an SVS layer that certain applications must run under. You can:
? Enter an action name and description.
? Enter a Layer Name.
? Select a Layer Type - Isolation or Application.
Altiris Application Control Solution Help 19
Action Description
New Apply SVS Layer Action
Create a new SVS layer that certain applications must run under. You can:
? Enter an action name and description.
? Enter a Layer Name.
? Select a Layer Type - Isolation or Application.
Deny Execute Prevent a managed computer from executing an application.
Enter an action name and description in the appropriate fields.
Deny Windows
Hooking
Prevent applications from hooking into Windows functions. Enter an action name and description in the appropriate fields.