
Background

Arellia Application Control Solution is designed to control any application on a machine. When Arellia is configured correctly, targeted applications can be elevated, whitelisted, and/or blacklisted. When a new policy is created without carefully considering what it does, or is not tested on a limited number of machines before it is rolled out to the entire environment, a customer can roll out a policy that blocks core system processes from running.

When Arellia is installed, one of the policies enabled by default is "Deny Manual Security Rated Blacklist Execution". This is a blacklist policy that uses the "All Blacklist Security Rated Applications" filter. That filter is empty by default, so the built-in deny policy targets 0 applications and can be left enabled with no effect on the environment. This is different from application control policies that are created manually: a new policy starts with its application target undefined, which means it targets all applications until application filters are used to narrow its scope.

As a safety precaution, any newly created application control policy is disabled until it is enabled manually. A policy should not be enabled until after it has been configured and tested.

Problem

A manually created blacklist (deny execute) policy that has no application target applies to all programs and services and prevents them from running on an end user's machine. If such a policy is created and enabled without limiting its application target scope, the bad blacklist policy is rolled out and begins denying execution of every application, including userinit.exe, which prevents users from logging in after a reboot. Affected computers appear frozen because no new process can be created.

Solution

  1. First log in to the Arellia Management Console on the server and disable the bad blacklist policy.
  2. Restart the computer that has been affected by the blacklist policy in Safe Mode.
  3. Open Administrative Tools in the Control Panel and then Services.
  4. Find Arellia Application Control, right-click it and select Properties.
  5. Change the Startup Type to Disabled, click OK and restart the computer.
  6. After the restart, right-click the Symantec Management Agent icon in the taskbar, select Symantec Management Agent Settings and then click Update to update the policy. The agent now picks up the console change from step 1, so the bad policy is no longer applied to this machine.
  7. You should now be able to open all the programs and services that were previously blacklisted.
  8. Open Services again from the Control Panel and change the Arellia Application Control Startup Type back to Automatic.
  9. Restart the computer; everything should work as normal.
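As an added example (not code from the original article, nor from Arellia or Symantec), here is the service-handling part of steps 2 to 9 as a Windows PowerShell helper, with a read-back check so the startup-type change is verified rather than assumed. The page does not give the internal service name, so resolving the service by its display name "Arellia Application Control" is an assumption; the policy update in step 6 remains a manual step through the agent's tray icon.

```powershell
# Added example, not from the original article or from Arellia/Symantec:
# a PowerShell helper for the service part of the recovery procedure above.
# Assumption: the service is resolved by its display name because the
# article does not state the internal service name. Run from an elevated
# Windows PowerShell prompt (works in Safe Mode).

$ArelliaDisplayName = 'Arellia Application Control'

function Get-ArelliaControlService {
    # Resolve the service once; fail clearly if it is missing or ambiguous.
    $svc = @(Get-Service -DisplayName "$ArelliaDisplayName*" -ErrorAction SilentlyContinue)
    if ($svc.Count -eq 0) {
        throw "No service whose display name starts with '$ArelliaDisplayName' was found."
    }
    if ($svc.Count -gt 1) {
        $names = ($svc | ForEach-Object { $_.Name }) -join ', '
        throw "Ambiguous service match: $names"
    }
    return $svc[0]
}

function Get-ArelliaStartMode {
    # Win32_Service.StartMode reports Auto / Manual / Disabled and is available
    # on Windows PowerShell 2.0 upwards, unlike ServiceController.StartType.
    $name = (Get-ArelliaControlService).Name
    return (Get-WmiObject -Class Win32_Service -Filter "Name='$name'").StartMode
}

function Set-ArelliaStartMode {
    param(
        [Parameter(Mandatory=$true)]
        [ValidateSet('Disabled', 'Automatic')]
        [string]$StartupType
    )
    $svc    = Get-ArelliaControlService
    $before = Get-ArelliaStartMode
    Set-Service -Name $svc.Name -StartupType $StartupType
    # Read the value back instead of trusting that the call took effect.
    $after    = Get-ArelliaStartMode
    $expected = if ($StartupType -eq 'Automatic') { 'Auto' } else { 'Disabled' }
    if ($after -ne $expected) {
        throw "Failed to set '$($svc.DisplayName)' start mode: wanted $expected, got $after."
    }
    Write-Host "$($svc.DisplayName) ($($svc.Name)): start mode $before -> $after"
}

function Test-ProcessLaunch {
    # Step 7 check: a fully blacklisted machine cannot create any new process,
    # so a trivial child that returns exit code 0 proves execution is allowed again.
    try {
        $p = Start-Process -FilePath "$env:SystemRoot\System32\cmd.exe" -ArgumentList '/c exit 0' `
                           -WindowStyle Hidden -Wait -PassThru
        return ($p.ExitCode -eq 0)
    } catch {
        return $false
    }
}

# Phase 1, in Safe Mode, after the bad policy has been disabled in the console (steps 1-5):
#   Set-ArelliaStartMode -StartupType Disabled
#   Restart-Computer
#
# Phase 2, after the normal boot and the Symantec Management Agent policy update (steps 6-9):
#   if (Test-ProcessLaunch) { Set-ArelliaStartMode -StartupType Automatic; Restart-Computer }
#   else { Write-Warning 'Process creation is still blocked; do not re-enable the service yet.' }
```

Re-enable the service only after Test-ProcessLaunch succeeds: if the console change from step 1 has not reached the agent yet, turning the service back on simply re-applies the bad policy on the next boot.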

How to Avoid this Problem

Short answer:

Test policies on a limited number of machines before rolling them out to the entire environment.

Long answer:

New policies:
  1. Right-click the Policies folder and select New > Deny Application Execution Policy. This creates an empty deny policy that is disabled.
  2. If you are creating a deny policy for a specific application or group of applications, change the Applications: line to one or more specific application filters.
  3. Deny Execute (blacklist) policies should target specific applications unless they are used in conjunction with whitelist policies, and they must be tested before being rolled out to the entire environment.
    1. If the policy is used in conjunction with whitelist policies, verify that the whitelist catches all system applications and that the new blacklist is the last policy evaluated. For additional safety, set the Exclude Any parameter to exclude system and service applications.
    2. Leaving the application target undefined makes the policy target all applications. This is the desired effect only for a catch-all blacklist policy that sits behind a whitelist.
  4. After the policy has been configured, test it on a few machines, and then roll it out to everyone.

 

Existing policies:
  1. To ensure that blacklist policies do not affect system or service applications, open the Arellia Management Console, click Policies, open Policies->Arellia->Application Control->Policies and select your blacklist policy.
  2. Select the hyperlink next to Exclude Any:
  3. Then select Arellia->Application Control->Filters->Dynamic Filters->Application Context->"Local System and Service application" and move it to the right side. This prevents the blacklist policy from stopping Windows services and system programs from running, which leaves the agent able to receive an updated policy, so you can recover from a bad Deny Execute (blacklist) condition without the Safe Mode procedure above.

          
