This document shows you how to create a whitelist policy for your reference system: the policy targets a collection of computers, scans them for executables in the Windows directories, and adds the executables it finds to a whitelist.
Create a Resource Target
First, create a resource target that contains the desired reference system(s). To create a resource target, do the following steps:
- In the Security Manager Console, click the Resources tab.
- In the left pane, click Resource Filters.
- Right-click the Resource Target folder.
- Click New > Resource Targets > Resource Target.
- Enter a name and description.
- Click OK.
- In the right pane under Filtering Rules, click the Add rule button.
- In the Then menu, "excludes computers not in" will be the default.
- In the menu just to the right of the Then menu, choose Computer List.
- Then click Select.
- In the Select Item window that opens, click the computer resources that represent your reference system(s).
- Click OK.
Create a File Scan Policy
Now that you have your targeting established you can create a file scan policy to add files to your whitelist.
- In the Security Manager Console, click the Policies tab.
- In the left pane, navigate to the Arellia Solutions > File Inventory > Policies folder.
- Right-click the Policies folder and click New > General Scheduled Client Task.
- In the Create Item dialog box, give the task a name and description.
- Under Client Command, click the Select link.
- In the Client Command dialog box, click File Scan Command.
- Click OK.
- Under Resource Targets, click the All Managed Computers (Target) link.
- In the Resource Targets dialog box, choose the endpoints you want to include in the policy.
- In the Create Item dialog box, click OK.
- Configure the new policy settings as follows:
  - Turn on the new policy.
  - Under File Specifications, choose Executables in Windows Directories.
  - Under Reporting Specifications, choose Executions in Windows Directories not present in Security Catalogs.
  - Configure the schedule interval for how often the file scan will execute.
    Note: During the initial testing phase the file scan can be started manually using Windows Task Scheduler on the reference system.
- Click Save.
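To sanity-check what the file scan should report on the reference system, the following script (an added example, not part of the Arellia product or of this guide) builds the same kind of list locally: executables under the Windows directory that are not validated through a security catalog. It assumes that "Windows directories" means $env:windir and everything beneath it, that the extension list below approximates the product's executable definition, and that a file counts as catalog-covered when Get-AuthenticodeSignature reports SignatureType 'Catalog'; all three are assumptions, not product definitions.

```powershell
# Added example: list executables under the Windows directory that are not covered
# by a security catalog, mirroring the "Executables in Windows Directories" file
# specification and the "not present in Security Catalogs" reporting filter.
# Assumptions: $env:windir is the Windows directory, the extension list below stands
# in for the product's executable definition, and SignatureType 'Catalog' from
# Get-AuthenticodeSignature means "present in a security catalog".
# Run in an elevated PowerShell session on the reference system.
param(
    [string]$Root    = $env:windir,
    [string]$OutFile = "$env:TEMP\uncatalogued-executables.csv"
)

# Hypothetical extension set; adjust to match the file specification you chose.
$extensions = @('.exe', '.dll', '.sys', '.ocx', '.scr', '.cpl')

$results = Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $extensions -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
        # Only files NOT validated through a catalog belong in the baseline list;
        # embedded Authenticode signatures and unsigned files both qualify.
        if ($null -eq $sig -or $sig.SignatureType -ne 'Catalog') {
            $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path          = $_.FullName
                Sha256        = if ($hash) { $hash.Hash } else { '' }
                SignatureType = if ($sig) { $sig.SignatureType } else { 'Unknown' }
                Status        = if ($sig) { $sig.Status } else { 'Unknown' }
                Signer        = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }

$results | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host ("{0} executables not covered by a security catalog written to {1}" -f @($results).Count, $OutFile)
```

Compare the resulting CSV against the scan results shown in the File Parameter Collection; a large difference usually means the file specification or reporting filter on the policy is not the one described above.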
File Parameter Collection
Once the file scan has run on the reference system(s), you will have a list of all executables in the Windows directories that are not contained in a security catalog.
You can create a file parameter collection that contains this list of files, which can then be used in a whitelist policy:
- Open the Policies tab.
- Right-click the Arellia Solutions > Application Control > Filters > File Parameter Collections folder and create a new File Scan Results Filter.
- Give the filter a name and an optional description.
- Click OK.
- Configure the parameters to reflect the File Scan policy settings:
  - Set the File Scan Policy to the policy created in the above steps.
  - Set the Reporting Filter to the same one that was configured in the above steps.
  - Set the Results to be Included.
- Click Save.
Whitelist Policy
Once all of the above steps have been completed, you can combine them into a Reference System Whitelist Policy:
- Open the Policies tab.
- Right-click the Arellia Solutions > Application Control > Policies > Whitelisting folder and create a new Blank Application Control Policy.
- Give the policy a name and an optional description.
- Set the Applications to the file parameter collection created above.
- Under Policy Enforcement:
  - Set the Policy priority to a number that is lower than your orange list / deny policy priorities.
  - Ensure that Continue enforcing policies after enforcing this policy is unchecked.
- Click Save.
You now have a working reference system whitelist policy configured.