Index

This chapter covers the most common tasks when working with Application Control Solution. Creating Application Policies Creating Application Actions Creating application filters A full history of when particular features were introduced can be found here

This chapter details the installation requirements and procedures for Application Control Solution. Prerequisites The following software must be installed before installing Application Control Solution on Notification Server: Altiris® Notification Server™

This action allows a process to be protected from most tampering by users. This feature was Introduced in version 7.1 SP3 Adjust process security In Arellia Application Control Solution 7.1 SP3 the ability to adjust process security was added. This featur

This feature was introduced in 7.1 SP3. This feature requires that the Microsoft .Net Framework is installed on client machines. Advanced Feedback Messages are used to collect justifications from the end user. These justifications can be for a request to

These skinnable message actions can be used to inform users of company policy This feature was introduced in 7.1 SP3. This feature requires that the Microsoft .Net Framework is installed on client machines. There are four types of advanced feedback messag

This feature was introduced in 7.1 SP3. After using the Application Compatibility Testing action the Application Verifier Logs in Reports > Arellia > Application Control will show all events from the Microsoft Application Verifier. appcombat-logs.png Righ

The Application Actions folder contains all the operations that can be processed before a certain application can be run on a managed computer. Each action can be referenced by an Application Control policy and determines the environment in which the appl

The Application Actions folder contains all the operations that can be processed before a certain application can be run on a managed computer. Each action can be referenced by an Application Control policy and determines the environment in which the appl

Application Compatibility functionaly was first introduction in Application Control 7.1 SP3 When addressing application compatibility issues in preparation for a deployment of Windows® 7, among the most flexible and powerful tools available are applicatio

Application Compatibility Action applies the dynamic application of Microsoft Application Compatibility Shims to the target process. This feature was Introduced in version 7.1 SP3 This feature only functions on 6.X OS Versions (Vista, Windows 2008, Window

Performs Application Compatibility tests as to whether a program is deemed to require specific security rights, or is an Application Setup This feature was introduced in version 7.1 SP3 This feature only functions on 6.X OS Versions (Vista, Windows 2008,

Performs Standard User Analysis on the target process This feature was Introduced in version 7.1 SP3 This feature has no configurable properties and a single default instance is present The Application Compatibility Testing action leverages Microsoft LUA/

To locate these reports: Once you are in Arellia > Application Control select the Reports tab Select Application Control reports.PNG The report categories installed are: Report Type Included Reports ActiveX Control ActiveX Controls Computers with ActiveX

This policy lets you configure general parameters that control the behavior of the Application Control Agent. To access this page: Once you are in Arellia select the Configuration tab Select Settings > Agents/Plug-ins > Arellia > Application Control > App

Application Control Agent for Windows See Application Control Agent Configuration http://portal.arellia.com/wiki/display/ACS71DOC/Application+Control+Agent+Configuration Application Control Agent Uninstall http://portal.arellia.com/wiki/display/ACS71DOC/A

This page lets you create a package used by Application Control Agent installation policies as needed when performing an agent rollout or uninstallation. Generally, we recommend not changing any settings to this package. Navigate to Settings > Agents/Plug

This is a generic policy that can be used for several things, including agent rollout and uninstallation, and solution agent rollout, upgrade, and uninstallation. To access the rollout page: Once you are in Arellia > Application Control select the Configu

To access this page: Once you are in Arellia > Application Control select the Configuration tab Select Application Control Agent For Windows > Application Control Agent Uninstall Choose which agent you wish to uninstall Select Uninstall Application Contro

Creating an Application Control policy Application Control policies determine whether certain actions run before an end user can run an application. For example, a policy might deny an application the ability to execute or quarantine the application when

The policy wizard simplifies creation of common types of Application Control policies The Application Control Wizard was introduced in 7.1 SP1 The Application Control wizard is accessible via the Actions section in the top right of the Arellia Console Hom

The Software Management folder is shared with the Altiris® Patch Management Solution™ software, Altiris® Software Virtualization Solution™ software, and Altiris® Software Delivery Solution™ software. When Application Control Solution is installed, folders

An application filter defines the applications (groups of files) that can be restricted by an Application Control Policy. There are three types of filters - Dynamic, File and Inventory. They, along with their subtypes are listed below: Dynamic Filters -

See Gauges http://portal.arellia.com/wiki/display/ACS71DOC/Gauges Report Queries http://portal.arellia.com/wiki/display/ACS71DOC/Report+Queries Resource Discovery http://portal.arellia.com/wiki/display/ACS71DOC/Resource+Discovery Product licenses

This section describes the process involved in automatic document encryption. For this scenario you will create a policy to enforce document encryption for all Microsoft Excel Spreadsheets. Scenario description In this scenario, the end user has: Two user

Configuration Folder See Application Control Agent for Windows http://portal.arellia.com/wiki/display/ACS71DOC/Application+Control+Agent+for+Windows Arellia Infrastructure http://portal.arellia.com/wiki/display/ACS71DOC/Arellia+Infrastructure File Invent

By default Application Control Agent configuration options are not set to readily test configuration changes in a test environment. The following agent configuration allows for accelerated feedback when testing Use Cases. Configure the Application Control

This feature is only available with Arellia Application Control Agent version 7.1.1685.0 onwards. Open up your Advanced message dialog in the Arellia console. Under the Window Design section of the dialog make the following changes: 1. In the <Window> ele

Application Control policies determine whether certain actions run before an end user can run an application. For example, a policy might deny an application the ability to execute or quarantine the application when a user attempts to run the application.

To locate these actions: From the Arellia Console click Policies Select Policies > Arellia > Application Control > Actions a1.PNG Choose the action you want to create: To create an action related to any of the existing action types, in the left pane, righ

Application Control policies determine whether or not application actions are run before an end user can run an application. We recommend using the Application Control Policy wizard to create policies and to associate actions, filters, and target computer

To access the Application Filters, do the following steps: Once you are in Arellia > Application Control select the Policies tab Select Application Control > Filters f1.PNG To create an application filter: You can select from a variety of filters from thr

The Default File Inventory Policy discovers information about software programs running on managed computers. By default, this runs daily. To manually run the File Inventory Policy on a managed computer at any time, perform the following steps: Enable Pow

Issue Some reports when viewed in the Altiris console have a blank file name. The same reports viewed in the Arellia console show the correct file name. This occurs even after a full resource discovery has run successfully for the application in question.

Dynamic Filters are evaluted at runtime and are not tied to the particular application being run but by other factors Types of Dynamic Filters include: Application Context Filters - These filters are evaluated by the Altiris Agent and are used to apply se

Issue Standard users in Windows 7 can open the Add a Printer window from Devices and Printers, but after selecting a printer to install they get prompted by User Account Control (UAC) for Administrator credentials. Solution Elevate Standard Users to allow

Elevate the built-in Windows backup utility on Windows Vista and Windows 7 operating systems by doing the following steps: From the Home tab in the Arellia Security Manager console, on the upper right, click Create Application Control Policy. Select Eleva

Sets the Environment of a process to contain the specified Environment Variable. This feature was Introduced in version 7.1 SP3 Environment variable action Sets the Environment of a process to contain the specified Environment Variable. This action can be

Compares an Environment Variable of a process to a specified value This feature was introduced in version 7.1 SP3 Environment Variable Filter An Environment Variable Filter compares an environment variable of a process to a specified value. Standard Envir

This feature was Introduced in version 7.1 SP3 Event Summary and Acknowledgement provides the ability to review recent Application Control events, acknowledge them, and assign them to a policy. The Event Summary viewer is found under Application Control.

Tests file specifications and/or details contained with the Version Information resource Editing an excutable filter Enter a filter name and description. Enter a File name and File path in the fields provided. (Optional) Click Include subdirectories to fi

Executes another process and optionally wait on that process completion before the original process can execute. This feature was Introduced in version 7.1 SP3 Application Control Solution 7.1 SP3 adds the ability to execute another process and optionally

7.1 SP1 Feature Additions 7.1 SP2 Feature Additions 7.1 SP3 Feature Additions

File Filters target the actual executable that is being run, with numerous sub types targeting different aspects of executables Types of File Filters include: Application Compatibility Filters - New to ACS 7.1 SP3 these filters are used to detect administ

A file inventory filter defines the applications (groups of files) that can be restricted by a file control policy, and the applications (groups of files) that can be restricted by an Application Control Policy. To access file inventory filters: Once you

To locate these reports: Go to Arellia Security Manager and click on the Reports tab Select Reports > Arellia > File Inventory FI2.png The report categories installed are: Report Category Report Name Agent Information File Inventory Agent Installation S

File Owner Filters target the Security Principal that is listed as the File Owner on NTFS file systems This feature was introduced in 7.1 SP2. Editing a file owner filter You may select multiple Security Principals. If any of the Security Principals match

File scanning policies scan managed computers for application file types (Example: ITunes files within Windows directories) and reports back to the Notification Server. To create a file scanning policy: Once you are in Arellia select the Policies tab Sele

Select from the following Gauge choices: Gauge Categories Configuration Product Monitor System Health Vulnerabilities Gauge Queries Computers Guest Account Enabled Percentage of Systems with Guest Account Enabled Windows Patch Compliance By Computer Gaug

The Getting started tasks guide you through the basic setup, configuration, and use of Application Control Solution (ACS). You can use the Home page in the Symantec Management Console to access most tasks. The Symantec Management Console is the primary in

Application Control Solution 7.1 product documentation This is the product documentation for the current release of ACS. To find your way around, please use the left panel to browse the document tree or search. Or start at the beginning. If you are lookin

As of ACS 7.1 specific policies to bypass UAC is not required. Issue When running programs and some system configuration items, Windows Vista and Windows 7 with prompt the user to confirm and/or enter an administrator password. In many cases IT has deter

{index}{index}

Arellia 7 products are installed to the Symantec Management Platform via the Symantec Installation Manager. There is an Arellia product listing used to download and install Application Control Solution. Follow the steps in How to install Arellia version 7

The Application Control Agent is software that you can install on your managed computers. The agent lets Application Control Solution run policies, manage applications, and run defined actions. You can install the agent from the policies in the Applicatio

Introduction Application-level security attack, such as file system corruption, registry corruption, spyware, and keylogging, pose a serious threat to mission critical business operations. Arellia Application Control Solution™ software helps you manage th

Inventory Filters are evaluted at runtime and are used to apply Application Control policies for already discovered applications. Types of Inventory Filters include: File Parameter Collections - These filters use the inventory to create file scan results

This application reclaims Application Control licenses from managed computers with no Application Control agents installed. To access this section, go to Arellia Security Manager and click on the Configuration tab Select Settings > Arellia > Application C

Tests whether the application vendor has included a security manifest with the application, and optionally whether specific rights rights required are specified This feature was introduced in 7.1 SP3. The Mainfest Filter tests: whether the application ven

Manual Security Ratings are generally not used, but are included for backward compatibility with ACS 6.1. Typically combinations of Reference System whitelists, Package Contents whitelists and trust based Dynamic Filters are used instead of manual Securi

Manual Security Ratings are generally not used, but are included for backward compatibility with ACS 6.1. Typically combinations of Reference System whitelists, Package Contents whitelists and trust based Dynamic Filters are used instead of manual Securi

Applies current network connectivity tests using Windows Network Location Awareness This feature was introduced in 7.1 SP2 This feature only functions on 6.X OS Versions (Vista, Windows 2008, Windows 7) The Network Location Filter works with Windows Netwo

This feature was introduced in 7.1 SP3. This feature requires that the Microsoft .Net Framework is installed on client machines. No required input messages differ from the Advanced Feedback Message Actions because they do not require a justification to co

The Application Control Solution lifecycle is represented by the following graphic: life cycle.jpg File discovery After installing Application Control Solution, you must install the File Inventory Agent on managed computers. Installing the File Inventory

The following folders and items are used to create and manage applications: Application Actions http://portal.arellia.com/wiki/display/ACS71DOC/Application+Actions Application Control Policies http://portal.arellia.com/wiki/display/ACS71DOC/Application+Co

This feature was introduced in version 7.1 SP1 Policy priority management allows for easy visualization and adjustment of ordering of Application Control policies. It is located in Application Control > Policy Priority Management. ppm1.PNG The Policy Prio

This scenario shows you how to prevent the end user from running cmd.exe. Scenario description In this scenario: The end user has run C:\windows\system32\cmd.exe at least once since the Application Control Agent was installed. File Inventory Agent has ret

Scenario description In this scenario, the end user has the following installed: Microsoft Word Microsoft Excel Scenario resolution On the managed computer, create a Microsoft Word document and save it to c:\company invoices\invoice 101.doc Once you are i

This page displays the currently installed product licenses and allows you to add additional licenses. To access this page: Once you are in Arellia select the Home tab Select View/Install Licenses from the Actions window licenses1.PNG Alternatively to acc

This scenario shows you how to quarantine a known malicious application. Scenario description Copy and rename cmd.exe: "C:\Virus\malicious application.exe". Scenario resolution On the managed computer, create the Microsoft Word document C:\document\import

rq1.PNG

This section details the folders and items that Application Control Solution installs on the Reports tab. You can use or edit default reports, or create your own to help you analyze application control information. Reports are created for Application Cont

See Resource Discovery Agents http://portal.arellia.com/wiki/display/ACS71DOC/Resource+Discovery+Agents Server Discoverers http://portal.arellia.com/wiki/display/ACS71DOC/Server+Discoverers Resource Discovery Update http://portal.arellia.com/wiki/display

The Default Resource Discovery Agent Policy determines the frequency of scanning files for their resource information. Files are inventoried separately at run time or via the file inventory policy. For performance optimization, only file hashes and locati

This policy controls how often the File Inventory Agent inventories managed computers and reports back to the Notification Server. To access the Resource Discovery Agents: Once you are in Arellia select the Configuration tab Select Arellia > Infrastructur

The Resource Discovery Update page lets you configure the schedule for calculating what Notification Server Resources need additional client or server side discovery. The task enumerates all server and client side Resource Discoverers and either: For Serv

Resource purging The resource purging policy lets you perform a periodic database cleanup and remove any file and digital certificate resources that are no longer associated with any computers. By default, the schedule runs daily. To access and enable thi

This scenario describes the process involved in restricting an application's process rights. This sample scenario guides you through the necessary steps, using the default Limit Internet Explorer and Outlook process rights policy. Scenario description In

After the Application Control Agent has been installed, the solution performs an application inventory. This inventory is gathered by the Default File Inventory Policy and the Default File Discovery Policy. You might want to view a summary of all of the W

This scenario shows you how to capture application data in a Symantec Workspace Virtualization layer. Scenario description In this scenario, the end user has the following installed: Microsoft Word Scenario resolution On the managed computer, create the M

This feature was Introduced in version 7.1 SP3 Self-Elevation Self-Elevation was introduced in 7.1 SP3 as a way to enable the end user to request elevation to install or run applications. To enable Self-Elevation: Enable Self-Elevation in the Application

This feature was Introduced in version 7.1 SP3. Using the default Self-Elevation, applications are launched with administrator rights after a justification is given. The following steps will allow a user to request elevation, but not add administrator rig

To access the server discoverers page: Once you are in Arellia select the Configuration tab Select Arellia > Infrastructure > Resource Discovery > Server Discoverers sd1.PNG Select from the following Server Discoverer choices: Common Configuration Enumera

Save time by using the Application Control Policy Wizard http://portal.arellia.com/wiki/x/t4AgAQ Creating an Application Control Policy Create a new application control policy by right-clicking Policies and selecting New > Blank Application Control Policy

See Configuring for a Test Environment for tips on improving time lags for testing scenarios

Issue In Windows Vista/7 standard users are unable to install ActiveX plug-ins. For Windows XP Users, Arellia offers the following solution http://portal.arellia.com/wiki/display/KB/Controlling ActiveX objects http://portal.arellia.com/wiki/display/KB/Con

To access this folder: Once you are in Arellia select the Tasks tab tasks.PNG Arellia tasks Arellia tasks can be used to perform several tasks on the client and server systems. The following folders and items are used to manage applications: Client Tasks

To track all policies enforced by Application Control Solution, run the Application Actions by Computers report. Once you are in Arellia select the Reports tab Select Arellia > Application Control > Application Control Policy Enforcement Select Applicatio

ActiveX with Arellia For Windows Vista, Windows 7, Windows 8.x and Windows 10 machines, Arellia utilizes the ActiveX Installer Service. For Windows XP, Arellia uses it's own mechanisms to elevate ActiveX installations. Both types of machines can be manage

In this scenario you will create a reference system whitelist policy that targets a collection of computers, searches for Windows executables, then adds any Windows executables not currently in a security catalog to a whitelist. You will also add applicat

This scenario takes you through the process of creating an application control policy to inventory Software Delivery Packages and add them to a whitelist, marking them as safe to be used in your environment. Once the policy has been created, inventorying