Index

This space is to archive retired docs instead of deleting them so their history can be retained.

ActiveX installer actions are used only on Windows XP machines to enable standard users to install approved ActiveX applications in Internet Explorer. To create ActiveX installer action From the Arellia Security Manager Console go to the Policies tab. Nav

Adjusting process security allows a process to be protected from most tampering by users. For example, it can be used to restrict who can stop a process from the task manager. It is also recommended that all adjusting of process security is done in a test

Advanced Feedback Messages are used to collect justifications from the end user. These justifications can be for a request to run a program as an administrator or be a justification to run a program that has not been approved or denied yet. These justific

There are five types of advanced feedback messages that can be used as actions to Application Control Policies: Application Denied Message Action - This action will display a notification of denial to the user attempting to run a process controlled by a p

Verify testing logs after applying Application Compatibility Testing Action To verify application compatibility testing logs From the Arellia Security Manager Console go to the Reports tab. Navigate to Reports / Arellia / Application Control / Whitelist /

The Application Actions folder contains all the operations that can be processed before a certain application can be run on a managed computer. Each action can be referenced by an Application Control policy and determines the environment in which the appl

To analyze application compatibility: Test each application before doing a windows migration. Do the windows migration and then let users notify IT of problems with applications. Use Arellia Application Control Solution to identify applications with compa

"When addressing application compatibility issues in preparation for a deployment of Windows® 7, among the most flexible and powerful tools available are application compatibility fixes, or shims. However, most organizations do not leverage shims to the e

This folder is where all of the custom shims created from the Adjust Application Compatibility wizard are placed. You can also create new Application Compatibility Fix Actions. Application Compatibility Action applies the dynamic application of Microsoft

The application compatibility filter performs application compatibility tests as to whether a program is deemed to require specific security rights, or is an application setup. This feature only functions on Windows Vista, Windows 7, Windows 8, Windows 8.

Interactive users filters This filter is 99.9% of the time used as a conditional filter for an application control policy to limit the policy to only apply to interactive users. It's recommended to use this filter when you use a broad scoping application

Coloredline.jpg Application Control Solution Reports To locate these reports: From the Arellia Security Manager Console, go to the Reports tab. Navigate to Arellia / Application Control. reports.PNG The report categories installed are: Report Type and wha

This policy lets you configure general parameters that control the behavior of the Application Control Agent. To Configure Application Control Agent From the Arellia Security Manager Console go to the Configuration tab. Navigate to Settings / Agents/Plug-

Save time by using the Application Control policy wizard To View Standard Application Control Policies From the Arellia Security Management Console, go to the Policies tab. Navigate to Arellia / Application Control / Policies. Select New. A list of (stand

The Policy Wizard simplifies creation of common types of Application Control policies The Application Control Wizard is accessible via the Actions section in the top right of the Arellia Console Home page by selecting "Create Application Control Policy".

This chapter details the installation requirements and procedures for Application Control Solution. Prerequisites The following software must be installed before installing Application Control Solution on Notification Server: Altiris® Notification Server™

This illustrates everything that happens within the Application Control Solution lifecycle. ACS Overview.jpg File discovery After installing Application Control Solution, you must install the File Inventory Agent on managed computers. Installing the File

Application filters An application filter defines the applications (groups of files) that can be restricted by an Application Control Policy. There are three types of filters - Dynamic, File and Inventory. They, along with their subtypes are listed below

These actions are used to meter an applications use Symantec Endpoint Protection™. To meter application usage From the Arellia Security Manager Console, go to the Policies tab. Navigate to Policies / Arellia Solutions / Application Control / Actions. Righ

Coloredline.jpg

Coloredline.jpg Not implemented yet. Under construction.

Coloredline.jpg Under Construction! Checking Exact Membership enforces this provisioned group to only users that are specified under Group Membership. Selecting Include Primary user, (the user that is logs onto that machine the most becomes the primary us

Arellia Infrastructure Page See Gauges http://portal.arellia.com/wiki/display/ACS75DOC/Gauges Report Queries http://portal.arellia.com/wiki/display/ACS75DOC/Report+Queries Resource Discovery http://portal.arellia.com/wiki/display/ACS75DOC/Resource+Discove

This section describes the process involved in automatic document encryption. For this scenario you will create a policy to enforce document encryption for all Microsoft Excel Spreadsheets. Scenario description In this scenario, the end user has: Two user

Basic User Messages pop-up from the task bar. Basic messages don't require the end-user to do anything. Types of basic messages From the Arellia Security Manager Console, go to the Policies tab. Navigate to Policies / Arellia Solutions / Application Contr

The best practices addresses the best way of elevating privileges and whitelisting within Application Control Solution.

All of the commands under this folder are built-in and are used by the ACS Policy Wizard when it creates an elevation policy for certain system options. These filters are all partial matches that will elevate an application if that command is present. For

Compatibility Adjustment can be accomplished by right-clicking an application from the Event Viewer and Adjusting the Compatibility with an Application Compatibility Testing Action.

Coloredline.jpg

Configuration is necessary before rolling out agents because depending on what you configure, you will receive varying results. You are ready to configure Application Control after you have installed all server components but before you have rolled out t

Coloredline.jpg Not implemented yet. Under Construction.

Coloredline.jpg Using the User/Group Inventory Task From the AMS Console, go to the Tasks tab. Select Local Security Folder / User/Group Inventory Task. Missing step...Right-click, then what? Or Quick Run? Both? Running the User/Group Inventory Task popul

Coloredline.jpg

By default Application Control Agent configuration options are not set to readily test configuration changes in a test environment. The following agent configuration allows for accelerated feedback when testing Use Cases. Configure the Application Contro

Resources are the agents and servers running on your network. Before you can begin to apply policies, elevate or reduce privileges, you must discover all of the resources that you have to work with. Regardless of the Agent Discoverer, Arellia optimizes th

To create a new basic message, do the following steps: From the Arellia Security Manager Console, go to the Policies tab. Navigate to Policies / Arellia Solutions / Application Control / Actions / Messages. Right-click Basic and select New / Display User

Coloredline.jpg

Coloredline.jpg To first begin, create a new prov user and a new prov group. Resources/Provisioned Users, click New Provisioned User and fill in the details of the form. Click Save. Policies/Resources/Provisioned Group, click New, use and already provisio

Coloredline.jpg Cannot provision user account only (group is expected as a parameter). Under construction.

Coloredline.jpg

Coloredline.jpg

Application Control policies determine whether certain actions run before an end user can run an application. For example, a policy might deny an application the ability to execute or quarantine the application when a user attempts to run the application.

A list of simplified actions can be found below, a full list of actions can be found here: Application Actions Summary http://portal.arellia.com/wiki/x/LgC3. After creating or modifying an action, the action can then be used as an Action in an Application

Application Control policies determine whether or not application actions are run before an end user can run an application. We recommend using the Application Control Wizard to create policies and to associate actions, filters, and target computers. To A

To access the Application Filters, do the following steps: Once you are in Arellia > Application Control select the Policies tab. Select Application Control > Filters. f1.PNG To create an application filter, do the following steps: You can select from a v

Default File Inventory Policy page The Default File Inventory Policy discovers information about software programs running on managed computers. By default, this runs daily. To manually run the File Inventory Policy on a managed computer at any time, per

As the name suggests, these actions prevent applications from reading or writing (or both) to certain directories or to Microsoft Office Documents. To deny applications from access, do the following steps: From the Arellia Security Manager Console, go to

Coloredline.jpg

Coloredline.jpg

Coloredline.jpg From the Policies tab, go to Resources / Local Users. Find the Provisioned User Account on a remote machine. Right-click the Provisioned User and select Show Managed Password. This action displays the randomized password of the Provisioned

Dynamic Filters are evaluted at runtime and are not tied to the particular application being run but by other factors. Types of dynamic filters include: Application Context Filters - These filters are evaluated by the Altiris Agent and are used to apply s

As the name suggests, this action forces applications to use Microsoft encryption when saving a file. To encrypt application files, do the following steps: From the Arellia Security Manager console, go to the Policies tab. Navigate to Policies / Arellia S

The definition of an environment variable filter compares an environment variable of a process to a specified value. Most users will never create their own versions of Environment Variable Filters and will only use the two we have defined. Manual Applicat

An application gets caught by a policy and this action sets an environment variable that the application can use. Any application it spawns would have that same environment variable, from there additional application filters and policies could be used to

Event Summary and Acknowledgement enables you to do the following: Review recent Application Control events Acknowledge Application Control events Assign them to a policy To view the event summary, do the following steps: From the Arellia Security Manager

Tests file specifications and/or details contained with the Version Information resourceExecutable Filters are powerful because they are built on "and" logic and not "or" logic, meaning that parameters for any type of executable can be filtered (excluded

Executes another process and (optionally) wait on that process completion before the original process can execute. To Create Execute Application Action From Arellia Security Manager Console, go to the Policies tab. Navigate to Policies / Arellia Solutions

File filters target the actual executable that is being run, with numerous sub types targeting different aspects of executables. Types of File Filters include: Application Compatibility Filters - These filters are used to detect administrative privileges

There are three ways in Application Control Solution (ACS) for file hashes to be used as the program or process identification parameter: Reference System lists (see How to create a Whitelist from a Reference System) are hashes. Package Contents lists (se

File Inventory Agent For Windows See Default File Inventory Policy http://portal.arellia.com/wiki/display/ACS75DOC/Default+File+Inventory+Policy

A file inventory filter defines the applications (groups of files) that can be restricted by a file control policy, and the applications (groups of files) that can be restricted by an Application Control policy. There are five types of filters: Drive Typ

File Inventory Reports To locate these reports: Go to Arellia Security Manager and click on the Reports tab Select Reports > Arellia > File Inventory FI2.png The report categories installed are: Report Category Report Name Agent Information File Invento

File owner filters target the security principal that is listed as the file owner on NTFS file systems. To edit a file owner filter, select multiple security principals. If any of the security principals match the file owner on the file being tested then

File scanning policies scan managed computers for application file types (Example: ITunes files within Windows directories) and reports back to the Notification Server. To create a file scanning policy, do the following steps: Once you are in Arellia sele

Gauges page Select from the following Gauge choices: Gauge Categories Configuration Product Monitor System Health Vulnerabilities Gauge Queries Computers Guest Account Enabled Percentage of Systems with Guest Account Enabled Windows Patch Compliance By Co

Prerequisites for getting started tasks You must install the following software before you can use Application Control Solution: Arellia Management Server. Application Control Solution 7.5. See Agent installation. Getting started tasks Imagine that you ar

Application Control Solution 7.5 Product Documentation This is the product documentation for the current release of ACS. To find your way around, please use the left panel to browse the document tree or search. Or start at the beginning. If you are lookin

Determining which policy is applying to a process is useful when trying to diagnose whether or not a policy is being applied correctly. Below are steps for the Arellia Management Server and Symantec Management Agent using Arellia 7.5 Application Control A

{index}{index}

To correctly set up Application Control Solution (ACS), be sure to execute the following processes in order: Install ACS https://www.arellia.com/wiki/display/AMS/Install+Arellia+Products Configure ACS https://www.arellia.com/wiki/display/ACS75DOC/Config

Steps to install Arellia Application Control Solution on Arellia Management Server Complete the AMS Server Installation Navigate to http://localhost/AMS/Setup/ http://localhost/AMS/Setup/ Install Arellia Application Control Solution Install Arellia File I

The Application Control Agent is software that you can install on your managed computers. The agent lets Application Control Solution run policies, manage applications, and run defined actions. You can install the agent from the policies in the Applicati

Application-level security attack, such as file system corruption, registry corruption, spyware, and keylogging, pose a serious threat to mission critical business operations. Arellia Application Control Solution™ software helps you manage this risk by al

Inventory filters are evaluted at runtime and are used to apply Application Control policies for already discovered applications. Types of Inventory Filters include: File Parameter Collections - These filters use the inventory to create file scan results

This application reclaims Application Control licenses from managed computers with no Application Control agents installed. To access this section, go to Arellia Security Manager and click on the Configuration tab Select Settings > Arellia > Application C

Manifest filters test whether the application vendor has included a security manifest with the application, and (optionally) whether specific rights rights required are specified. The Manifest Filter tests the following: whether the application vendor has

Manual Security Ratings are generally not used, but are included for backward compatibility with ACS 6.1. Typically combinations of Reference System whitelists, Package Contents whitelists and trust based Dynamic Filters are used instead of manual Securi

Manual security ratings are generally not used, but are included for backward compatibility with ACS 6.1. Typically combinations of reference system whitelists, package contents whitelists and trust based dynamic filters are used instead of manual securit

Messages are the most common application action. There are two kinds of messages: Advanced and Basic. Advanced messages are the type that pop-up in the middle of the screen, requiring the user to justify access to a certain application or to warn the user

Applies current network connectivity tests using Windows Network Location Awareness The network location filter works with Windows Network Location Awareness to filter based on current Network Connectivity. Standard network location filters Name Descripti

No required input messages differ from the Advanced Feedback Message Actions because they do not require a justification to continue. The end-user only needs to acknowledge the displayed message. 1Coloredline.jpg This feature requires that the Microsoft .

Application Control Solution (ACS) Features & Functions This chapter covers the most common tasks when working with Application Control Solution. Creating Application Policies Creating application actions Creating application filters

Policy priority management allows for easy visualization and adjustment of ordering of Application Control policies. It is located in Application Control > Policy Priority Management. ppm1.PNG The Policy Priority Management tool also makes it easy for qui

Coloredline.jpg

This scenario shows you how to prevent the end user from running cmd.exe. Scenario description In this scenario: The end user has run C:\windows\system32\cmd.exe at least once since the Application Control Agent was installed. File Inventory Agent has ret

Scenario description In this scenario, the end user has the following installed: Microsoft Word Microsoft Excel Scenario resolution On the managed computer, create a Microsoft Word document and save it to c:\company invoices\invoice 101.doc. Once you are

The process rights action folder contains the actions to remove or add administrator rights. Removing administrator rights is used for applications such as web browsers to increase their locked down state for both administrators and standard users. Adding

Product Licenses This page displays the currently installed product licenses and allows you to add additional licenses. To access this page: Once you are in Arellia select the Home tab Select View/Install Licenses from the Actions window licenses1.PNG Alt

This scenario shows you how to quarantine a known malicious application. Scenario description Copy and rename cmd.exe: "C:\Virus\malicious application.exe". Scenario resolution On the managed computer, create the Microsoft Word document C:\document\import

Coloredline.jpg Automation policies not implemented. Under construction.

Coloredline.jpg Not implemented yet. Under construction.

Coloredline.jpg Under construction...Dividing into shorter tasks... Randomize Administrator Password Task From the Tasks tab, select the Local Security folder / Randomize Administrator Password. Right-click and select Run to run this task on multiple mac

Report Queries Page rq1.PNG

Resource Discovery Page See Resource Discovery Agents http://portal.arellia.com/wiki/display/ACS75DOC/Resource+Discovery+Agents Server Discoverers http://portal.arellia.com/wiki/display/ACS75DOC/Server+Discoverers Resource Discovery Update http://portal.

Default Resource Discovery Agent Policy The Default Resource Discovery Agent Policy determines the frequency of scanning files for their resource information. Files are inventoried separately at run time or via the file inventory policy. For performance o

Resource Discovery Agents page This policy controls how often the File Inventory Agent inventories managed computers and reports back to the Notification Server. To access the Resource Discovery Agents: Once you are in Arellia select the Configuration tab

Resource Discovery Update The Resource Discovery Update page lets you configure the schedule for calculating what Notification Server Resources need additional client or server side discovery. The task enumerates all server and client side Resource Discov

Resource Purging The Resource Purging policy lets you perform a periodic database cleanup and remove any file and digital certificate resources that are no longer associated with any computers. By default, the schedule runs daily. To access and enable thi

This scenario describes the process involved in restricting an application's process rights. This sample scenario guides you through the necessary steps, using the default Limit Internet Explorer and Outlook process rights policy. Scenario description In

Coloredline.jpg

Coloredline.jpg

Coloredline.jpg

Coloredline.jpg

Coloredline.jpg

Coloredline.jpg

Coloredline.jpg

Coloredline.jpg

After the Application Control Agent has been installed, the solution performs an application inventory. This inventory is gathered by the Default File Inventory Policy and the Default File Discovery Policy. You might want to view a summary of all of the W

This scenario shows you how to capture application data in a Symantec Workspace Virtualization (SWV) layer. Scenario description In this scenario, the end user has the following installed: Microsoft Word Scenario resolution On the managed computer, create

Coloredline.jpg

Secondary file filters are complicated to set up, but well worth it, if you understand how they work. This topic will attempt to explain how they work and give you a working example of how they can be used. MSI file example If you want to elevate msi file

User self-elevation occurs when mobile, remote, or power users need to run software that is usually run by Administrators only. Risks can occur when users are allowed to self-elevate and the option to allow self-elevation should be weighed carefully. The

Using the default self-elevation, applications are launched with administrator rights after a justification is given. The following steps will allow a user to request elevation, but not add administrator rights to the application. Right-click Justify Appl

Server Discoverers To access the Server Discoverers page: Once you are in Arellia select the Configuration tab Select Arellia > Infrastructure > Resource Discovery > Server Discoverers sd1.PNG Select from the following Server Discoverer choices: Common Co

These filters can be used in several of the following ways: A target for ACS policies A parameter to prevent spoofing Signed application filters use certificates as a parameter. They can use one or many certificates in a single signed application filter.

Issue In Windows Vista/7 standard users are unable to install ActiveX plug-ins. For Windows XP Users, Arellia offers the following solution http://portal.arellia.com/wiki/display/KB/Controlling ActiveX objects http://portal.arellia.com/wiki/display/KB/Con

Home

Time of Day Filters do exactly as the name suggests. For example, you can allow iTunes to run when it's not business hours by excluding normal business hours (9am to 5pm) on an Application Control Policy that targets iTunes (TM).

To track all policies enforced by Application Control Solution, run the Application Actions by Computers report. From the Arellia Security Management Console select the Reports tab. Navigate to Arellia / Application Control / Application Control Policy E

These filters take the following as parameters: Well-known users Built-in accounts Well-known groups Domain users A single user or group or numerous combinations of users/groups/well-knowns allow User Context Filters to limit the scope of Application Cont

Coloredline.jpg

In this scenario you will create a reference system whitelist policy that targets a collection of computers, searches for Windows executables, then adds any Windows executables not currently in a security catalog to a whitelist. You will also add applicat

This scenario takes you through the process of creating an application control policy to inventory software delivery packages and add them to a whitelist, marking them as safe to be used in your environment. Once the policy has been created, inventorying