Application actions summary
The Application Actions folder contains all the operations that can be processed before a certain application can be run on a managed computer. Each action can be referenced by an Application Control policy and determines the environment in which the application will run or be restricted.
Use the Application Control Wizard to create policies and to associate actions, filters and target computers.
Access application actions
To access application actions, do the following steps:
- From the Arellia Security Manager Console, go to the Policies tab.
- Navigate to Policies / Arellia Solutions / Application Control / Actions. Every available Action within Application Control is displayed.
The default application actions are described in detail in the following table:
Action | Description |
---|---|
Active X Installer | The ActiveX installer action allows an application (Example: Internet Explorer) to automatically install ActiveX components at an elevated privilege level. ActiveX Components are reported by the File Inventory "Com Component Inventory" policy, which reports on downloaded ActiveX components. |
Application Metering | The Application Metering action meters the usage of applications. It reports the usage according to application control agent "Send Events" configuration option. There are no configurable options for this action. |
Deny File Access | Â |
Deny Read/ Write Access To Microsoft Office Document Files | Deny read or write access to Microsoft* Office documents by selecting the appropriate check box. Filter the application by:
|
Deny Write Access to Executable Files | Deny write access to common executable files. Filter the application by:
|
Encrypt Application Files | Â |
Encrypt Common Application Documents | Encrypt an application's documents. Filter the application by:
|
Encrypt Microsoft Office Documents | Encrypt Microsoft Office documents. Filter the application by:
|
Environment Variables | This action will set a specified environment variable with a specific value |
Execute Application | This action will execute a specific application with commands |
Messages | Â |
Advanced | New to SP3 |
Application Denied Message | This action will deny an application from being run and display a dialog window that explains why this application is denied along with a link to the Company's policy page. |
Application Warning Message | This action will allow an application to run after displaying a dialog window that warns the user that this application has not been approved yet. |
Justify Application Elevation Message | This action will cause a dialog window appear after a user requests to run a program as an administrator, they will then need to justify why they need admin rights for that application. This justification will then appear in reports on the Notification Server. |
Justify Application Message | This action will allow an application to run after displaying a dialog window that has the user justify why they need to run this application. This justification will then appear in reports on the Notification Server. |
Basic | Â |
Deny Execute Message | Configure this message to appear when a user attempts to run a certain application. You can configure:
|
Deny Files Read and Write Access Message | Configure this message to appear when a user has read or write restrictions on a certain application. You can configure:
|
Limit Process Rights for New Applications Message | Configure this message to appear to the user informing them that an application has had its rights reduced. This message is configured the same as Default Deny Execute Message, above. |
Quarantine Message | Configure this message to appear when you have quarantined an application. This message is configured the same as Default Deny Execute Message, above. |
Remove Rights Message | Configure this message to appear when you have restricted a user's rights on an application. This message is configured the same as Default Deny Execute Message, above. |
SVS Global Layer User Message | Configure this message to appear when a user opens an application placed into the global virtualization layer. This message is configured the same as Default Deny Execute Message, above. |
SVS Isolation Layer User Message | Configure this message to appear when a user opens an application placed into the isolation virtualization layer. This message is configured the same as Default Deny Execute Message, above. |
Windows Hooking Message | Configure this message to appear when you prevent an application from starting, as the software may attempt to perform a restricted operation. You can configure:
|
New Display user Message Action | Configure a new message to appear when a certain action is performed. This message is configured the same as Default Deny Execute Message, above.
|
My Actions | This action folder can be used to store actions that are created by you. |
Process Rights | Â |
Add Administrative Rights | This action elevates the permissions and privileges held by a process security token. By default, each process a user launches inherits the user's security token. You can configure:
|
Remove Administrative Rights | This action is the same as Default Add Administrative Rights except Restrict is enabled by default. |
Process Security | New to SP3 |
Locked down Service Process Security Descriptor | This action is used to lock a process down according to a Security Descriptor when the process is started. |
Quarantine | Â |
File Quarantine | Create a quarantine path for applications. You can:
|
New File Quarantine | To create a new quarantine path for applications:
|
Workspace Visualization Layers | Â |
Application Control SVS Global Layer | Create an SVS layer that certain applications must run under. You can:
|
Application Control SVS Isolation Layer | Create an SVS layer that certain applications must run under. You can:
|
New Apply SVS Layer Action | To create a new SVS layer that certain applications must run under:
|
Deny Execute | Prevent a managed computer from executing an application. Enter an action name and description in the appropriate fields. |
Deny Windows Hooking | Prevent applications from hooking into Windows functions. Enter an action name and description in the appropriate fields. |