Blacklisting best practices

What's covered 

Blacklist specific applications

Ensure policies do not affect system or service applications

Catch-all blacklist

Arellia Application Control Solution (ACS) can control any application on a machine. When you configure ACS correctly, targeted applications can be elevated, whitelisted, or blacklisted. However, if you create new policies without careful consideration, you can block core system processes.

When you install ACS, a blacklist policy is enabled by default that targets "All Blacklist Security Rated Applications." However, this default policy does not contain any applications until you add them, so you can leave it enabled without any effect on the environment.

Before you create new policies, keep in mind the following best practices:

  • Do not enable policies until after you have configured them. As a safety precaution, all newly-created application control policies are turned off until you enable them.

    Important

    New policies that you create will automatically target all applications until you add application filters that will narrow the scope.

  • Additionally, Arellia highly recommends testing all policies on a limited number of machines before they are deployed to the entire environment. See Best practices for Application Control Solution policies for more information.

Blacklist specific applications

To create a new policy that blacklists specific applications, do the following steps:

  1. In the Security Manager console, click the Policy tab.
  2. In the file library in the left pane, navigate to Application Control > Policies.
  3. Right-click the Policies folder and click New > Deny Application Execution Policy.
  4. Enter a name and description, and then click OK.
  5. On the Applications to Control tab, next to Applications, add the application filters for the applications that you want to blacklist.

Blacklist policies target only the specific applications you filter for, unless they are used in conjunction with whitelist policies (see Catch-all blacklist below). Be sure to test the new policy on a few machines before you roll it out to the environment.

Ensure policies do not affect system or service applications

To ensure blacklist policies do not affect system or service applications, do the following steps:

  1. In the Security Manager Console, click the Policies tab.
  2. In the file library in the left pane, navigate to Policies > Arellia Solutions > Application Control > Policies and then click your blacklisting policy.
  3. In the right pane under Settings, click the Policy Enforcement tab.
  4. Make sure to clear the Applies to all processes check box.

Clearing the Applies to all processes check box forces this policy to apply only to applications launched by the interactive user.

Catch-all blacklist

A catch-all blacklist is the last policy executed following the execution of a group of whitelist policies. This enables you to configure your whitelist to allow approved applications, like the Windows directory or other installed applications, and then to deny everything else, like applications downloaded from the internet or a thumb drive.

To create a catch-all blacklist policy, do the following steps:

  1. In the file library in the left pane, navigate to Policies > Arellia Solutions > Application Control > Policies.
  2. Right-click Policies and click New > Deny Application Execution Policy.
  3. In the Create Item dialog box, give the policy a Name and Description.
  4. Click OK.
  5. In the right pane under the Applications to Control tab, do not select any applications to control.
  6. Under Conditions > Exclude any, select system and service applications.
  7. Click the Policy Enforcement tab.
  8. Set the Policy priority to 99.
  9. Select the Stage 2 processing check box.

If you are creating a new catch-all policy to be used in conjunction with whitelist policies, verify that the whitelist covers all system applications and that the new blacklist is the last policy executed. For additional safety, use the Exclude any parameter to exclude system and service applications.
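As an added illustration that is not part of the original documentation and not the ACS engine, the following Python model assumes simplified evaluation semantics (policies checked in priority order, the first enabled match wins, and no match lets the application run) to show why a catch-all deny with no application filter needs the system/service exclusion:

```python
"""Simplified model of whitelist-then-catch-all evaluation.
Added illustration with assumed semantics (first enabled matching policy in
priority order wins; no match means the application runs). Not the ACS engine."""
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    action: str                   # "allow" or "deny"
    priority: int                 # lower values are evaluated first (assumption)
    enabled: bool = False         # new policies start disabled, as the page states
    path_prefixes: tuple = ()     # no filter at all = targets every application
    exclude_contexts: tuple = ()  # e.g. ("system", "service") for Exclude any

    def matches(self, path: str, context: str) -> bool:
        if context in self.exclude_contexts:
            return False
        if not self.path_prefixes:            # unfiltered policy: matches everything
            return True
        return any(path.lower().startswith(p.lower()) for p in self.path_prefixes)


def evaluate(policies, path, context="interactive"):
    """Return (decision, policy name) for the first enabled policy that matches."""
    for pol in sorted(policies, key=lambda p: p.priority):
        if pol.enabled and pol.matches(path, context):
            return pol.action, pol.name
    return "allow", "no policy matched"


# Constructed sample policies: one whitelist plus two variants of the catch-all.
WINDOWS_WHITELIST = Policy("Allow Windows directory", "allow", 10, True, ("C:\\Windows\\",))
UNSAFE_CATCH_ALL = Policy("Catch-all deny, no exclusions", "deny", 99, True)
SAFE_CATCH_ALL = Policy("Catch-all deny", "deny", 99, True,
                        exclude_contexts=("system", "service"))


def decisions(catch_all):
    """Evaluate three constructed launches under the whitelist plus a catch-all."""
    policies = [WINDOWS_WHITELIST, catch_all]
    return {
        "notepad": evaluate(policies, "C:\\Windows\\notepad.exe"),
        "download": evaluate(policies, "C:\\Users\\alice\\Downloads\\setup.exe"),
        "service": evaluate(policies, "C:\\Program Files\\Vendor\\agent.exe", "service"),
    }


if __name__ == "__main__":
    for label, catch_all in (("unsafe", UNSAFE_CATCH_ALL), ("safe", SAFE_CATCH_ALL)):
        print(label, decisions(catch_all))
```

The "unsafe" variant shows the failure mode from the Important note: a policy with no application filter matches everything, so a service binary outside the whitelisted directory is denied unless system and service applications are excluded.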