Application Control 6.1 discrepancies in documentation

Applies to

Application Control Solution

Question

The Application Control Solution 6.1 User Guide still contains documentation carried over from the 6.0 version that is no longer accurate.

What are the known corrections to these discrepancies?

Answer

Page 20:

Additional information on Reference Policies:

ACS 6.1 has a new feature that automates the process of whitelisting trusted and desired applications. This automation is accomplished through the new Reference System Whitelist and Package Contents Whitelist policies. With a reference system, an inventory scan of a targeted system finds all applications in that system's Windows, System32, and Program Files folders (and their sub-folders) and places the collected files into a list used by that policy. The policy then targets the remaining ACS systems, which use the policy's file list as a whitelist to allow execution (typically by configuring the policy with a "No Action" action and the no-continue option, so these applications execute without any intervention by the ACS agent). An application remains in this "whitelist" as long as that same application has been found on at least one of the reference systems. Package Contents Whitelist policies are similar, except that they get their file list from selected Notification Server packages. In most environments both policies can be used concurrently to help automate the "whitelist" process. As reference systems are updated with new versions or with a newly approved application, the whitelist is automatically updated with the new executables or updated versions of those executables (as new versions have an updated hash as well).

Page 22:

Stage 2 Processing

Designed to be used for "Catch All" policies, in other words the policy that is to be applicable to any application that was not applicable to the more targeted 1st Stage policies. When an application is executed, the ACS service evaluates that process against each of the ACS policies one by one, starting with the 1st Stage policies. 1st Stage policies first evaluate the application and are then re-evaluated to see if the parent process has an applicable action for its child processes. In most cases 1st Stage policies are configured to not continue evaluating policies, so once an application is applicable to a 1st Stage policy, the service ceases to evaluate any other ACS policies. Once both the new application and the parent process that owns it have been evaluated through all 1st Stage policies without being applicable to any policy with a no-continue setting, the ACS service evaluates all of the 2nd Stage policies, again starting with the application itself and then checking the application's parent process. The 2nd Stage policies are therefore applicable only to applications that make it past all of the previous filters without ever being applicable, and so are typically configured with an action that either removes admin rights or denies execution. It is also typical that these "Catch All" policies use an exclusion filter like "Local System and Service Applications" to make sure that core OS applications are not stopped due to a missed whitelist item.

Page 30:

Declassified should be Unclassified

Page 44:

Creating Policies

Step 2 should read "In the left pane, select Tasks > Security Management > Application Control > Windows > Application Control Tasks > Application Control Policies"
Step 3 should read "In the left pane, right-click Application Control Policies and select New > Blank Application Control Policy"

Page 45:

Creating Application Actions was not correctly updated from the 6.0 version.
As of Application Control 6.1, Actions have been broken down into groups of Application Action types. Only action types that can be configured allow the right-mouse option to create a new action of that type.

Examples:

  • Deny execute action (off the root of the Application Actions folder) cannot be cloned, nor can new versions be created from it, because the action is simple: when applied, the applicable applications are simply denied execution.
  • Encryption actions can have new versions created and can be cloned within this action type folder because Encryption actions need to be configured with document file types.

Page 46:

Creating and Editing Application Filters

New filters must be created under either the Dynamic Filters or Inventory Filters sub-folders. Dynamic filters are those that filter based on the properties of a running process. Inventory Filters are a collection of file resources that were inventoried using File Inventory. Running processes are filtered against a list of hashes taken from all the files within the selected inventory filter collection.
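The following is an added illustrative model, not Application Control Solution code, of three mechanisms described on this page: the reference-system inventory scan that builds a hash whitelist (page 20), the hash-based matching of running processes against an inventory filter (page 46), and the 1st Stage / 2nd Stage evaluation order with the no-continue option (page 22). The policy names, the temporary "reference system" folder, the file contents and the `SYSTEM_APPS` stand-in for the "Local System and Service Applications" exclusion filter are all constructed for the example; the real product's filters, hash algorithm and internal evaluation logic are not exposed here.

```python
"""Simplified model of ACS reference-system whitelisting and two-stage
policy evaluation. Written for this KB page as an illustration; it is not
product code and the data below is constructed."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Constructed stand-in for an exclusion filter such as
# "Local System and Service Applications" (the real filter is property based).
SYSTEM_APPS = {"svchost.exe", "services.exe", "lsass.exe"}


def sha256_bytes(data: bytes) -> str:
    """Hash file contents; new versions of a file get a new hash."""
    return hashlib.sha256(data).hexdigest()


def reference_whitelist(roots: List[str]) -> set:
    """Inventory scan of a reference system: hash every file under the
    given roots (the page names Windows, System32 and Program Files) and
    return the set of hashes the whitelist policy will carry."""
    hashes = set()
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    hashes.add(sha256_bytes(fh.read()))
    return hashes


@dataclass
class Process:
    name: str
    file_hash: str
    parent: Optional["Process"] = None


@dataclass
class Policy:
    name: str
    stage: int                                  # 1 or 2
    applies: Callable[[Process], bool]          # the policy's filter
    action: str                                 # e.g. "No Action", "Deny Execute"
    continue_evaluation: bool = False           # False == the "no continue" option
    exclusions: List[Callable[[Process], bool]] = field(default_factory=list)


def evaluate(process: Process, policies: List[Policy]) -> List[Tuple[str, str]]:
    """Return the (policy, action) pairs applied to a process, in order.
    Stage 1 policies are checked against the application and then its
    parent; only if nothing with no-continue applied are Stage 2 policies
    checked the same way. A no-continue match ends evaluation."""
    applied = []
    for stage in (1, 2):
        for target in (process, process.parent):
            if target is None:
                continue
            for policy in (p for p in policies if p.stage == stage):
                if any(excluded(target) for excluded in policy.exclusions):
                    continue
                if not policy.applies(target):
                    continue
                applied.append((policy.name, policy.action))
                if not policy.continue_evaluation:
                    return applied
    return applied


def demo() -> dict:
    """Build a constructed reference system, derive the whitelist, and
    evaluate three constructed processes against a whitelist policy and
    a 2nd Stage 'Catch All' policy."""
    with tempfile.TemporaryDirectory() as ref_root:
        for name, content in (("calc.exe", b"trusted calc"),
                              ("notepad.exe", b"trusted notepad")):
            with open(os.path.join(ref_root, name), "wb") as fh:
                fh.write(content)
        whitelist = reference_whitelist([ref_root])

    policies = [
        Policy("Reference System Whitelist", stage=1,
               applies=lambda p: p.file_hash in whitelist, action="No Action"),
        Policy("Catch All", stage=2, applies=lambda p: True, action="Deny Execute",
               exclusions=[lambda p: p.name in SYSTEM_APPS]),
    ]

    explorer = Process("explorer.exe", sha256_bytes(b"not on the reference system"))
    candidates = [
        Process("calc.exe", sha256_bytes(b"trusted calc"), parent=explorer),
        Process("unknown.exe", sha256_bytes(b"never inventoried"), parent=explorer),
        Process("svchost.exe", sha256_bytes(b"core OS service"), parent=None),
    ]
    return {proc.name: evaluate(proc, policies) for proc in candidates}


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(f"{name}: {decisions or 'allowed (no policy applied)'}")
```

The three outcomes match the page's description: the whitelisted binary is handled by the 1st Stage "No Action" policy and never reaches the catch-all, the uninventoried binary falls through to the 2nd Stage deny, and the excluded core OS process is left alone even though its hash is not on the whitelist. Note that a rebuilt `calc.exe` with different contents would produce a new hash and fall through to the catch-all until a reference system is updated and rescanned.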