Index

The ActiveX Installer action allows an application, such as Internet Explorer, to enable standard users to install approved ActiveX components. This behavior mimics the ActiveX installer service in Windows Vista, Windows 7 and Windows 8. The ActiveX Inst

Adjusting Process Security allows a process to be protected from most tampering by users. For example, adjusting process security can restrict who can stop a process from the task manager. We recommend that you adjust process security in a test environmen

You can create advanced pop-up messages that appear when users attempt to start an application that requires them to justify access to the application. Advanced messages can also be used to let users know that an application is being blocked or usage of t

After you have applied the Application Compatibility Testing Action, you can then verify the testing logs to see a list of applications that have compatibility issues. To verify Application Compatibility Testing Logs, do the following steps. In the Arelli

The Application Analysis folder includes the following built-in policies: Administrative Rights Required Detection Policy (Application Compatibility) - this policy detects applications that are deemed to require Administrative rights by Windows. Administr

Application Classification actions restrict applications from modifying certain items and will enforce standard Windows ACLs when the targeted application accesses restricted files, folders, registry keys, or services on a computer. (For details about how

When you migrate from Windows XP to Windows 7, you need to test whether the apps running on your network are compatible with the new OS, other applications, and device drivers. Arellia solutions can help you test whether applications will work with the ne

Some older programs might run poorly or not at all on a newer operating system. The Application Control Solution includes actions that can test whether applications in your environment are compatible with a new operating system, and can also apply compati

The Application Compatibility filter detects any administrative privileges that may be required. This feature only functions on 6.x OS versions: Vista, Windows 7, Windows 8, Server 2008, Server 2012. The Application Compatibility filter leverages Window

The Application Control Solution can enable you to analyze the compatibility of your applications with a new OS, other applications, and device drivers. To analyze application compatibility, do the following steps: Open the Arellia Security Manager Conso

Application Context filters apply security policies to applications in a user context. Interactive Users Filters Application Context filters are mostly applied to interactive users as a conditional filter for an application control policy. We recommend yo

Policies include actions that specify what will be done to identified applications when those applications are launched. Some policies have a default action built in. Following is a list of actions available in the Application Control Solution: Related Li

You can configure general parameters that control the behavior of the Application Control agent. To configure the Application Control agent, do the following steps: In the Arellia Security Manager Console, click the Configuration tab. In the file library

Policies include filters that identify applications to which actions are applied when those applications are launched. There are three types of filters: Dynamic Filters - These filters are used for specific purposes and users, such as interactive and non

Application Control policies determine if application actions can be run by particular end users before an application starts. Each policy contains filters and actions. Following is a list of policies available in the Application Control Solution: If you

Application Control policies determine whether certain actions will be taken, such as privilege elevation or denial, before end users can run an application. The easiest way to create Application Control policies is to use the Application Control Wizard,

Arellia provides the following data feeds for the ACS: Approval Request Reports - these reports show historical application control approval requests. Package Whitelisting - provides the ability to right-click on an Application Control policies folder a

The following diagram illustrates everything that happens within the Application Control Solution (ACS) lifecycle. ACS Overview.jpg File inventory After installing ACS, you must install the File Inventory Agent on managed computers. The File Inventory A

Application discovery is a process through which the applications installed and used on individual computers and networks are identified and collected. Application discovery is also used as a security measure to identify any unwanted or unverified applica

The Application Metering action measures application usage on endpoints. Application Metering.jpg

Application Control Solution can target applications based on where they were downloaded from (go to Download Source Filter https://www.arellia.com/wiki/display/acs8doc/Download+Source+Filter), which means that you can now allow standard users to install

In the following example we will show you how to automatically encrypt Microsoft Excel spreadsheets. In the Security Management Console, click the Policies tab. In the folder library in the left pane, navigate to Arellia > Application Control > Policies.

What's Covered Install the Data Feed Create a Resource Target Create a Reference System Whitelist Policy This document shows you how to automatically create a whitelist policy for your reference system that targets a collection of computers, searches fo

Basic User Messages pop up from the task bar and provide feedback to users that specific applications are being blocked or usage of the application is being logged. Basic messages don't require end users to do anything. Types of Basic Messages Deny Execut

What is Application Blacklisting? Application Blacklisting prevents unwanted applications from running in your environment. Arellia's Application Control Solution allows you to manage applications flexibly in a large, distributed client environment by put

A Commandline filter examines the commandline of a running application (excluding the primary executable) and applies a pattern match (for example, an exact, partial or regular expression). System Utility Arguments Filters All of the commands in the Comma

You must configure the Application Control Solution before you roll out agents, because depending on what you configure you will receive varying results.

You need to set Application Control agent configuration options to readily test configuration changes in a test environment. The agent configurations outlined in this document allow for accelerated feedback when testing Use Cases. Accelerated configuratio

Before you can apply policies, you must discover all of the resources (agents and servers) that you have to work with. Arellia optimizes the resource discovery process for both agents and servers. Arellia discovers agent file details once and then uses h

To create a new Basic Message Action, do the following steps: From the Arellia Security Manager Console, click the Policies tab. Navigate to Policies > Arellia Solutions > Application Control > Actions > Messages. Right-click Basic and click New > Display

Creating a whitelist policy for your reference system targets a collection of computers, searches for Windows executables, and then adds any Windows executables to a whitelist. You can create a reference system whitelist policy either automatically or man

For general information about Application Control Solution actions, go to Application Control Actions. To create Application Control actions, do the following steps: In the Arellia Security Manager Console, click the Policies tab. In the left pane, naviga

Although we recommend you use the Application Control Policy Wizard, you can also create new Application Control policies manually without using the Wizard. Click the links for each of the following methods for further information: Application Control Pol

Application Control policies determine whether certain actions run when an end user starts an application. For example, a policy might deny an application the ability to execute or quarantine the application when a user attempts to run it. The easiest way

To create an application filter, do the following steps: In the Security Manager Console click the Policies tab. In the file library in the left pane, navigate to Application Control > Filters. Right-click My Filters and click New and then click the type

As the name suggests, the Deny File Access action prevents applications from reading or writing (or both) to certain directories or to Microsoft Office Documents. You can choose from two actions: Deny Read/Write Access to Microsoft Office Documents - Thi

Deny Windows Hooking is an application action that limits specified applications from interacting in malicious ways with other applications. Related Links Restrict Malicious Applications Windows Hooks https://msdn.microsoft.com/en-us/library/windows/desk

Determining which policy is applied to a process is useful when diagnosing whether a policy is being applied correctly. To determine which policy is applied, do the following steps: Open the Arellia Agent Logs (for details, go to Viewing the Agent Logs h

To inventory all applications on a computer do the following steps: Navigate to Policies > Arellia Solutions > File Inventory > Policies. Right-click the Policies folder and select New > General Scheduled Client Task. EnableDefFile.jpg Click the Client

To discover all applications that require admin rights, do the following steps: In the Security Manager Console, click the Policies tab. In the file library in the left pane, click Policies > Arellia Solutions > Application Control > Policies > Applicatio

The Messages > Advanced action folder contains the following advanced feedback messages: Application Denied Message Action - This action will display a notification of denial to the user attempting to run a process controlled by a policy. Application De

Introduced in Arellia 8.0 Arellia Application Control Solution can target applications based on where they were downloaded from, targeting exact URLs or an entire domain. adobe download source.PNG Arellia recommends adding filters to ensure that a file d

Drive Type filters are used to detect applications being started from a network drive, optical drive, or removable drive. The Drive Type folder includes the following types of built-in filters: Network Drive Filter - Specifies files present on network fi

Dynamic filters are used for specific types of purposes and users, such as Interactive and Non-interactive Users, and they evaluate the context around when applications are run. Dynamic Filters are evaluted at runtime and are not tied to the particular ap

The Encrypt Application Files action forces applications to use Microsoft encryption when saving a file. Types of Encrypt Application Files Actions Encrypt Common Application Documents - This action can be used to automatically encrypt common application

An Environment Variable Filter compares an environment variable of a process to a specified value. Use the Environment Variable filter for compatibility testing and user-requested elevation. Most users will use only the two built-in Environment Variable f

The Environment Variable action sets an environment variable of a process which could change the behavior of an application, or be caught by an Environment Variable filter in another policy. After you create a new Environment Variable action you can confi

Event Summary and Acknowledgement enables you to do the following tasks: Review recent Application Control events Acknowledge Application Control events Assign them to a policy Acknowledge an Event To acknowledge an event, do the following steps: From the

You can use Executable filters to apply security policies to commonly used applications, such as instant messaging applications, browsers, mail clients, media players and Microsoft Office Suite applications. Executable Filters are powerful because they ar

You can use executable headers to apply executable filters by type based on executable header attributes. The Executable Headers folder contains the following built-in filters: 32-bit Executables All Executable types Commandline Executables Dll Exec

The Execute Application action executes another application and (optionally) waits on that process completion before the original process can execute. ExecuteApp-NewAction.jpg

These filters are collections of files from file inventory and software delivery package scans.

The File Discovery filters are a collection of four filters that identify executables discovered by File Inventory on your managed computers for a specified amount of time. These collections cannot be edited. last_two_weeks.jpg

The File Existence filter will check for the existence of a file at a defined path on the managed computer.

File filters target the actual executable that is being run, with numerous sub-types targeting different aspects of executables. Types of File Filters Application Compatibility Filters - These filters are used to detect administrative privileges that may

This document shows you how to view reports of the Win32 Executable files in your environment, and on a specific computer. View the Win32 Executable files in your environment To view the Win32 Executable files in your environment, do the following steps:

You can use File Owner filters to specify if an application will be launched based on the File Owner listed on NTFS file systems. You can select multiple Security Principals when you create a new File Owner filter, as shown in the following screenshot. F

File scanning policies scan managed computers for application file types (for example, iTunes files within Windows directories) and reports back to the Notification Server. To create a file scanning policy: Once you are in Arellia select the Policies tab

The File Specifications filter identifies a particular file by file name and path based on the location of that file, and can be used to target a broad range of applications based upon the attributes defined. You can add other filters to this filter to ta

The File Type filter, ISO File Type filter, defines file extensions or MIME types to target.

Application Control Solution 8.0 Product Documentation This is the product documentation for the current release of Application Control Solution. To find your way around, please use the left panel to browse the document tree, go to the Table of Contents h

{index}{index}

To correctly set up Application Control Solution (ACS), be sure to execute the following processes in order: Install ACS https://www.arellia.com/wiki/display/AMS/Install+Arellia+Products Configure ACS https://www.arellia.com/wiki/display/acs8doc/Configu

The Internet Zone filter detects if files were downloaded from the Internet or from what particular zone on the Internet (such as a trusted web site, intranet, or Internet).

Application-level security attacks, such as file system corruption, registry corruption, spyware, and keylogging pose a serious threat to mission critical business operations. Arellia Application Control Solution™ (ACS) software helps you manage this risk

Inventory Filters are evaluted at runtime and are used to apply Application Control policies for already discovered applications. Types of Inventory Filters File Parameter Collections - These filters use the inventory to create file scan results, package

Manifest Filters test whether the application vendor has included a security manifest with the application, and whether any specific rights required are specified. Requested Execution Level choices include: None Specified - No security claims are present.

Manual Security Ratings are generally not used, but are included for backward compatibility with Application Control Solution v6.1. Typically combinations of Reference System whitelists, Package Contents whitelists and trust based Dynamic Filters are used

What's Covered Create a Resource Target Create a File Scan Policy Create a File Parameter Selection Create a Whitelist Policy This document shows you how to create a whitelist policy for your reference system that targets a collection of computers, sear

This feature was introduced in Arellia 8.0 SP1 and requires the 8.0 SP1 Arellia Application Control Agent to be installed on the clients. Arellia Advanced User Messages can be customized to show localized text. Locale Example The default text for the req

Messages are the most common application action. There are two kinds of messages: Basic and Advanced. Basic messages appear as smaller pop-ups directly form the Taskbar area. Advanced messages are the type that pop up in the middle of the screen, requirin

You can use the My Actions folder to store the actions you create. For example, if you right-click the Environment Variable folder to create a new Environment Variable. . . right_click_EV_folder.jpg . . .then you can drag the action to the My Actions fold

You can use the My Filters folder to store the filters you create. For example, if you right-click the File Types folder to create a new File Specification Filter. . . choose_filters.jpg . . .then you can drag the filter to the My Filters folder. drag_new

The Network Location filter identifies what network a computer is attached to. The Network Location Filter works with Windows Network Location Awareness to filter based on current network connectivity. The Standard Network Location folder includes the fol

What is Application Orangelisting? Application orangelisting allows potentially trusted applications to run securely in your environment. Orangelisting is a dynamic method of managing applications that might not be included on a whitelist or blacklist. Ar

Policies are sets of criteria or operations that are applied to resources; policies typically reside in the Policies Tab of the Security Manager Console. (For more information about policies, go to Policies.) Application Control policies determine if app

Policy Priority Management Policy Priority Management allows for easy visualization and adjustment of ordering of Application Control policies. It is located in Application Control > Policy Priority Management ppm1.PNG The Policy Priority Management tool

To prevent read and write access, do the following steps: On the managed computer, create a Microsoft Word document and save it to c:\company invoices\invoice 101.doc. In the Security Manager Console, click the Policies tab. In the file library in the lef

Previous Arellia Application Control documentation can be found here: Application Control Solution 7.5 Application Control Solution 7.1 Application Control Solution 7.0 Application Control Solution 6.x

When a user logged in as a standard user tries to install a program, typically a User Account Control (UAC) prompt will appear requiring administrator-level permission to install. Application Control Solution eliminates need for UAC prompts or admin crede

The Privilege Management folder includes the following built-in policies: Limit Internet Browser and Mail Clients Process Rights - This policy implements the fundamental security principle of least privilege by restricting the process rights for standard

Privilege reduction is the opposite of Privilege Elevation: you lock down specific applications so that they don't allow administrator rights or access to certain browser functions.

Process hardening means enhancing your system's security by locking down Arellia and disabling unnecessary services. Remove Advanced Privileges for Interactive Users is a demonstration policy that shows how you can remove privileges from Administrators an

The Process Rights action folder contains the actions to remove or add administrator rights. You can remove administrator rights for applications such as web browsers to increase their locked down state for both administrators and standard users. The ava

Application Control Solution can deny certain processes access to internet-protected resources such as files, folders, domain resources, and spawning additional applications. Introduced in Arellia 8.0 First decide what application(s) you'd like to classi

The Quarantine action isolates infected files in a protected directory so they can no longer infect the hosting system. You can define a quarantine path in the Security Manager Console under either the Policies tab or the Configuration tab. To define a qu

Arellia provides numerous out of the box reports to help customers quickly understand the state of their environment. Event Summary The event summary view is the easiest to quickly determine what actions/policies are being applied and what applications ar

Arellia Application Control Solution can enable end users to request elevation and then have that request approved or denied by the help desk. Arellia can approve or deny requests via the Arellia Management Server (AMS), or forward requests to a third-par

This scenario describes the process involved in restricting an application's process rights, and guides you through the necessary steps using the default Limit Internet Explorer and Outlook process rights policy. Internet Explorer inherits administrative

Arellia can prevent key loggers and other malicious applications from hooking into windows. To restrict malicious applications, do the following steps: Right-click on a policies folder and select New > Prevent Windows Hooking image2015-4-22 16:35:6.png

After you have installed the Application Control agent, the Application Control Solution performs an application inventory. You might want to view a summary of all of the Win32 executable files that were discovered to plan your Application Control strate

This document shows you how to capture application data in a Symantec Workspace Virtualization layer. In the following example, the end user has installed Symantec Workspace Virtualization and Microsoft Word. To run an application in a Workspace Virtuali

A Secondary File filter addresses situations where the intended target is not the primary executable file, such as RunDll.exe, but is rather a secondary file specified within the command line. This document gives you a working example of how to use Secon

You can use these filters to target executables found in security catalogs. The built-in filter targets the Signed Security Catalog (C:\Windows\System32\catroot\) and is typically used to automatically whitelist applications from Microsoft.

User self-elevation occurs when mobile, remote, or power users need to run software that is usually run by only users with administrator-level permission. Risks can occur when users are allowed to self-elevate, so you should weigh carefully the decision w

Using the default self-elevation users can give justification and launch applications with administrator rights (for details, go to Self-Elevation). The following steps allow users to request elevation, but not to add administrator rights to the applicati

Applications that run from a shared location can be automatically elevated. To do this, do the following steps: In the Arellia Security Manager, click the Home tab. Under Actions, click the Create Application Control Policy button. In the Application Cont

How Signed Application Filters Can Be Used These filters can be used in several of the following ways: A target for ACS policies A parameter to prevent spoofing Signed Application filters identify applications based on their digital certificates. They can

Problem: In Windows Vista and Windows 7, standard users are unable to install ActiveX plug-ins. For Windows XP users, Arellia offers the following solution: Controlling ActiveX objects. Solution: The following steps will enable ActiveX to be run and insta

Home

You can create a filter to allow certain applications to run during only certain hours. For example, you can allow iTunes to run only outside business hours by excluding normal business hours (9am to 5pm) on an Application Control Policy that targets iTun

To track all policies enforced by the Application Control Solution, run the Application Actions by Computers report. Any Arellia Application Control Policy can send feedback about an event back to the server. To configure a policy to send feedback, check

Determine if the Policy is Applied https://www.arellia.com/wiki/display/acs8doc/Determine+if+the+Policy+is+Applied?src=contextnavpagetreemode Standard Windows 7 Users Unable to Install ActiveX https://www.arellia.com/wiki/display/acs8doc/Standard+Window

When users attempt to start restricted applications they will receive a User Account Control (UAC) prompt for credentials. You can use Application Control Solution to create custom messages requiring users to provide a reason why they need administrator r

User Context filters identify applications based on the group memberships of the users. These filters use the following parameters: Well-known users Built-in accounts Well-known groups Domain users A single user or group, or numerous combinations of

Organizational Unit filters can be used in Arellia Application Control policies the same way User Context filters are used (for details about User Context filters, go to User Context Filters). The filter uses the following parameters: The organizational u

Arellia can connect and scan software delivery packages for applications to whitelist using the Arellia Application Control Solution. You can scan software delivery packages on one of the following systems: LANDesk Management Server Microsoft SCCM Symant

Application whitelisting is a computer administration practice used to define what applications are trusted and allowed to run. This technique is often used hand-in-hand with application orangelisting and blacklisting which targets the unknown, unwanted,

The Whitelisting folder includes the following built-in policies: Allow Manual Security Rated Whitelist Execution - This policy allows applications in the All Whitelist Security Rated Applications filter to run. Allow Microsoft Installer Policy - This pol

Application whitelisting is a computer administration practice used to define what applications are trusted and allowed to run. This technique is often used hand-in-hand with application orangelisting and blacklisting which targets the unknown, unwanted,

By default Arellia events only send the file hash of the file and not the file name, path, internal file details, or signature. The additional information is collected by Arellia's resource discovery and file inventory processes. To collect and show the

The WMI filter contains a WMI Query that executes when the policy is evaluated. The query results can then be cached for a period of time. WMI.jpg

You can apply this action to applications to dynamically run in a Symantec Workspace Virtualization layer. Included in the Workspace Virtualization Layers folder are the following actions: Workspace Virtualization Global Layer - This action places specifi