Application Actions

The Application Actions folder contains all the operations that can be processed before a certain application can be run on a managed computer. Each action can be referenced by an Application Control policy and determines the environment in which the application will run or be restricted.

Note
We recommend using the Application Control Wizard to create policies and to associate actions, filters, and target computers.

To access the Application Actions:

In the Symantec Management Console, on the Home menu, click Arellia > Application Control
In the left pane, select Policies > Application Control > Application Actions

The default application actions are described in detail in the following table:

Action	Description
Active X Installer	The ActiveX installer action allows an application (Example: Internet Explorer) to automatically install ActiveX components at an elevated privilege level. ActiveX Components are reported by the File Inventory "Com Component Inventory" policy, which reports on downloaded ActiveX components.
Application Metering	The Application Metering action meters the usage of applications. It reports the usage according to application control agent "Send Events" configuration option. There are no configurable options for this action.
Deny File Access
Deny Read/ Write Access To Microsoft Office Documents	Deny read or write access to Microsoft* Office documents by selecting the appropriate check box. Filter the application by: File Path File Extensions Mime Types
Deny Write Access to Executable Files	Deny write access to common executable files. Filter the application by: File Path File Extensions Mime Types
Encrypt Application Files
Encrypt Common Application Documents	Encrypt an application's documents. Filter the application by: File Path File Extensions Mime Types
Encrypt Microsoft Office Documents	Encrypt Microsoft Office documents. Filter the application by: File Path File Extensions Mime Types
Messages
Deny Execute Message	Configure this message to appear when a user attempts to run a certain application. You can configure: Action name and description Title Body - Substitute the bracketed numbers for process, path, and process ID values if required. Icon type - Select Information, Warning, Error, Altiris, or Program. Display timeout - Enter the number of seconds you want the message displayed.
Deny Files Read and Write Access Message	Configure this message to appear when a user has read or write restrictions on a certain application. This message is configured the same as Deny Execute Message, above.
Limit Process Rights for New Applications Message	Configure this message to appear to the user informing them that an application has had its rights reduced. This message is configured the same as Deny Execute Message, above.
Quarantine Message	Configure this message to appear when you have quarantined an application. This message is configured the same as Default Deny Execute Message, above.
Remove Rights Message	Configure this message to appear when you have restricted a user's rights on an application. This message is configured the same as Default Deny Execute Message, above.
SVS Global Layer User Message	Configure this message to appear when a user opens an application placed into the global virtualization layer. This message is configured the same as Default Deny Execute Message, above.
SVS Isolation Layer User Message	Configure this message to appear when a user opens an application placed into the isolation virtualization layer. This message is configured the same as Default Deny Execute Message, above.
Windows Hooking Message	Configure this message to appear when you prevent an application from starting, as the software may attempt to perform a restricted operation. This message is configured the same as Deny Execute Message, above.
New Display User Message Action	Configure a new message to appear when a certain action is performed. This message is configured the same as Default Deny Execute Message, above. To create this, right-click Messages and select New > Display User Message
Process Rights
Add Administrative Rights	This action elevates the permissions and privileges held by a process security token. By default, each process a user launches inherits the user's security token. You can configure: Action name and description. Action Type - Elevate or Restrict rights. Elevate is enabled by default. Windows Privileges - Select Windows Privileges for this action. Built-in accounts - Select Built-in Accounts for this action. You can also select User or Domain Groups.Windows Vista Options Use user's unrestricted token - Use Windows Vista user's unrestricted token when elevating rights. Disallow changes to the process rights after applying changes - Prevent any changes to Windows Vista user's process rights after the action has been applied.
Remove Administrative Rights	This action is the same as Default Add Administrative Rights except Restrict is enabled by default.
Quarantine
File Quarantine	Create a quarantine path for applications. You can: Enter an action name and description. Choose to use the Application Control Agent Policy quarantine path. Enter your own quarantine path.To create a new File Quarantine, right-click on File Quarantine and select Clone.
SVS Layers
Application Control SVS Global Layer	Create an SVS Global layer that certain applications must run under. You can: Enter an action name and description. Enter a Layer Name. Select a Layer Type - Isolation or Application.
Application Control SVS Isolation Layer	Create an SVS Isolation layer that certain applications must run under. You can: Enter an action name and description. Enter a Layer Name. Select a Layer Type - Isolation or Application.To create a new SVS layer, right-click on SVS Layers and select New > Apply SVS Layer
Deny Execute	Prevent a managed computer from executing an application. Enter an action name and description in the appropriate fields.
Deny Windows Hooking	Prevent applications from hooking into Windows functions. Enter an action name and description in the appropriate fields.