View your application control rulesets

This is new in Deep Security 10.

Initially, when a Deep Security Agent scans the computer's file system for installed software, the application control ruleset contains only this software inventory. (If you created a shared ruleset via API, you can review this inventory on Deep Security Manager.) Later, via Deep Security Manager, you might add:

  • block rules to deny specific new software
  • allow rules for new or updated software

so the ruleset will then contain more than the initial inventory.

To view the list of application control rulesets, go to Policies > Rules > Application Control Rulesets.


To view the application control ruleset, or to edit the individual allow and block rules in a ruleset, double-click the ruleset.

"Local" rulesets store the inventory part of the ruleset locally on each computer. This includes inventory additions during maintenance mode. Because agents don't transmit the inventory to the remote Deep Security Manager, local rulesets perform better than "shared" rulesets, which transmit the whole ruleset. However, since Deep Security Manager doesn't receive local inventory data, it can't display a complete local ruleset, only the allow and block rules that you have added from the manager.

As you allow or block more software, more rules will be added to the application control ruleset.

Keep some older rules if you might downgrade the software, or if the shared ruleset is applied to a server farm where some computers haven't finished upgrading yet (and therefore some computers still need the older rules).

When the rules are not needed anymore, however, you can delete them to reduce the size of the ruleset. This improves performance by reducing RAM and CPU usage, and (for shared rulesets) reduces download time required when deploying a new computer. See Delete an individual application control rule.

Delete an application control ruleset

If an application control ruleset is not being used anymore, you can delete it.

Deleting an application control ruleset reclaims disk space. This can be especially useful to reduce system resource usage on Deep Security Relays that may be distributing multiple large shared rulesets.

To delete a ruleset, go to Policies > Rules > Application Control Rulesets, then click a ruleset to select it, and click Delete.

Delete an individual application control rule

If you want to undo a rule that you created, go to Policies > Rules > Application Control Rulesets, double-click the ruleset that has the rule you want to delete, then click Delete.

If you want to de-authorize software, you will also delete the allow or block rule for the software. If you have selected Block unrecognized software until it is explicitly allowed for enforcement of unrecognized software, then you can delete all rules except the allow rules for your current software inventory. This will block all older, unpatched software versions that might have security vulnerabilities.

Because application control might need to evaluate all rules in the ruleset every time that a process tries to launch unrecognized software, you can reduce RAM and CPU usage and improve performance by keeping fewer rules.

If a software update is unstable, and you might need to downgrade, keep rules that allow rollback to the previous software version until you have completed testing.

To find the oldest rules, go to Policies > Rules > Application Control Rulesets, then click Columns. Select Date/Time (Last Change), click OK, and then click that column's header to sort by date.
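As an added illustration (not part of this documentation or of Trend Micro's own code), the following Python models the pruning decisions described above on constructed sample rules: keep the allow rules for the current inventory, keep rules needed for a pending rollback, and list everything else oldest first. The rule fields and the placeholder hash strings are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Rule:
    """One allow/block rule as shown in a ruleset (fields are an assumption)."""
    action: str            # "allow" or "block"
    path: str              # file the rule applies to
    sha256: str            # file hash; constructed placeholder strings below
    last_change: datetime  # the "Date/Time (Last Change)" column


def prune_candidates(rules, current_inventory, rollback_pending=frozenset()):
    """Split rules into (deletable oldest-first, keep), following the page:

    * keep allow rules for hashes still in the current inventory;
    * keep every rule for software listed in rollback_pending, so a downgrade
      of an update that is still under test stays allowed;
    * with enforcement set to "Block unrecognized software until it is
      explicitly allowed", all other rules are redundant and can be deleted.
    """
    keep, drop = [], []
    for rule in rules:
        if rule.action == "allow" and rule.sha256 in current_inventory:
            keep.append(rule)
        elif rule.path in rollback_pending:
            keep.append(rule)
        else:
            drop.append(rule)
    drop.sort(key=lambda r: r.last_change)  # oldest rules first, as in the UI sort
    return drop, keep


# Constructed sample data, not an export from a real Deep Security Manager.
INVENTORY = frozenset({"h-nginx-1.14", "h-openssl-1.1.1"})
RULES = [
    Rule("allow", "/usr/sbin/nginx", "h-nginx-1.12", datetime(2017, 3, 1)),
    Rule("allow", "/usr/sbin/nginx", "h-nginx-1.14", datetime(2018, 6, 5)),
    Rule("block", "/opt/legacy-tool/run", "h-legacy", datetime(2017, 9, 9)),
    Rule("allow", "/usr/lib/libssl.so", "h-openssl-1.0.2", datetime(2016, 1, 20)),
    Rule("allow", "/usr/lib/libssl.so", "h-openssl-1.1.1", datetime(2018, 9, 1)),
]

if __name__ == "__main__":
    # nginx 1.14 is still under test, so the rule allowing 1.12 is kept for rollback.
    drop, keep = prune_candidates(RULES, INVENTORY, rollback_pending={"/usr/sbin/nginx"})
    for rule in drop:
        print(f"delete {rule.action:5} {rule.path} ({rule.last_change:%Y-%m-%d})")
    print(f"keeping {len(keep)} rule(s)")
```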

If you delete a rule, application control will not recognize the software anymore. So if the software is installed again, it will appear again on the Actions tab.