Enable application control

To use application control, perform these basic steps:

  1. Turn on application control
  2. Verify application control is enabled
  3. Automatically enable application control on new computers

For an overview of the application control module, see Lock down software with application control.

Turn on application control

To roll out application control gradually, enable application control on one or a few computers at a time.

Before you start, verify that unwanted software is not currently installed. Enabling application control will add all currently installed software to the allow rules — even if it is insecure, or malware. If you are not sure what is installed, the safest approach is to make a clean install and then enable application control.
If a computer's software normally changes frequently (even without a maintenance window) — such as with development build servers — then don't use application control. (Alternatively, enable app control, but use the API in your DevOps build pipeline to enable maintenance mode during builds.) For details, see Reset application control after too much software change.

    Install Deep Security Agent 10.0 or later. Application control does not support agentless topologies.
  2. Remove software that you want to block, and install normal software if it's missing.
    For better performance with application control, use Deep Security anti-malware instead of Windows Defender. See Disable Windows Defender after installing Deep Security anti-malware on Windows Server 2016.
  3. Activate the agent. You might also need to activate the application control license.
  4. In Deep Security Manager, go to Computer or Policies editorClosedYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details)..
  5. Click Application Control > General.
  6. For Application Control State, select On or Inherited (On).
    If you want exactly the same ruleset to apply to many identical computers (even in the future), use shared rules created via API.
  7. If you want to automatically block all new or changed software until you make an allow or block rule, select Block unrecognized software until it is explicitly allowed.

    Some software, such as web hosting software, Microsoft Exchange, and Oracle PeopleSoft, can change its own files. In those cases, instead of a complete lockdown, select Allow unrecognized software until it is explicitly blocked so that the software's self-change isn't automatically blocked. Then manually add block rules for unwanted software if it is detected.
  8. If you created a ruleset that multiple computers will use via API, select the shared ruleset.
  9. Click Save.

    The next time that Deep Security Manager and the agent connect, it will enable the application control engine on the computer and either make local, initial allow rules based on currently installed software, or download a shared ruleset. Time required varies by:

    Application control begins tracking software changes immediately, but will not allow or block software until it has either a shared ruleset or initial local rules built from the inventory.
    In Deep Security Agent 10.0 GA and earlier, agents didn't have support for connections through a proxy to relays. If the ruleset download fails due to a proxy, and if either your agents require a proxy to access the relay or manager (including Deep Security as a Service), then you must either:

Verify application control is enabled

When application control is enabled and has finished its initial software inventory scan:

To verify that application control is working:

  1. Copy an executable to the computer or add execute permissions to a plain text file. Try to run the executable.
  2. Depending on your enforcement setting for unrecognized software, it should be either blocked or allowed. Once app control has built initial allow rules or downloaded a shared ruleset, if any change is detected, it should appear in the Actions tab, which you can use to create allow and block rules. Depending on your alert configuration, you will also see an alert if unrecognized software is detected, or if application control blocks software from launching. The event should persist until the software change no longer exists, or until the oldest data has been pruned from the database.

  3. Add an allow or block rule for your test software and then try again. This time, app control should apply your allow or block rule.
  4. If software is accidentally blocked because you've selected Block unrecognized software until it is explicitly allowed and the software isn't being recognized, the Reason column in app control event logs can help you to troubleshoot the cause.
  5. If you plan to add more computers in the future, continue with Automatically enable application control on new computers. If they will be identical, see Reuse shared allow and block rules on other computers.
  6. When you patch a computer, update a golden image, or push to production, remember to enable Maintenance Mode to add new or changed software to your ruleset — even if the computer uses a shared ruleset. (If you don't, a shared ruleset may allow the patch, but changes will still appear on Software Changes.) For details, see Allow software updates.

Automatically enable application control on new computers

  1. If you don’t yet have a policy that applies application control to multiple computers, follow the steps in Turn on application control, but configure it in the Policy editorClosedTo open the Policy editor, go to the Policies page and double-click the policy that you want to edit (or select the policy and click Details)., not Computer.
  2. In the Deep Security Manager, go to Administration > Event-Based Tasks.
  3. Either:

    • Select the row for an existing event-based task that triggers when new computers are detected and then click Properties
    • Click New to create a new task that triggers for either Agent-Initiated Activation or Computer Created.

  4. Click Assign Policy and select a policy where application control is enabled.

    The next time that Deep Security Manager and the agent connect, the agent will download the policy with its application control settings. If using a shared ruleset, the computer must also download the shared ruleset. Time required varies by:

    When applying the same policy to multiple computers, it will apply the same application control enforcement settings, but not the same ruleset unless you have selected a shared ruleset. This means that although the policy enables application control on many computers, by default, they will each generate their own local ruleset. Therefore you could accidentally allow an application on one computer, but block it on another computer. If you want software to be blocked or allowed in the same way on all computers, create and apply a shared ruleset.