This is new in Deep Security 10.
Initially, when a Deep Security Agent scans the computer's file system for installed software, the application control ruleset only contains this software inventory. (If you created a shared ruleset via API, you can review this inventory on Deep Security Manager.) Later, via Deep Security Manager, you might add:
- block rules to deny specific new software
- allow rules for new / updated software
so the ruleset will then contain more than the initial inventory.
To view the list of application control rulesets, go to Policies > Rules > Application Control Rulesets.
To view the application control ruleset, or to edit the individual allow / block rules in a ruleset, double-click the ruleset.
As you allow or block more software, more rules will be added to the application control ruleset.
Keep some older rules if you might downgrade the software, or if the shared ruleset is applied to a server farm where some computers haven't finished upgrading yet (and therefore some computers still need the older rules).
When the rules are not needed anymore, however, you can delete them to reduce the size of the ruleset. This improves performance by reducing RAM and CPU usage, and (for shared rulesets) reduces the download time required when deploying a new computer. See Delete an individual application control rule.
Delete an application control ruleset
If an application control ruleset is not being used anymore, you can delete it.
To delete a ruleset, go to Policies > Rules > Application Control Rulesets, then click a ruleset to select it, and click Delete.
If you want to undo a rule that you created, go to Policies > Rules > Application Control Rulesets, double-click the ruleset that has the rule you want to delete, then click Delete.
If you want to de-authorize software, you will also delete the allow / block rule for the software. If you have selected "Block unrecognized software until it is explicitly allowed" for enforcement of unrecognized software, then you can delete all rules except the allow rules for your current software inventory. This will block all older, unpatched software versions that might have security vulnerabilities.
Because application control might need to evaluate all rules in the ruleset every time that a process tries to launch unrecognized software, you can reduce RAM and CPU usage and improve performance by keeping fewer rules.
If a software update is unstable, and you might need to downgrade, keep rules that allow rollback to the previous software version until you have completed testing.
To find the oldest rules, go to Policies > Rules > Application Control Rulesets, then click Columns. Select Date / Time (Last Change), click OK, and then click that column's header to sort by date.
If you delete a rule, application control will not recognize the software anymore. So if the software is installed again, it will appear again on the Actions tab.