Undo blocking and allowing software

Rebuilding the rules based on currently installed software will delete all existing rules—even the ones that you don't want to undo. So instead, usually you should either:

 

Depending on whether a ruleset is local (applies to one computer) or shared (applies to many computers), when you change a rule, it might affect many computers. However, each rule is a specific combination: hash, file name, path, and file size. So if a file has many different file names and hashes, then you may need to edit the action in many rules.

If you need to undo a complex change like this, or if you need to undo changes made by a specific person, it may be faster use the decision log (see Undo many new rules and rule changes in application control) instead of editing individual rules.

Change the action of one application control rule

If you want to allow a software that you previously blocked (or the opposite), you can edit the action in the rule. If the software has the same file name and file size regardless of where it is installed, then you can easily edit the actions for similar rules.

If you need to undo the rule so that the software is not recognized by application control (in other words, delete the rule, not only change its action), see Delete an individual application control rule instead.

  1. Go to Policies > Common Objects > Rules > Application Control Rulesets.
  2. Double-click to select the ruleset that contains the rule that you want to change.

    If you don't know where the rule is, but you remember when or how you changed it before, you can use the decision log to find the related ruleset.
  3. On the pop-up window that appears, go to the Rules tab.
  4. If you want to focus on software that was blocked (or allowed), then in the dropdown menu near the top of the page, select By Action or By Path to group similar rules. Alternatively, you can use the search to filter the list.

    If you want to change the action for a software file, but it has multiple different file names or paths, select By File Name or By Path to group related rules.

    application control rules actions

  5. Find the row for the specific software that you want to allow or block.
  6. In the Action column, change the setting to allow or block, then click OK.

    The next time that the agent connects with Deep Security Manager, the rule will be updated, and the version number will increase. Time required varies by:

Undo many new rules and rule changes in application control

Allowing or blocking software can result in a complex transaction that creates many new rules, possibly on many computers, each with different rulesets.

When you allow or block software from the Actions tab, and you haven't done anything else yet, feedback such as "Blocked 24 files" appears at the bottom of the page. If you haven't done anything else yet, you can undo that action by clicking Undo.

undo application control

If you've performed other actions since then, the Undo button disappears or changes to reflect your newest allow or block rule change. You could still undo previous changes by using the ruleset editor to delete individual rules or changing their actions. But if you need to:

  • undo many rules and ruleset changes
  • undo multiple actions
  • undo another administrator's changes
  • know more (such as who made the changes, or when)
you can save time and get more information by using the decision log.

  1. Go to Events & Reports > Events > Application Control Events > Decision Logs.
  2. If you want to focus only on software that was accidentally blocked (or allowed), then in the dropdown menu near the top of the page, select By Operation to group rules with identical actions. Alternatively, you can use the search to filter the list.

    You can also search for rules changed by a specific administrator account, or during a specific time period.

  3. Find the row for the changes that you want to undo.

    If the File Name column contains Multiple, to see which files the change affected, click the Preview icon.

    application control undo

    If the operation was Allow All or Block All, many paths and computers might be affected.
    If the Status is Lapsed, the configuration was later changed. Because the earlier decision is not being applied now, you don't need to undo the lapsed decision.
  4. Click Undo.

    You can't undo an undo transaction in the decision log. If you change your mind later, instead recreate the change in the Actions tab or ruleset editor.

    The Status column will change to Undone, and if you click the Preview icon, it will display a message indicating that "The changes for this decision have already been reverted." The next time that the agent connects with Deep Security Manager, the rule will be updated, and the ruleset version will increase. Time required varies by:

    Depending on what type of change was undone:

    • creating a rule (Decision Origin column contains "Action Page")
    • changing its action (Decision Origin column contains "Security Event" or "Ruleset Editor")

    a matching rule might no longer exist for the software. If so, it will reappear on the Actions tab.