Set up application control

For information about how application control works, see Lock down software with application control.

To enable application control and monitor software changes:

  1. Turn on application control
  2. Monitor new and changed software
  3. Turn on maintenance mode when making planned changes

This article also provides Application control tips and considerations that you should be aware of when working with application control.

Once you've enabled application control, you can also learn how to:

Turn on application control

You can enable application control in the settings for a computer or in policies:

  1. Open the Computer or Policy editor and go to Application Control > General. You can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Policies page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details).
  2. Set the Application Control State to "On" or "Inherited (On)".
  3. Under Enforcement, select your targeted protection state:
    • Block unrecognized software until it is explicitly allowed
    • Allow unrecognized software until it is explicitly blocked (we recommend that you choose this option when initially setting up application control)
  4. Click Save.

Screenshot of policy editor with application control enabled

The next time that the Deep Security Manager and agent connect, the agent scans and then generates an inventory of all software installed on the computer and creates rules that allow (whitelist) all the software that it finds. This initial inventory can take 15 minutes or longer, depending on your environment.

To check that application control is working as expected, follow the instructions in Verify that application control is enabled.

Monitor new and changed software

After the inventory has finished on a protected computer, any software executable files that are added or changed are classified as a "software change" and appear on the Actions page in Deep Security Manager. When unrecognized software runs, or attempts to run and is blocked, the event is listed under Events & Reports > Events > Application Control Events > Security Events.

After you initially enable application control, you will likely see a lot of software changes on the Actions page. This can happen when allowed software creates new executables, renames files, or relocates files through the normal course of operation. As you add rules to tune application control, you should see fewer software changes.

To quickly find all software changes on all computers and easily create allow or block rules for them, use the Actions tab.

  1. In Deep Security Manager, go to Actions.
  2. There are several ways you can filter to see only specific occurrences of unrecognized software.

    Instead of evaluating each software change on each computer individually, use the filters described below to find software changes that you know are good, and allow them in bulk.

    The Actions tab allows you to view drift away from your approved software inventory, and to whitelist or blacklist unapproved software. To filter the list, choose a time period, click blue links, or type search filters.

    To reduce the number of software changes being displayed:

    • From the drop-down list next to Application Control: Software Changes, select a time range such as Last 7 Days. You can also click a bar in the graph near the top of the page to display the changes for that time period.
    • In the pane on the left, click Computers and select an individual computer or group, or click Smart Folders to display only the computers that are included in a particular smart folder (see Group computers dynamically with smart folders).
      Unlike the Computers tab, the Software Changes pane usually does not show all computers. It only displays computers where application control has detected software changes that don't already have allow or block rules.
    • Enter search terms and operators in the search filter field. You can search for these attributes: Change By Process, Change By User, File Name, Host Name, Install Path, MD5, SHA1, and SHA256. For example, you could find all changes made by a particular user that you trust and click Allow All to allow all of their changes. Or if a particular software update was installed across your organization (while maintenance mode was not enabled), filter the page according to the hash value of the file and click Allow All to allow all occurrences.

      Details about a software change are displayed in the right pane. You can click the file name or computer name in the details to add it to your search filter.

    • Select whether to Group by File (Hash) or Group by Computer.
  3. Click either Allow or Block to add an allow or block rule on that computer, for that software. If you need more information to decide whether to allow or block, click the software name, then use the details panel on the right side.
    When you allow or block software from the Actions page, feedback such as "Blocked 24 files" appears at the bottom of the page. If you haven't done anything else yet, you can undo that action by clicking Undo. If you've performed other actions since then, the Undo button disappears or changes to reflect your newest allow or block rule change. If you need to edit the rules later, see View and change application control rulesets.

    The next time that the agent connects with the Deep Security Manager, it receives the new rules.

Tips for handling changes

  • For most environments, we suggest that you select the Allow unrecognized software until it is explicitly blocked option to allow software changes by default when you first enable application control and add allow and block rules for changes that you see on the Actions page. Eventually, the rate of software changes should decrease. At that point, you could consider blocking software changes by default and creating allow rules for the software that you know is good. Some organizations prefer to continue to allow changes by default and monitor the Actions page for software that should be blocked.
  • You may prefer to start by evaluating security events, rather than dealing with unrecognized software first. Security events show you which unrecognized software has run (or attempted to run). For information on security events, see Monitor application control events.
  • When an unrecognized file is allowed to execute and you want to continue to allow it, create an Allow rule. In addition to allowing the file's execution, the event is no longer logged for that file, which reduces noise and makes important events easier to find.
  • When a known file's execution is blocked, consider cleaning that file from the computer, especially for repeated occurrences.
  • Keep in mind that software changes are listed for each computer where they occur. You must allow or block the software for each computer.
  • Rules are assigned to computers, not to policies. For example, if helloworld.py is detected on three computers, when you click Allow All or Block All, this would affect only three computers. It won't affect future detections on other computers, because they have their own rulesets.
  • If you see changes related to software updates that you can control, use the maintenance mode feature when performing those updates. See Turn on maintenance mode when making planned changes.

Turn on maintenance mode when making planned changes

When you install patches, upgrade software, or deploy web applications, application control will detect them. Depending on your setting for how to handle unrecognized software, this could block that software until you use the Actions tab to create allow rules.

To avoid extra down time and alerts during deployment and maintenance windows, you can put application control into a mode designed for maintenance windows. While maintenance mode is enabled, application control will continue to block blacklisted software, but it will allow new or updated software to run and automatically add it to the computer's inventory whitelist.

If you selected Block unrecognized software until it is explicitly allowed, you must enable maintenance mode before you update the computer's operating system. This includes when you perform an "update and restart" action on a computer running Microsoft Windows. Failure to do this could break the computer: application control would block execution of updated files in the OS until you create the allow rules. Depending on which OS file was updated, you might need to use an OS recovery mode or external tool to recover from this misconfiguration.

  1. In Deep Security Manager, go to Computers.
  2. Select one or more computers, then click Actions > Turn On Maintenance Mode.
  3. Select the duration of your maintenance window.

    Maintenance mode will automatically disable itself when your maintenance window is scheduled to end. Alternatively, if you'd prefer to manually disable maintenance mode when updates are finished, select Indefinite.

    On the Dashboard, the Application Control Maintenance Mode Status widget indicates whether the command succeeded.

  4. Install or upgrade software.
  5. If you chose to disable maintenance mode manually, remember to disable it when updates are finished so that application control starts detecting software changes again.

Application control tips and considerations

  • For better performance with application control, use Deep Security anti-malware instead of Windows Defender. See Disable Windows Defender after installing Deep Security anti-malware on Windows Server 2016.
  • If you create a block rule for a batch file or PowerShell script, you will not be able to copy, move, or rename the file when using its associated interpreter (powershell.exe for PowerShell scripts or cmd.exe for batch files).
  • If you add an allow or block rule, it is normally sent to the agent the next time the agent connects to Deep Security Manager. If you see an error saying that the ruleset upload was not successful, verify that network devices between the agent and the manager or relay allow communications on the heartbeat port number or relay port numbers.
  • To verify that a block rule is working, try to run the software that you just blocked. To match the rule, software must be in the same location and have the same hash, path, and file name.
  • When blocked software remains installed, application control continues to record logs and show alerts when it blocks the software from running. To reduce the permission error logs on the computer and also reduce your attack surface, uninstall the software that application control is blocking. Once that is done, if you want to dismiss related alerts, either go to Alerts or go to Dashboard, click the alert, and then click Dismiss Alert. Not all alerts can be dismissed. For more information, see Predefined alerts.
  • For performance reasons, if the computer has too much software change, application control will continue to enforce existing rules, but stop detecting and displaying software changes. To resolve this, see Reset application control after too much software change.
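
The way the enforcement setting, block rules and maintenance mode interact during an operating system update, as described on this page, can be modelled in a few lines. This is an added example, not Deep Security code: the Computer class, on_execute, os_update and every path and hash in it are hypothetical or constructed, and the model reduces the agent's behavior to the rules stated above.

```python
from dataclasses import dataclass, field

BLOCK_UNRECOGNIZED = "Block unrecognized software until it is explicitly allowed"
ALLOW_UNRECOGNIZED = "Allow unrecognized software until it is explicitly blocked"

# Constructed sample values, not real paths or hashes from any product.
OS_FILE = r"C:\Windows\System32\example.dll"
BLOCKED_TOOL = r"C:\Tools\unwanted.exe"


@dataclass
class Computer:
    """Hypothetical model: each computer carries its own ruleset."""
    enforcement: str
    maintenance_mode: bool = False
    allow: set = field(default_factory=set)    # inventory plus allow rules
    block: set = field(default_factory=set)    # block rules
    security_events: list = field(default_factory=list)

    def on_execute(self, path, sha256):
        key = (path, sha256)   # a rule matches on location, file name and hash
        if key in self.block:
            self.security_events.append(("blocked by rule", key))
            return "blocked"                   # still enforced in maintenance mode
        if key in self.allow:
            return "allowed"
        if self.maintenance_mode:
            self.allow.add(key)                # new or updated software is inventoried
            return "allowed"
        self.security_events.append(("unrecognized", key))
        return "blocked" if self.enforcement == BLOCK_UNRECOGNIZED else "allowed"


def os_update(enforcement, maintenance_mode):
    """Constructed scenario: a patch replaces an inventoried file (new hash)."""
    pc = Computer(enforcement, maintenance_mode)
    pc.allow.add((OS_FILE, "sha256-before-patch"))     # initial inventory
    pc.block.add((BLOCKED_TOOL, "sha256-tool"))        # explicit block rule
    during = (pc.on_execute(OS_FILE, "sha256-after-patch"),
              pc.on_execute(BLOCKED_TOOL, "sha256-tool"))
    pc.maintenance_mode = False                        # maintenance window ends
    after = pc.on_execute(OS_FILE, "sha256-after-patch")
    return during, after


if __name__ == "__main__":
    for mode in (BLOCK_UNRECOGNIZED, ALLOW_UNRECOGNIZED):
        for maint in (False, True):
            print(maint, os_update(mode, maint), "|", mode)
```

Each result is ((updated OS file, block-listed tool) during the update, updated OS file after the window ends). The block-by-default case without maintenance mode is the one where the patched OS file stays blocked until an allow rule is created.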