
Application control exclusion rules explained

Application control is a premium feature that strengthens your protection for the installation and launch of applications, installers, and scripts. Predefined rules designed by F-Secure security experts block many of the common attack vectors of existing malware. In Application control, you can also add your own rules by selecting Add exclusion.

In this article, we outline how Application control helps prevent attack vectors, such as common zero-days and targeted attacks. The 3 main scenarios are:
  • Prevent Microsoft Office exploit vulnerabilities;
  • Block unwanted applications; and
  • Restrict vulnerable applications by version.

Prevent Microsoft Office exploit vulnerabilities

Malware that exploits MS Office vulnerabilities is on the rise, and it is increasingly spread via documents arriving in a company network. Once the malware gets in, it can set itself up on the victim host and may also launch a new process, such as a PowerShell scripting engine.

As an admin, you can therefore increase the security of your organization and block Microsoft Office programs from starting other apps. This type of restriction does not affect a normal user's work, as Microsoft Office applications do not usually start other apps.

cp_app_control0.png

To explain the rule further:
  • The Parent path parameter refers to the application launcher, for example, winword.exe.
    Note: The exclusion rule expects that Microsoft Office is installed under the default location and uses the %ProgramFiles% environment variable. Application control supports system and user environment variables.
  • The Target command line parameter restricts the rule further by blocking only the powershell.exe processes.

    Note: To block MS Office from starting any application, remove the second parameter.

Because powershell.exe is commonly used to configure workstation settings, you can, if needed, create an additional rule that lifts the powershell.exe restriction, but only for your own scripts. In the screenshot, we assume that your management scripts are stored under c:\myscripts.

cp_app_control1.png

The exclusion rule explicitly allows powershell.exe if the rule's condition, c:\myscripts\, is met.

For example: powershell C:\myscripts\login.ps1

Note: The exclusion rule uses the "contains" condition to match paths, such as:

c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

This condition may also accidentally match an unrelated path, such as "c:\powershell.exe\myprogram.exe".

An alternative option is to specify an exact match with the "equal to" condition and a value such as "%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe", or to use the "ends with" condition.
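The following sketch is an added example, not F-Secure code: it models the three match conditions in Python to show which sample paths each way of writing the powershell.exe condition would cover. The rule values used for "contains" and "ends with", the case-insensitive comparison, the C:\Windows value for %SystemRoot% and the SysWOW64 sample path are assumptions.

```python
import re

# Assumed default value standing in for the endpoint's environment variables.
ENV = {"systemroot": r"C:\Windows"}

def expand(value):
    """Replace %VAR% with its value from ENV; unknown variables are left as-is."""
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), value)

def matches(condition, rule_value, path):
    """Evaluate one rule condition against a path (case-insensitive: an assumption)."""
    rule_value, path = expand(rule_value).lower(), path.lower()
    if condition == "contains":
        return rule_value in path
    if condition == "equal to":
        return path == rule_value
    if condition == "ends with":
        return path.endswith(rule_value)
    raise ValueError(f"unknown condition: {condition}")

# Candidate ways to write the powershell.exe condition (values are assumptions).
CANDIDATES = {
    "contains": "powershell.exe",
    "equal to": r"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe",
    "ends with": r"\powershell.exe",
}

# Constructed sample paths; the first two are the ones quoted in the article.
SAMPLES = {
    "system": r"c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "lookalike_dir": r"c:\powershell.exe\myprogram.exe",
    # 32-bit PowerShell on 64-bit Windows, included to check rule coverage.
    "syswow64": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
}

def coverage():
    """Return {condition: set of sample names that the condition matches}."""
    return {
        cond: {name for name, path in SAMPLES.items() if matches(cond, value, path)}
        for cond, value in CANDIDATES.items()
    }

if __name__ == "__main__":
    for cond, hit in coverage().items():
        print(f"{cond:10} -> {sorted(hit)}")
```

Of the three, only "contains" matches the look-alike directory, while "equal to" covers a single location, so check each rule against every path where the program can actually live.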

Block unwanted applications

Application control can also help with blocking unwanted applications; for example, games. The following example shows how to block the installation of Steam games.

cp_app_control2.png

This rule is specified for MSI installers and blocks by installer subject, which is found in the file's properties:

cp_app_control2_1.png

Application control allows you to specify rules for different meta properties of an application. The following example demonstrates blocking Spotify by copyright text:

cp_app_control3.png

This rule blocks Spotify from starting regardless of where the file is installed. These properties are visible in the file details:

cp_app_control3_1.png

Restrict vulnerable applications by version

Application control is useful for restricting vulnerable applications from running, for example, to block an unpatched version. As an example, CCleaner has fixed a critical vulnerability in the latest version 5.42.148.6499 and any older versions can be blocked.

cp_app_control4.png

The condition for the target file version is 'is less or equal to 5.41.*.*'. The asterisk fields indicate that only the major and minor fields are used in the comparison. As "CCleaner" is in the Target file description, the program is blocked regardless of the file name or its location.

Tip: To find the file version, check the file's properties.

cp_app_control4_1.png


Version history
Revision #: 2 of 2
Last update: 29-05-2018 05:58 PM