White List - application control

Regular Member


Hi,

Is there any way to add to the white list an application which is not stored in the Windows directory?

For example Internet Explorer. I want to avoid situations where iexplorer.exe is blocked every time after sending a new update.
I'm using Policy Manager 9 with the "Deny" option set under the Application Control tab.

And a second question concerning the Application Control tab: is it possible to check the time when a new exe file shows up under "Unknown applications reported by host"?

Former F-Secure Employee

Re: White List - application control

Hello Kallstrom,

 

It's not possible to add any applications residing outside the Windows directory to the application control whitelist.

When using "deny" as a default action for outbound/inbound connections for unknown applications in application control, it's strongly advised to have a few computers in a piloting group where you could roll out new applications and updates prior to rolling them out for the whole domain. This way you'd have enough time to allow these applications.

There's no "arrival" or "first seen" date available in Policy Manager console regarding the new binaries under "Application Control Rules".

Regular Member

Re: White List - application control

Thanks

An "arrival" date for application control would be a nice addition; hope to see this in future versions of PMS.

Superuser

Re: White List - application control

Hi,

 

If IE is blocked every time you get an update for it, F-Secure is not configured correctly.

Please run ORSPDIAG and post the last 20 lines of the output. Without an ORSP connection you cannot solve the problem.

Also, it might help to clear the local list on the hosts, because on rare occasions it might get stuck. Please ask support for "AC-Clear.jar".

 

BR

Matthias
----------
perComp is a Platinum Partner of F-Secure since 1994. Any advice or help given by me in this forum is voluntarily and to my best knowledge based on working with the products since 1997. Direct contact for customers please check our homepage http://www.percomp.de

Regular Member

Re: White List - application control

By saying "every time" I mean that IE is blocked every time I send an update which changes the version of IE, so that is correct (?)

Superuser

Re: White List - application control

This should not happen.

IE is a well-known application and the ORSP network should automatically confirm that the update is OK.

Please remove all IE entries from the AC-List in the PMC and also clear the AC-List on the host that shows this effect.

 

 

Matthias

Regular Member

Re: White List - application control

I have 5 PMS running and it never worked like you are saying. It's not only one host which behaves like that, but every single machine managed from PMC.

I will make some tests on a newly created PMS.

Superuser

Re: White List - application control

Again, this is not normal, I never get a request about IE.

Those tests with a new PMS will not really change anything if the configuration is not correct.

Please provide the requested data and follow the outlined procedure!

Also mention the versions in use and applied hotfixes.

BR

Matthias

Regular Member

Re: White List - application control

When trying to run orspdiag.exe on a server I get:

 RCP communication error (is ORSP service running?)

I checked all our servers and there is no FSORPS service running.

I ran orspdiag on a client.

Last 20 lines of the diag:

Histogram of server query roundtrip times (ms):
[0: 0] [20: 0] [40: 0] [80: 0] [160: 0] [320: 0] [640: 0] [1280: 0] [2560: 0] [5120: 0] [10240: 0]

Histogram of NRS safe:
[missing: 0] [empty: 0] [error: 0] [-100: 0] [-99: 0] [-79: 0] [-19: 0] [80: 0] [100: 0]

Histogram of NRS lookups:
-

Histogram of NHIPS ratings from cache:
all:           [0: 1667] [150: 158]
last 14 days:  [0: 1369] [150: 158]
last 24 hours: [150: 155] [0: 21]

UUID: 89cee1a7-51de-4f66-8373-b7df65556932
Server: d96e61c9.de2
Status: 200
Connectivity state: Ok
CRL state: Ok
Proxies: -
Current proxy: -

Cache: 1825/10000 entries (NHIPS: 1825, NRS: 0), 398653 bytes

 

Server version 9.00.30231 hotfix 2

example client FSC 9.10 (294) HF05

Former F-Secure Employee

Re: White List - application control

 RCP communication error (is ORSP service running?)

The most common reason for this is that DeepGuard is actually disabled on the host by policy. I would suggest opening a support ticket about the issue.