Application control is a premium feature that strengthens your
protection for the installation and launch of applications, installers, and
scripts. Predefined rules designed by F-Secure security experts block many of
the common attack vectors used by existing malware. In Application control, you can
also add your own rules by selecting
Add exclusion.
Before deploying a new block rule, consider setting the rule action to
Allow and monitor first. All application events
matching the rule are reported in the
Applications tab in the device details view, so you can see what the rule
would have blocked before it blocks anything.
When creating a new rule, note that rule order matters: the first rule that
matches a launch decides its outcome. For example, place a specific allow rule
above a generic block rule when you need to let one application run. You can
use the arrows in the profile editor to change the rule order.
Here we outline ways in which Application control prevents attack
vectors such as common zero days and targeted attacks. The three main
scenarios are:
- Prevent Microsoft Office exploit vulnerabilities
- Block unwanted applications
- Restrict vulnerable applications by version
Prevent Microsoft Office exploit vulnerabilities
With malware exploits using MS Office vulnerabilities on the rise, it
is increasingly common for malware of this type to arrive in a company network
as a document. Once the document is opened, the malware can set itself up on the
victim host and may also launch a new process, such as the PowerShell
scripting engine.
As an admin, you can therefore increase the security of your
organization by blocking Microsoft Office programs from starting other apps. This
type of restriction does not normally affect a user's work, as Microsoft Office
applications do not usually start other apps; if in doubt, run the rule in
Allow and monitor mode first and review the events it reports.
To explain the rule further:
The
Parent path parameter refers to the
application launcher, for example,
winword.exe.
Note: The exclusion rule expects that Microsoft Office is installed
under the default location and uses the
%ProgramFiles% environment variable.
Application control supports system and user environment variables.
The
Target command line parameter restricts the
rule further by blocking only powershell.exe processes.
Note: To block Microsoft Office from starting any application, remove
the second parameter.
As powershell.exe is commonly used to configure workstation settings,
you can, if needed, create an additional rule that lifts the
powershell.exe restriction but allows only your own management scripts. In the
screenshot, we assume that your management scripts are stored under
c:\myscripts.
The exclusion rule explicitly allows powershell.exe if its command line
contains
c:\myscripts\.
For example:
powershell C:\myscripts\login.ps1
Note: The exclusion rule uses the "contains" condition to match paths
such as:
c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
This condition may accidentally also match a path such as
"c:\powershell.exe\myprogram.exe".
An alternative is to specify an exact match with the
"equal to value" condition, as in
"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe",
or to use the "ends with" condition. Keep in mind that an exact match on the
System32 path does not cover the 32-bit host under
%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\, whereas an "ends with"
condition on \WindowsPowerShell\v1.0\powershell.exe matches both.
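The following PowerShell script is an added example and not F-Secure's code or the product's matching engine: it models the block rule and the allow rule described above against a few constructed launch events, so you can see the effect of rule order and of the "contains" false positive. The rule names, field names (ParentPath, TargetPath, TargetCommandLine), the sample events, and the assumption that the first matching rule wins are all mine.

```powershell
# Added example, not F-Secure's code: a PowerShell model of how the block rule
# and the allow rule above combine. Assumptions that are mine, not the
# product's documented behaviour: rules are evaluated top to bottom and the
# first match decides; string conditions are case-insensitive; a launch that
# matches no rule is allowed.

function Test-Condition {
    param([string]$Value, [string]$Operator, [string]$Pattern)
    # The page says rules accept environment variables, so expand them first.
    $p  = [Environment]::ExpandEnvironmentVariables($Pattern)
    $ic = [StringComparison]::OrdinalIgnoreCase
    switch ($Operator) {
        'contains' { return $Value.IndexOf($p, $ic) -ge 0 }
        'endswith' { return $Value.EndsWith($p, $ic) }
        'equals'   { return $Value.Equals($p, $ic) }
        default    { throw "Unknown operator '$Operator'" }
    }
}

function Resolve-Launch {
    param([hashtable]$Launch, [object[]]$Rules)
    foreach ($rule in $Rules) {
        $matched = $true
        foreach ($c in $rule.Conditions) {
            if (-not (Test-Condition -Value $Launch[$c.Field] -Operator $c.Operator -Pattern $c.Pattern)) {
                $matched = $false
                break
            }
        }
        if ($matched) {
            return [pscustomobject]@{ Id = $Launch.Id; Action = $rule.Action; Rule = $rule.Name }
        }
    }
    [pscustomobject]@{ Id = $Launch.Id; Action = 'Allow'; Rule = '(no rule matched)' }
}

# The two rules from the text. The allow rule is listed first on purpose.
# (The page's block rule pins Word to its default %ProgramFiles% path; an
# 'ends with' on the file name is used here so the sample is machine-independent.)
$rules = @(
    @{ Name = 'Allow own management scripts'; Action = 'Allow'; Conditions = @(
        @{ Field = 'TargetPath';        Operator = 'endswith'; Pattern = '\WindowsPowerShell\v1.0\powershell.exe' },
        @{ Field = 'TargetCommandLine'; Operator = 'contains'; Pattern = 'c:\myscripts\' }) },
    @{ Name = 'Block Office starting PowerShell'; Action = 'Block'; Conditions = @(
        @{ Field = 'ParentPath';        Operator = 'endswith'; Pattern = '\winword.exe' },
        @{ Field = 'TargetCommandLine'; Operator = 'contains'; Pattern = 'powershell.exe' }) }
)

# Constructed launch events (not captured from a real host).
$word = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
$ps   = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$launches = @(
    # 1: macro-style encoded command started by Word; '<base64>' is a placeholder
    @{ Id = 1; ParentPath = $word; TargetPath = $ps
       TargetCommandLine = 'powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <base64>' },
    # 2: your login script started from Explorer, not from Office
    @{ Id = 2; ParentPath = 'C:\Windows\explorer.exe'; TargetPath = $ps
       TargetCommandLine = 'powershell C:\myscripts\login.ps1' },
    # 3: the same script started by Word: its fate depends on rule order
    @{ Id = 3; ParentPath = $word; TargetPath = $ps
       TargetCommandLine = 'powershell C:\myscripts\login.ps1' },
    # 4: the false positive the text warns about: "contains powershell.exe"
    #    also matches a folder that happens to be called powershell.exe
    @{ Id = 4; ParentPath = $word; TargetPath = 'C:\powershell.exe\myprogram.exe'
       TargetCommandLine = 'C:\powershell.exe\myprogram.exe' },
    # 5: a command line that merely mentions the allowed folder in a comment
    @{ Id = 5; ParentPath = $word; TargetPath = $ps
       TargetCommandLine = 'powershell.exe -EncodedCommand <base64> # C:\myscripts\' }
)

'--- allow rule above block rule (as the text advises) ---'
$launches | ForEach-Object { Resolve-Launch -Launch $_ -Rules $rules } | Format-Table -AutoSize

'--- block rule above allow rule ---'
$launches | ForEach-Object { Resolve-Launch -Launch $_ -Rules @($rules[1], $rules[0]) } | Format-Table -AutoSize
```

With the allow rule on top, event 1 is blocked, events 2 and 3 are allowed by the allow rule, and event 4 is blocked: the "contains powershell.exe" condition on the command line also matches a program living in a folder named powershell.exe, which is the false positive the note above describes. Reversing the order blocks event 3 as well, because the block rule now matches first. Event 5 is allowed whenever the allow rule is on top: a "contains" condition on the command line is satisfied by any command line that includes the string, even as a comment, so keep allow rules as narrow as the product's conditions permit and review the events they produce in the Applications tab.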
Block unwanted applications
Application control can also help with blocking unwanted
applications, for example games. The following example shows how to block the
installation of Steam games.
This rule is specified for MSI installers and blocks by installer
subject, which you can find on the Details tab of the file's Properties dialog:
Application control allows you to specify rules for different meta
properties of an application. The following example demonstrates blocking
Spotify by its copyright text:
This rule blocks Spotify from starting regardless of where the file
is installed. These properties are visible in the file details (Properties,
Details tab). Because this metadata is set by whoever built the file, rules on
description or copyright text suit unwanted but legitimate software rather than
malware, which can claim any metadata it likes.
Restrict vulnerable applications by version
Application control is useful for preventing vulnerable applications
from running, for example to block an unpatched version. As an example,
CCleaner fixed a critical vulnerability in version 5.42.148.6499,
so any older version can be blocked.
The condition for the target file version is 'is less or equal to
5.41.*.*'. The asterisk fields indicate that only the major and minor fields
take part in the comparison, so every 5.41.x.y build and anything older matches.
As "CCleaner" is the
Target file description, the program is blocked
regardless of its file name or location.
Tip: To find the file version, open the file's Properties dialog and look at
the Details tab.
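The following PowerShell script is an added example, not F-Secure's code, and serves both the "Block unwanted applications" and "Restrict vulnerable applications by version" sections: it reads the properties those rules key on (file version, file description and copyright text of an executable; the Subject of an MSI) and models the 'is less or equal to 5.41.*.*' comparison. The function names, the placeholder paths, the sample version strings, and the assumption that only the fields before the first asterisk are compared are mine; the product's exact comparison semantics are not documented on this page.

```powershell
# Added example, not F-Secure's code: read the file properties the rules above
# key on (version, description, copyright of an .exe; Subject of an .msi) and
# model the 'is less or equal to 5.41.*.*' comparison. That the asterisk limits
# the comparison to the fields before it is taken from the text; the exact
# engine semantics are an assumption. Paths are placeholders.

function Get-ExeRuleProperties {
    param([Parameter(Mandatory)][string]$Path)
    $vi = (Get-Item -LiteralPath $Path).VersionInfo   # PE version resource
    [pscustomobject]@{
        Path            = $Path
        FileVersion     = $vi.FileVersion       # string shown under Properties > Details
        NumericVersion  = New-Object Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        FileDescription = $vi.FileDescription   # the 'Target file description' field, e.g. CCleaner
        LegalCopyright  = $vi.LegalCopyright    # what the Spotify-by-copyright rule matches
        ProductName     = $vi.ProductName
    }
}

function Get-MsiSubject {
    param([Parameter(Mandatory)][string]$Path)
    # Windows Installer automation object; summary-information property 3 is Subject.
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer,
                                            @((Resolve-Path -LiteralPath $Path).Path, 0))
    $si = $db.GetType().InvokeMember('SummaryInformation', 'GetProperty', $null, $db, @(0))
    $si.GetType().InvokeMember('Property', 'GetProperty', $null, $si, @(3))
}

function Test-VersionAtMost {
    # True if $FileVersion is 'less or equal to' a limit such as '5.41.*.*':
    # only the fields before the first asterisk are compared, in order.
    param([Parameter(Mandatory)][version]$FileVersion, [Parameter(Mandatory)][string]$Limit)
    $limitFields = @()
    foreach ($field in ($Limit -split '\.')) {
        if ($field -eq '*') { break }
        $limitFields += [int]$field
    }
    $fileFields = @($FileVersion.Major, $FileVersion.Minor, $FileVersion.Build, $FileVersion.Revision)
    for ($i = 0; $i -lt $limitFields.Count; $i++) {
        $f = [Math]::Max([int]$fileFields[$i], 0)   # [version] reports -1 for absent fields
        if ($f -lt $limitFields[$i]) { return $true }
        if ($f -gt $limitFields[$i]) { return $false }
    }
    return $true   # equal on every compared field still satisfies 'less or equal'
}

# Constructed version strings (not read from real CCleaner binaries):
foreach ($v in '4.20.0.1', '5.41.0.6446', '5.41.6446.0', '5.42.0.0', '5.42.148.6499') {
    '{0,-14} blocked by "<= 5.41.*.*": {1}' -f $v, (Test-VersionAtMost -FileVersion $v -Limit '5.41.*.*')
}

# Against real files on a Windows host (adjust the placeholder paths):
$exe = 'C:\Program Files\CCleaner\CCleaner.exe'
if (Test-Path -LiteralPath $exe) {
    $props = Get-ExeRuleProperties -Path $exe
    $props | Format-List
    'Blocked by "<= 5.41.*.*": ' + (Test-VersionAtMost -FileVersion $props.NumericVersion -Limit '5.41.*.*')
}
$msi = 'C:\Installers\example.msi'
if (Test-Path -LiteralPath $msi) { 'MSI Subject: ' + (Get-MsiSubject -Path $msi) }
```

The constructed loop reports the three 5.41-and-older strings as blocked and the two 5.42 strings as not blocked, since only the major and minor fields are compared. Run Get-ExeRuleProperties against the executable you intend to restrict before writing a description- or copyright-based rule, so the rule text matches the version resource exactly rather than the name shown in the Start menu.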
Related information: Reputation and prevalence properties used in Application
Control rules