Application control exclusion rules explained - WithSecure Community
<main>
<article class="userContent">
<h1>Application control exclusion rules explained</h1>
<p>This article applies to the following F-Secure products: Computer Protection, PSB portal, Policy Manager.</p>
<p>Application control is a premium feature that strengthens your protection for the installation and launch of applications, installers, and scripts. Predefined rules designed by F-Secure security experts block many of the common attack vectors used by existing malware. In Application control, you can also add your own rules by selecting <strong>Add exclusion</strong>.</p>
<p>Before deploying a new block rule, consider setting the rule action to <strong>Allow and monitor</strong>. All application events matching the rule are then reported in the <strong>Applications</strong> tab in the device details view.</p>
<p>When creating a new rule, note that the order of the rules is important. For example, you may create a specific allow rule before a generic block rule to allow a specific application to run. You can use the arrows in the profile editor to change the rule order.</p>
<div>Here we outline ways in which Application control offers protection against attack vectors such as common zero-days and targeted attacks. The 3 main scenarios are:
<ul><li>Prevent Microsoft Office exploit vulnerabilities;</li>
<li>Block unwanted applications; and</li>
<li>Restrict vulnerable applications by version.</li></ul></div>
<h3 data-id="prevent-microsoft-office-exploit-vulnerabilities">Prevent Microsoft Office exploit vulnerabilities</h3>
<p>With malware exploits that use MS Office vulnerabilities on the rise, malware of this type is increasingly spread via documents arriving into a company network. Once the malware gets in, it can set itself up on the victim host and may also launch a new process, such as a PowerShell scripting engine.</p>
<p>As an admin, you can therefore increase the security of your organization by blocking Microsoft Office programs from starting other apps. This type of restriction does not affect a normal user's work, as Microsoft Office applications do not usually start other apps.</p>
<p><img src="https://us.v-cdn.net/6032052/uploads/882/VAB0JXNZWN4Z.png" alt="image" class="embedImage-img importedEmbed-img"></p>
<div>To explain the rule further:
<ul><li>The <strong>Parent path</strong> parameter refers to the application launcher, for example, <code class="code codeInline" spellcheck="false" tabindex="0">winword.exe</code>.<br><strong>Note:</strong> The exclusion rule expects that Microsoft Office is installed under the default location and uses the <code class="code codeInline" spellcheck="false" tabindex="0">%Program files%</code> environment variable. Application control supports system and user environment variables.</li>
<li>The <strong>Target command line</strong> parameter restricts the rule further by blocking only the powershell.exe processes.<br><strong>Note:</strong> To block any application from being started by MS Office, remove the second parameter.</li></ul></div>
<p>As powershell.exe is commonly used to configure workstation settings, you can, if needed, create an additional rule that lifts the powershell.exe restriction but allows only your own management scripts. In the screenshot, we assume that your management scripts are stored under <code class="code codeInline" spellcheck="false" tabindex="0">c:\myscripts</code>.</p>
<p><img src="https://us.v-cdn.net/6032052/uploads/375/ONM0R2EWZ5PZ.png" alt="image" class="embedImage-img importedEmbed-img"></p>
<p>The exclusion rule explicitly allows powershell.exe if its command line contains <code class="code codeInline" spellcheck="false" tabindex="0">c:\myscripts\</code>. For example: <code class="code codeInline" spellcheck="false" tabindex="0">powershell C:\myscripts\login.ps1</code></p>
<p><strong>Note:</strong> The exclusion rule uses the "contains" condition to match paths such as:</p>
<p><code class="code codeInline" spellcheck="false" tabindex="0">c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</code></p>
<p>This condition may accidentally match a path such as "<code class="code codeInline" spellcheck="false" tabindex="0">c:\powershell.exe\myprogram.exe</code>".</p>
<p>An alternative is to specify an exact match with the "equal to value" condition, as in:</p>
<p>"<code class="code codeInline" spellcheck="false" tabindex="0">%SystemRoot%\WindowsPowerShell\v1.0\powershell.exe</code>", or to use the "ends with" condition.</p>
<h3 data-id="block-unwanted-applications">Block unwanted applications</h3>
<p>Application control can also help with blocking unwanted applications, for example games. The following example shows how to block the installation of Steam games.</p>
<p><img src="https://us.v-cdn.net/6032052/uploads/306/KK33LT0PQST3.png" alt="image" class="embedImage-img importedEmbed-img"></p>
<p>This rule is specified for MSI installers and blocks by installer subject, which is shown in the file's Properties dialog:</p>
<p><img src="https://us.v-cdn.net/6032052/uploads/571/OSL7ZT7Z2KSL.png" alt="image" class="embedImage-img importedEmbed-img"></p>
<p>Application control allows you to specify rules for different metadata properties of an application. The following example demonstrates blocking Spotify by copyright text:</p>
<p><img src="https://us.v-cdn.net/6032052/uploads/329/IREOR9F4APWG.png" alt="image" class="embedImage-img importedEmbed-img"></p>
<p>This rule blocks Spotify from starting regardless of where the file is installed. These properties are visible in the file details:</p>
<p><img src="https://us.v-cdn.net/6032052/uploads/846/GDQ5FMZK6NSI.png" alt="image" class="embedImage-img importedEmbed-img"></p>
<h3 data-id="restrict-vulnerable-applications-by-version">Restrict vulnerable applications by version</h3>
<p>Application control is useful for restricting vulnerable applications from running, for example to block an unpatched version. As an example, CCleaner fixed a critical vulnerability in the latest version, 5.42.148.6499, so any older version can be blocked.</p>
<p><img src="https://us.v-cdn.net/6032052/uploads/994/O7Q0NDQI7N0D.png" alt="image" class="embedImage-img importedEmbed-img"></p>
<p>The condition for the target file version is "less or equal to 5.41.*.*". The asterisk fields indicate that only the major and minor fields are used in the comparison. As "CCleaner" is in the <strong>Target file description</strong>, the program is blocked regardless of the file name or its location.</p>
<p><strong>Tip:</strong> To find the file version, check the file's Properties dialog.</p>
<p><img src="https://us.v-cdn.net/6032052/uploads/045/2LATCCJGDXLD.png" alt="image" class="embedImage-img importedEmbed-img"></p>
<div id="related"><strong>Related information</strong>
<ul><li><a rel="nofollow" href="https://community.f-secure.com/common-business-en/kb/articles/5528">Reputation and prevalence properties used in Application Control rules</a></li>
<li><a rel="nofollow" href="https://help.f-secure.com/product.html#business/policy-manager/14.20/en/task_44F342214C4349DEB0C6AE2B14E0C3FC-14.20-en">Adding an exclusion rule in Policy Manager</a></li>
<li><a rel="nofollow" href="https://help.f-secure.com/product.html#business/psb-portal/latest/en/task_D5DDA11EBAE543F0977322A363DE879D-psb-portal-latest-en">Adding an exclusion rule in PSB portal</a></li></ul></div>
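<p>The rule semantics described in the three scenarios above, as an added worked example in Python. This is not WithSecure/F-Secure code and not how the product is implemented: it models the three rules from the article (the allow rule for scripts under c:\myscripts, the block rule for Office starting powershell.exe, and the CCleaner version rule) as ordered condition sets evaluated first-match-wins, which is an assumption drawn from the note that rule order matters; an event that matches no rule is treated as allowed, also an assumption. It runs constructed sample events through the "contains", "ends with" and "equal to" variants of the powershell.exe path condition to show the look-alike path <code class="code codeInline" spellcheck="false" tabindex="0">c:\powershell.exe\myprogram.exe</code> slipping through only with "contains", and shows the major.minor-only comparison of "5.41.*.*". The environment values, the WINWORD.EXE and CCleaner paths, the command lines and the 5.41.100.1 version are all constructed for the demo; the exact-match value includes the System32 segment so that it expands to the powershell.exe path quoted in the article.</p>

```python
"""Toy model of Application control rule matching (added example, not product code).
Imitates the article's condition types: contains / equal to / ends with /
less or equal to with '*' version wildcards, plus %VAR% expansion."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed endpoint environment; the product expands system and user variables.
ENV = {"SystemRoot": "C:\\Windows", "ProgramFiles": "C:\\Program Files"}


def expand(value: str) -> str:
    """Expand %VAR% tokens from ENV, case-insensitively, as Windows does."""
    lowered = {k.lower(): v for k, v in ENV.items()}
    return re.sub(r"%([^%]+)%", lambda m: lowered.get(m.group(1).lower(), m.group(0)), value)


def version_le(actual: str, pattern: str) -> bool:
    """'5.41.*.*' compares only the fields before the first '*' (major.minor)."""
    fields = pattern.split(".")
    n = next((i for i, f in enumerate(fields) if f == "*"), len(fields))
    try:
        have = [int(x) for x in actual.split(".")[:n]]
        want = [int(x) for x in fields[:n]]
    except ValueError:
        return False  # an unparsable version never matches a block-by-version rule
    return len(have) == n and have <= want


# Path and text comparisons are case-insensitive, like NTFS paths.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "contains": lambda v, p: expand(p).lower() in v.lower(),
    "equal to": lambda v, p: v.lower() == expand(p).lower(),
    "ends with": lambda v, p: v.lower().endswith(expand(p).lower()),
    "less or equal to": version_le,
}


@dataclass
class Rule:
    name: str
    action: str  # "Allow" or "Block"
    conditions: List[Tuple[str, str, str]]  # (event attribute, operator, value); all must hold

    def matches(self, event: Dict[str, str]) -> bool:
        return all(OPERATORS[op](event.get(attr, ""), val) for attr, op, val in self.conditions)


def build_rules(ps_op: str, ps_value: str) -> List[Rule]:
    """The article's rules; ps_op/ps_value is how the allow rule identifies powershell.exe."""
    return [
        # Specific allow rule first, so management scripts under c:\myscripts keep working.
        Rule("allow own scripts", "Allow", [("target_path", ps_op, ps_value),
                                            ("target_cmdline", "contains", "c:\\myscripts\\")]),
        # Generic block rule after it: Office must not start powershell.exe.
        Rule("block Office -> powershell", "Block", [("parent_path", "ends with", "\\winword.exe"),
                                                    ("target_cmdline", "contains", "powershell.exe")]),
        # Version rule: block CCleaner builds older than the patched 5.42 release.
        Rule("block old CCleaner", "Block", [("file_description", "equal to", "CCleaner"),
                                             ("file_version", "less or equal to", "5.41.*.*")]),
    ]


def evaluate(rules: List[Rule], event: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """First matching rule decides (assumption); nothing matched means the event is allowed."""
    for rule in rules:
        if rule.matches(event):
            return rule.action, rule.name
    return "Allow", None


WINWORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"  # constructed
POWERSHELL = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EXPLORER = "C:\\Windows\\explorer.exe"
CCLEANER = "C:\\Program Files\\CCleaner\\CCleaner.exe"  # constructed

# Constructed sample events; command lines, descriptions and versions are made up for the demo.
EVENTS: Dict[str, Dict[str, str]] = {
    "word_runs_login_script": {"parent_path": WINWORD, "target_path": POWERSHELL,
                               "target_cmdline": "powershell C:\\myscripts\\login.ps1"},
    "word_runs_adhoc_powershell": {"parent_path": WINWORD, "target_path": POWERSHELL,
                                   "target_cmdline": "powershell.exe -Command Get-Date"},
    "explorer_runs_powershell": {"parent_path": EXPLORER, "target_path": POWERSHELL,
                                 "target_cmdline": "powershell.exe -Command Get-Date"},
    "lookalike_path": {"parent_path": WINWORD, "target_path": "C:\\powershell.exe\\myprogram.exe",
                       "target_cmdline": "C:\\powershell.exe\\myprogram.exe C:\\myscripts\\notes.txt"},
    "ccleaner_old": {"parent_path": EXPLORER, "target_path": CCLEANER,
                     "file_description": "CCleaner", "file_version": "5.41.100.1"},
    "ccleaner_patched": {"parent_path": EXPLORER, "target_path": CCLEANER,
                         "file_description": "CCleaner", "file_version": "5.42.148.6499"},
}

# Three ways to write the powershell.exe path condition, as the article suggests.
VARIANTS = {
    "contains": ("contains", "powershell.exe"),
    "ends with": ("ends with", "\\powershell.exe"),
    "equal to": ("equal to", "%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
}


def decisions(variant: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Decision (action, matched rule) for every sample event under one path-condition variant."""
    rules = build_rules(*VARIANTS[variant])
    return {name: evaluate(rules, ev) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for variant in VARIANTS:
        print(f"--- allow rule matches powershell.exe with '{variant}' ---")
        for name, (action, rule) in decisions(variant).items():
            print(f"{name:28} {action:5} {rule or '(default)'}")
```

<p>Running the script prints one decision table per variant. With "contains", the look-alike path event is allowed by the scripts rule even though Word started it; with "ends with" or "equal to" it falls through to the Office block rule, which is the behaviour the article's note warns about. The CCleaner events show that 5.41.x.x is blocked and 5.42.148.6499 is not, because only the two fields before the asterisks take part in the comparison.</p>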
</article>
</main>