This feature allows you to add a new application to the default list. Adding and unauthorizing an application or file that belongs to the operating system or to other system-specific components may cause the system to malfunction. Hence, it is advised to add only applications that are not part of the operating system or other system-related programs.
You can add an application as follows:
- Log on to Thirtyseven4 EDR Security.
- Go to Configurations > Application Control.
- Select one of the following settings and expand.
- Allow All Applications
- Block All Applications
Allow All Applications
By default, all applications are allowed except those present in the blocklist.
- To add an application, click the Add Application button.
- To add an application, select one of the following options:
- Select Process Name and type the process name.
- Application Signature Maker – You can import an application signature file. To create an application signature file, do the following:
- To download Application Signature Maker, click Download.
- After downloading the Maker, add the application name to create the application signature.
- Click Save to File. The AppSignature.dat file is created.
- Click Browse and select the path of the AppSignature.dat file.
- In the Application Name text box, type an application name.
- In the Application Category list, select a category.
- Write a reason for adding a new application to the default list of applications. This helps Thirtyseven4 EDR Security to improve the quality of the software product.
- You can also submit the application metadata to the Thirtyseven4 EDR Security lab.
- Click Save. The application is added in the ‘User Added Applications’ subcategory under the selected application category.
Submit Application Metadata to Thirtyseven4 EDR Security lab
With this option, you can send the metadata of an application to the Thirtyseven4 EDR Security lab so that it can be included in the application categories. Metadata includes information about the application such as its Name, Version, Company Name, and MD5. You can also provide the reason for adding the application. This information will help us to improve the Application Control module.
Application Categories include thousands of applications based on their functionalities. If you block a category, all the applications in that category are blocked.
However, if you have unauthorized an application category but an application is not yet blocked, you can submit that application. Thirtyseven4 EDR Security analyzes the application and then enlists it in the category.
- Users may get an application-blocked prompt even while copying or renaming an unauthorized application.
- Some unauthorized applications may start if the application executable has been updated by a software update. Such applications can be added to Thirtyseven4 EDR Security, and it is recommended that you submit the metadata to the Thirtyseven4 EDR Security lab.
Block All Applications
By default all applications are blocked except applications present in the allowlist.
Here you can download the Allowlist Creation Utility. This utility helps you create an allowlist.
On this page, you can do the following actions:
- Download Allowlist Creation Utility to create a new Allowlist
- View list of existing Allowlists
- Import Allowlist
- Duplicate Allowlist
- Edit Allowlist
- Delete Allowlist
Disclaimer
Admins need to be mindful before configuring the Block All settings of Application Control, as there might be some consequences.
How to deploy new applications in the organization?
As an admin, you first need to deploy any new application in the test environment with Monitoring Mode set to ON and generate a report before rolling it out in the production environment. Once it is certified, add the application's installation folder to the Allowed Directory list and its publisher to the Allowed Publisher list. Test the application again in Enforcement Mode to check that it is working perfectly fine. Once confirmed, deploy the application in the production environment with the appropriate defined settings.
Important to know:
- It is recommended to enable the application control policy in Monitoring Mode first to ensure that the application is working fine, and then enable Enforcement Mode.
- Be cautious when the Strict Publisher setting is turned ON. Because this setting takes the highest precision, it may block applications under Allowed Directories, application installation from a network path, software updates whose publisher information is not available under allowed directories, and so on.
- Application control settings affect applications when their installation behavior or process changes. Examples: a Microsoft update changes the folder location to one other than what was captured in the golden image; third-party software installs its updated version in a different location; applications belong to a company acquired by Microsoft or by third-party companies.
- After the policy is saved, the Allowlist takes some time to update the endpoints, depending on the network speed and the machine configurations. Until then, application control will not work as expected.
- If an admin blocks an application while the policy is in Monitor Mode, the application does not get blocked. The admin will see the respective application in Monitor Mode in the application control report.
- If an admin is installing an application from a network path, it is important to ensure that the network path is added in Allowed Directories and that the Strict Publisher checkbox is not selected. Enabling the Strict Publisher check may block the application from installing.
How to check the publisher of the file?
Right-click the file. Click Properties > Digital Signatures. The name of the signer is the name of the publisher.
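The same publisher check can be run over a whole installation folder before entries are added to Allowed Publishers. The following PowerShell is an added example, not part of the Thirtyseven4 documentation or product; the folder path is a hypothetical placeholder. It lists each signer name with a file count and then the files that have no valid signature, which therefore have no publisher to match.

```powershell
# Added example: inventory Authenticode publishers under an application folder.
# The default path is a hypothetical placeholder; pass the folder under test.
param(
    [string]$Path = 'C:\Program Files\ExampleApp'
)

function Get-PublisherName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    if ($null -eq $Certificate) { return $null }
    # SimpleName is the subject's common name, as shown under "Name of signer".
    $type = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    return $Certificate.GetNameInfo($type, $false)
}

# Collect signature status and signer for every executable-type file.
$results = Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            File      = $_.FullName
            Status    = $sig.Status
            Publisher = Get-PublisherName $sig.SignerCertificate
        }
    }

# Publishers whose signatures verified: candidates for Allowed Publishers.
$results | Where-Object { $_.Status -eq 'Valid' } |
    Group-Object Publisher |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Files with no valid signature: review these before enabling Strict Publisher.
$results | Where-Object { $_.Status -ne 'Valid' } |
    Select-Object Status, File
```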
Creating Allowlist
To create a new Allowlist, follow these steps.
- Download Allowlist Creation Utility.
- Extract the zip file. After extracting the zip file, allowlist_creator.exe and baselineconf files are available.
- On the command prompt, run allowlist_creator.exe.
This application discovers all installed applications on the OS drive and creates the allowlist json file.
- Enter allowlist title and description. Press enter.
The allowlist is created. The allowlist location and result summary appear.
Duplicating Allowlist
To duplicate an Allowlist, follow these steps:
- Go to Configurations > Application Control > Block All Applications. The page expands displaying the list of Allowlist.
- Click the duplicate icon of the Allowlist that you want to duplicate.
- The duplicated Allowlist name appears in the next row. Edit the name of the Allowlist. Click the checkmark icon to save the Allowlist. The selected Allowlist is duplicated.
Deleting Allowlist
To delete an Allowlist, follow these steps.
- Go to Configurations > Application Control > Block All Applications. The page expands displaying the list of Allowlist.
- Select the Allowlist you want to delete, then click the Delete button. A confirmation message appears.
- If you are sure that you want to delete the selected Allowlist, click YES.
If the selected Allowlist is applied to a group, it cannot be deleted, and a failure message appears.
Importing Allowlist
To import an Allowlist, follow these steps:
- Go to Configurations > Application Control > Block All Applications. The page expands displaying the list of Allowlist.
- Click the Import Allowlist button.
- In the Import Allowlist dialog, import a json file by clicking Browse. The file size must be less than or equal to 70 MB.
- Enter Allowlist Name.
- Enter Allowlist Description.
- Click Import.
The allowlist is imported.
Editing Allowlist
To edit an Allowlist, follow these steps:
- Go to Configurations > Application Control > Block All Applications.
The page expands displaying the list of Allowlist.
- Click the edit icon of the Allowlist that you want to edit.
- The edit page appears with the Allowlist Name and Description. The following 4 settings are provided.
- Tree View – Discovered Directories and Applications
- Allowed Directories
- Manage Applications
- Allowed Publishers
- Expand and edit the settings as per requirement.
- Click Update Allowlist.
The Allowlist is updated.
Tree View – Discovered Directories and Applications
Tree view is a visualization type that lets users expand and collapse nodes to show information at varying levels of detail.
When you expand Tree View, the directory and applications tree of the system appear.
To add a directory, follow these steps.
- Select the name of the directory you want to add, then click the Add button.
- The success message appears. Click OK. The directory is added in the list of allowed directories.
To delete a directory, follow these steps.
- Select the directory that you want to delete.
The Delete button appears.
- Click the Delete button.
Allowed Directories
The list of allowed directories is displayed here. You can search for a directory by providing the name of the directory.
The Strict Publisher checkbox, "Check publisher for applications launched from allowed directory", is not selected by default. If it is selected, the publisher is checked for applications launched from an allowed directory.
The directory added in the Tree view appears here. A toggle switch can help you to change the rights of the directory.
To add a directory, follow these steps.
- To add a directory, click Add. Add Directory dialog appears.
- Enter the Directory name.
- Select the option Yes or No to allow the directory.
- Click Add.
The directory is added in the list of allowed directories.
To delete a directory, follow these steps.
- Select the Custom Directory that you want to delete.
The Delete button appears.
- Click the Delete button.
Manage Applications
The list of explicitly allowed/blocked applications is displayed here.
To add an application, follow these steps.
- To add an application, click Add. Add Application dialog appears.
- Enter the Application name.
- Select the option Allowed or Blocked.
- Click Add.
The application is added in the list of applications with the status as per selection while adding the application.
You can search for an application by providing the name of the application.
To delete an application, follow these steps.
- Select the application that you want to delete.
The Delete button appears.
- Click the Delete button.
Allowed Publishers
The list of allowed publishers is displayed here. You can search for a publisher by providing the name of the publisher.
A toggle switch can help you to change the rights of the publisher.
To add a publisher, follow these steps.
- To add a publisher, click Add. Add Publisher dialog appears.
- Enter the Publisher name.
- Select the option Yes or No to allow the publisher.
- Click Add.
The publisher is added in the list of allowed publishers.
To delete a publisher, follow these steps.
- Select the publisher that you want to delete.
The Delete button appears.
- Click the Delete button.