This help page is for version 9.0. The latest available help is for version 9.4.

Getting Started with Trusted Applications (Application Whitelisting)

There are a few steps to take to prepare for and use Trusted Applications monitoring. Follow the guide below to get everything configured correctly. Expect these steps to be spread out over a few days.

Security Applications

Go to the Security Applications list and you'll see some entries for Microsoft Defender. Security Applications are special in that they are not monitored or restricted in any way. If you have additional security applications, such as a third-party anti-virus application, add them here in the form:

{program executable path}={digital signature company}

For example, if you use ESET you would enter:

C:\Program Files\ESET\ESET Endpoint Antivirus\ekrn.exe=ESET, spol. s r.o.

If a program in the Security Applications list is not signed by the given signer, it will be monitored like any other executable program.

If your company has a variety of anti-virus versions, vendors, etc., it is OK to add them all here. Only the ones that are actually running on any particular computer will be given the special status.

Trusted Publishers

Some of the rules that you will use to determine whether an application should run or not will depend on the Trusted Publishers list. This is a list of the digital signers of the executable files (.exe, .dll, .sys, .ocx) that are installed on the systems that will be protected.

Rather than gathering these values manually, you can issue a command to the Satellites and optional Endpoints to scan local drives and collect all the digital signers, and add them to the Trusted Publishers list.

Scanning all of the executables on a server or workstation can take some time. The scan process purposely runs slowly so it doesn't impact the performance of the computer. Expect it to take a couple of hours. You can easily send a scan command using the following methods:

  • Central Server and Satellites: Use Bulk Config's "Computers: Scan for Trusted Publishers". This will issue the command. After a short time the Satellite's status report will show it is scanning.
  • Endpoints: Go to Endpoint Operations and select the Endpoints you want to scan (all of them is recommended) and use the "Request Trusted Publishers Scan" button. Nothing visual happens when you click the button, but commands will get sent to the Endpoints to start scanning.

After a few hours, check the Trusted Publishers list and you'll probably see entries. A comment on each entry shows which computer and which file it came from, to help you understand which application is connected to that digital signer. It's quite likely that many of the scans found any particular entry, but only the first one that reports in adds the entry to the list.

Trusted Application Rules

The individual rules are run when a file access is attempted. Each rule looks at attributes of the file being accessed and of the process that is accessing it, and compares that information to Trusted List values (such as the Trusted Publishers) using expression statements.

Look at the Trusted Application Rules to see that they are set up to protect your systems the way you want. For example, you might want to deny access to Command Host files, or allow them but only for administrators. There are some default rules that you can use, change or delete, and you can add your own rules. The rules are synchronized to the Central Server, Satellites and Endpoints automatically. None of the rules will be used until they are enabled.

Enabling Rule Checking

Once rules are in place it's time to enable checks so the rules can do their work. There are two modes for the rules:

  • Testing Mode: This is where all file access is still allowed as normal, but warnings are issued for file access that would have been blocked by the rules. It is recommended to start out with Testing Mode until the rules are all working exactly as expected.
  • Blocking Mode: This mode is what provides protection. Once the rules are working correctly, this mode will block any file access that doesn't match the rules.

Enabling scanning is done in two ways:

  • Central Server and/or Satellites: Create a Trusted Applications Monitor on the server. You'll note there is a setting for Testing/Blocking Mode as well as alerting. If you ever need to disable the scanning (perhaps to do an installation of a new application) you can disable the monitor.
  • Endpoints: Go to Endpoint Operations and choose the Endpoints to operate on. Near the bottom right are settings under the Trusted Application Checking title. This lets you set the Test/Block mode, enable/disable scanning and enable/disable alerting. By default, all Endpoints use a global default. With Endpoint Operations you can give specific Endpoints specific settings for testing. Once everything is working well, you can use the Endpoints > Endpoint Trusted Application Checking node in the Console to change the defaults.

Check Warnings

Once scanning is enabled, warnings will probably start getting queued up for review. In the Console go to Trusted App Services > Access Warnings. Here you can see warnings filtered by user, by host and/or by time. Click on each warning to review the details about that file access.

If you need to change the Trusted Application Rules to handle a situation, all of the properties that could be operated on are shown on the right side of the display.

One thing that will often happen is that you need to whitelist a particular executable (for example because it isn't digitally signed). Next to the process name is a green +... button. Use that button to easily add the process to the Trusted Applications List. When you add it to the list, all warnings from that process are removed, since it is now a handled situation.

Performance Warnings

Another type of warning to check is the performance warning. It lets you know if any particular rule is slowing down file access. The goal is for normal file processing to proceed at full speed, and illegal file access to be stopped completely.

Enable Blocking

Once you have not been getting blocking warnings for typical file access for a few days, it is time to start enabling Blocking Mode on the Central Server/Satellites and on Endpoints. It is a good idea to proceed slowly: enable it on a couple of servers or Endpoints at a time and watch for problems (which would indicate something is happening that did not happen while the warnings were being watched).

Blocking Mode is enabled on the Central Server/Satellites through each server's Trusted Applications Monitor. For Endpoints it is enabled via Endpoint Operations, or via the Endpoint Services > Endpoint Trusted Application Checking page to change the default for Endpoints that are still using the defaults.

An easy way to prevent files from being copied or moved to a cloud folder is to create a Deny rule that applies to Write and Move/Rename operations and is set to:

(FILE_PATH_IN_CLOUD_FOLDER = True)

If you want the cloud service to still be able to put files into the cloud folder (for read-only access), you will need to allow it with something like the following, which exempts the Dropbox service from the rule:

(FILE_PATH_IN_CLOUD_FOLDER = True) AND (PROCESS_PATH != "*\DbxSvc.exe")
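To make the rule evaluation described under Trusted Application Rules and the Deny rule above concrete, here is an added Python example (not part of the product or this help page) that evaluates the cloud-folder expression against constructed file accesses in Testing and Blocking Mode. It assumes that clauses are joined by AND, that quoted values are case-insensitive and honour * wildcards, and that the rule's Write and Move/Rename setting is represented by an "operations" field; the FILE_PATH attribute and sample paths are constructed.

```python
import fnmatch
import re

# The Deny rule from the text, written in the product's expression syntax; the
# "operations" field stands in for the rule's Write and Move/Rename setting (assumed).
DENY_CLOUD_RULE = {
    "action": "Deny",
    "operations": {"Write", "Move/Rename"},
    "expression": r'(FILE_PATH_IN_CLOUD_FOLDER = True) AND (PROCESS_PATH != "*\DbxSvc.exe")',
}

# One clause is (ATTRIBUTE = value) or (ATTRIBUTE != value); clauses are joined by AND.
_CLAUSE = re.compile(r'\(\s*(\w+)\s*(!=|=)\s*(.+?)\s*\)')

def evaluate_expression(expression, attrs):
    """True when every AND-joined clause holds for the access attributes (assumed semantics)."""
    for part in expression.split(" AND "):
        m = _CLAUSE.fullmatch(part.strip())
        if not m:
            raise ValueError(f"unsupported clause: {part}")
        name, op, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            # quoted string: case-insensitive match with '*' wildcards
            matched = fnmatch.fnmatchcase(str(attrs[name]).lower(), raw[1:-1].lower())
        elif raw in ("True", "False"):
            matched = bool(attrs[name]) == (raw == "True")
        else:
            raise ValueError(f"unsupported value: {raw}")
        if matched != (op == "="):      # an '=' clause failed, or a '!=' clause matched
            return False
    return True

def check_access(rule, mode, access):
    """Apply one rule. Returns (allowed, warning): Testing Mode allows but warns, Blocking denies."""
    if access["operation"] not in rule["operations"]:
        return True, None
    if not evaluate_expression(rule["expression"], access):
        return True, None
    warning = f"{rule['action']} matched: {access['PROCESS_PATH']} {access['operation']} {access['FILE_PATH']}"
    return mode == "Testing", warning

# Constructed sample file accesses (not real telemetry).
CLOUD_DOC = r"C:\Users\alice\Dropbox\plan.docx"
SAMPLE_ACCESSES = [
    {"operation": "Write", "FILE_PATH": CLOUD_DOC, "FILE_PATH_IN_CLOUD_FOLDER": True,
     "PROCESS_PATH": r"C:\Windows\explorer.exe"},           # user copy into cloud folder
    {"operation": "Write", "FILE_PATH": CLOUD_DOC, "FILE_PATH_IN_CLOUD_FOLDER": True,
     "PROCESS_PATH": r"C:\Program Files\Dropbox\DbxSvc.exe"},  # the exempted sync service
    {"operation": "Read", "FILE_PATH": CLOUD_DOC, "FILE_PATH_IN_CLOUD_FOLDER": True,
     "PROCESS_PATH": r"C:\Windows\explorer.exe"},           # Read is outside the rule's scope
]
```

Run check_access over SAMPLE_ACCESSES in both modes: only the explorer.exe Write is flagged, and it is allowed with a warning in Testing Mode but denied in Blocking Mode.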

PA File Sight