Day to Day Operations with Trusted Applications (Application Whitelisting)

Once you have the Trusted Applications feature up and running, and blocking access when it is not allowed, the day to day operations become fairly simple.

Watch Alerts

It is important to receive alerts when file access is blocked. Ideally, only malware would be blocked so file access alerts should be rare. If you get alerts that aren't malware, it might be a user trying to run a legitimate application that hasn't been allowed yet.

Allowing Legitimate Applications

Typically you'll see an alert about a blocked (or test-blocked) application in the Access Warnings dialog. Since typical rules will allow access to files from the Trusted Applications list, the easiest thing to do is add the blocked application to the list. This can be done by clicking the green button as shown in the image below:

Clicking this button will send a query to the Central Service, Satellites, and Endpoints to get a list of signers, file sizes and file dates for that particular file. If the next attempt to launch matches those criteria, the application will be trusted and allowed to run.

To make warnings easier to look at, other warnings coming from the same application will be cleared since they probably wouldn't have happened now that the application is in the Trusted Application List.

Other Ways to Allow Legitimate Applications

Besides clicking the green button on the Access Warnings dialog as shown above, there are three other ways to allow legitimate applications to run:

Use the Trusted Publishers List

Any application that is digitally signed by a company in the Trusted Publisher's list can run based on one of the default rules. So adding to the Trusted Publishers list is an easy way to allow many legitimate applications. The Getting Started page suggested sending a command to the Central Server, Satellites and Endpoints to automatically scan and load the Trusted Publishers list with all digital signers for software currently installed.

Add a Rule for the Application

It is possible to add a specific rule for an application, such as:

(FILE_PATH = "C:\Program Files\MyApplication\*") OR (PROCESS_PATH = "C:\Program Files\MyApplication\*")

This can become hard to manage, so the next idea is a better suggestion.

Use Custom Lists

Use one of the Custom Lists to keep track of applications or application folders that need to be able to run (often because they are not digitally signed), and then create a rule that allows software in the Custom List to run. For example, this custom list:

and this associated rule would allow applications in the above folders to run:

Note that the title of the rule can be anything - just the rule itself needs to refer to the Custom List name.

Pausing Rules

There might be times when the Trusted Application Rules need to be temporarily turned off such as when new software is installed or upgraded. To do this:

• For the Central Server or Satellites: Go to the Trusted Applications monitor, and specify how long rules should be paused and then press the Pause Rules button.
• For Endpoints: Go to the Endpoint Operations page, select/filter to those Endpoints that need to be operated on, and click the Paused Trusted Application Checking button at the lower right corner. This will pause checks for 15 minutes. Each time the button is clicked, the 15 minutes for the selected Endpoints is reset.