There are a few steps to take to prepare for monitoring with, and using, Trusted Applications. Follow the guide below to get everything configured correctly. These steps will probably be spread out over a total of a few days.
Go to the Security Applications list and you'll see some entries for Microsoft Defender. Security Applications are special in that they are not monitored or restricted in any way. If you have additional security applications, such as a third-party anti-virus application, add them here in the form of:
{program executable path}={digital signature company}
For example, if you use ESET you would enter:
C:\Program Files\ESET\ESET Endpoint Antivirus\ekrn.exe=ESET, spol. s r.o.
If a program in the Security Applications list is not signed by the given signer, it will be monitored like any other executable program.
If your company has a variety of anti-virus versions, vendors, etc., it is OK to add them all here. Only the ones that are actually running on any particular computer will be given the special status.
Some of the rules that you will use to determine whether an application should run or not will depend on the Trusted Publishers list. This is a list of the digital signers of the executable files (.exe, .dll, .sys, .ocx) that are installed on the systems that will be protected.
Rather than gathering these values manually, you can issue a command to the Satellites and optional Endpoints to scan local drives and collect all the digital signers, and add them to the Trusted Publishers list.
Scanning all of the executables on a server or workstation can take some time. The scan process purposely runs slowly so it doesn't impact the performance of the computer. Expect it to take a couple of hours. You can easily send a scan command using the following methods:
After a few hours, check the Trusted Publishers list and you'll probably see entries. A comment shows which computer the entry came from and which file, to help you understand which application is connected to that digital signer. It's quite likely that many of the scans found any particular list entry, but only the first one that reports in adds the entry to the list.
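Both of the preceding sections come down to the same question: who signed this executable, and does that match what the list says? The following PowerShell is an added example and is not Power Admin's code or the product's own scan command. It validates Security Applications entries written in the `{path}={signer}` form, and builds a candidate Trusted Publishers list from local executables, keeping only the first file that reported each signer, the way the text describes. Assumptions: the signer name is compared against the Organization (O=) or Common Name (CN=) of the Authenticode signing certificate, the sample entry paths other than the ESET one are placeholders, and the per-file pause is this script's own way of keeping the scan low impact.

```powershell
# Added example, not the product's code. Requires Windows PowerShell 5.1 or PowerShell 7 on Windows.

function Get-SignerName {
    # Pull O= (or failing that CN=) out of a certificate subject. Values like
    # "ESET, spol. s r.o." contain commas, so we stop only at the next "X=" attribute.
    param([string]$Subject)
    foreach ($field in 'O', 'CN') {
        if ($Subject -match "(?:^|,\s*)$field=(.*?)(?=,\s*[A-Z]+=|$)") { return $Matches[1].Trim() }
    }
    return $Subject
}

function Test-SecurityApplicationEntry {
    # Checks one "{executable path}={signer}" entry. Special = $true only when the file
    # exists, its signature is Valid and the signer matches; otherwise the program would
    # be monitored like any other executable.
    param([Parameter(Mandatory)][string]$Entry)
    $idx = $Entry.IndexOf('=')                      # split on the FIRST "=" only
    if ($idx -lt 1) { throw "Entry is not in path=signer form: $Entry" }
    $path   = $Entry.Substring(0, $idx).Trim()
    $signer = $Entry.Substring($idx + 1).Trim()

    $r = [ordered]@{ Path = $path; ExpectedSigner = $signer; Present = $false
                     SignatureStatus = 'NotFound'; ActualSigner = $null; Special = $false }
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $r.Present = $true
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $r.SignatureStatus = $sig.Status.ToString()
        if ($sig.SignerCertificate) {
            $subject = $sig.SignerCertificate.Subject
            $r.ActualSigner = Get-SignerName $subject
            $cn = if ($subject -match '(?:^|,\s*)CN=(.*?)(?=,\s*[A-Z]+=|$)') { $Matches[1].Trim() } else { '' }
            $r.Special = ($sig.Status -eq 'Valid') -and ($r.ActualSigner -eq $signer -or $cn -eq $signer)
        }
    }
    [pscustomobject]$r
}

function Get-LocalPublisherList {
    # Walks local fixed drives (or the given roots) for executable file types and records
    # each distinct, validly signed publisher once, with host + first file as the comment.
    param(
        [string[]]$Roots = @(),
        [string[]]$Extensions = @('.exe', '.dll', '.sys', '.ocx'),
        [int]$ThrottleMs = 20        # assumption: small pause per file to stay low impact
    )
    if (-not $Roots) {
        $Roots = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' |
                 ForEach-Object { $_.DeviceID + '\' }
    }
    $seen = @{}
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
          Where-Object { $Extensions -contains $_.Extension.ToLower() } |
          ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            # An unsigned or invalidly signed file says nothing reliable about its publisher.
            if ($sig -and $sig.Status -eq 'Valid' -and $sig.SignerCertificate) {
                $publisher = Get-SignerName $sig.SignerCertificate.Subject
                if (-not $seen.ContainsKey($publisher)) {
                    $seen[$publisher] = [pscustomobject]@{
                        Publisher  = $publisher
                        Comment    = "$env:COMPUTERNAME : $($_.FullName)"   # first file that reported it
                        Thumbprint = $sig.SignerCertificate.Thumbprint       # distinguishes same-named signers
                    }
                }
            }
            if ($ThrottleMs -gt 0) { Start-Sleep -Milliseconds $ThrottleMs }
          }
    }
    $seen.Values | Sort-Object Publisher
}

# Usage (run elevated so protected directories can be read):
$entries = @(
    'C:\Program Files\ESET\ESET Endpoint Antivirus\ekrn.exe=ESET, spol. s r.o.',   # from the page
    'C:\Program Files\ExampleAV\example-av.exe=Example AV Vendor'                    # placeholder
)
$entries | ForEach-Object { Test-SecurityApplicationEntry $_ } |
    Format-Table Path, Present, SignatureStatus, ActualSigner, Special -AutoSize
Get-LocalPublisherList -Roots 'C:\Program Files' | Export-Csv publishers.csv -NoTypeInformation
```

Two caveats worth keeping in mind when you review the results. A file that is present but reports `NotSigned` or `HashMismatch` will not get special status, which is exactly what you want for a tampered or replaced binary. And because the Trusted Publishers list is keyed on the signer's name, the thumbprint column is the extra field that lets you tell two certificates with the same display name apart before you decide to trust the name.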
The individual rules are run when a file access is attempted. Each rule looks at attributes of the file being accessed and of the process that is accessing it, and compares that information to Trusted List values (such as the Trusted Publishers) using expression statements.
Look at the Trusted Application Rules to check that they are set up to protect your systems the way you want. For example, you might want to deny access to Command Host files, or allow them but only for administrators. There are some default rules that you can use, change or delete, and you can add your own rules. The rules are synchronized to the Central Server, Satellites and Endpoints automatically. None of the rules will be used until they are enabled.
Once rules are in place it's time to enable checks so the rules can do their work. There are two modes for the rules:
Enabling scanning is done in two ways:
Once scanning is enabled, warnings will probably start getting queued up for review. In the Console go to Trusted App Services > Access Warnings. Here you can see warnings filtered by user, by host and/or by time. Click on each warning to review the details about that file access.
If you need to change the Trusted Application Rules to handle a situation, all of the properties that could be operated on are shown on the right side of the display.
One thing that will often happen is that you need to whitelist a particular executable (perhaps because it isn't digitally signed). Next to the process name is a green +... button. Use that button to add the process to the Trusted Applications List. When you add it to the list, all warnings from that process are removed, since it is now a handled situation.
One type of warning you can check on is performance warnings. These let you know if any particular rule is slowing down file access. The goal is for normal file processing to proceed at full speed, and for illegal file access to be stopped completely.
Once you are not getting blocking warnings for typical file access for a few days, it is time to start enabling Blocking Mode on the Central Server/Satellites and on Endpoints. It is a good idea to proceed slowly - enable it on a couple of servers or Endpoints at a time and see if any problems happen (which would indicate something happened that didn't happen while warnings were being watched).
Blocking Mode is enabled for the Central Server/Satellites through each server's Trusted Applications Monitor. For Endpoints it is enabled via the Endpoint Operations, or via the Endpoint Services > Endpoint Trusted Application Checking page to change the default for Endpoints that are still using the defaults.
An easy way to prevent files being copied or moved to a cloud folder is to create a Deny rule which applies to Write and Move/Rename operations and is set to:
If you want the cloud service to still be able to put files into the cloud folder (for read-only access), you will need to allow it with something like the following, which makes the rule not apply to the DropBox service:
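To make the rule behaviour described earlier (file and process attributes compared against Trusted List values, rules doing nothing until enabled, warnings in one mode and refusals in Blocking Mode) and the cloud-folder Deny rule with its DropBox exception concrete, here is an added PowerShell model. It is an illustration of the evaluation logic, not PA File Sight's rule engine or rule syntax. Assumptions: the rule fields, the event object shape, first-match-wins ordering, the cloud folder path, the DropBox executable path and its signer name are all constructed for this example; take the real signer from your own Trusted Publishers list.

```powershell
# Added example: an illustrative model of rule evaluation, not the product's engine or syntax.

$Trusted = @{
    Publishers   = @('Microsoft Windows', 'Microsoft Corporation', 'ESET, spol. s r.o.')
    Applications = @('C:\Tools\legacy-unsigned.exe')     # placeholder whitelisted executable
}

# Each rule: Action (Allow/Deny), the operations it covers, an Enabled flag, and a
# condition over the event ($e.File / $e.Process). Rules run top to bottom; the
# first one whose condition holds decides, so an Allow exception is placed
# ABOVE the Deny it carves out of.
$Rules = @(
    [pscustomobject]@{ Name = 'Allow DropBox service into cloud folder'; Action = 'Allow'; Enabled = $true
        Operations = @('Write', 'Move/Rename')
        Condition  = { param($e) $e.Process.Path -like 'C:\Program Files\Dropbox\*' -and
                                 $e.Process.SignerValid -and $e.Process.Signer -eq 'Dropbox, Inc.' } }  # signer: assumption
    [pscustomobject]@{ Name = 'Deny copies into cloud folder'; Action = 'Deny'; Enabled = $true
        Operations = @('Write', 'Move/Rename')
        Condition  = { param($e) $e.File.Path -like "$env:USERPROFILE\Dropbox\*" } }
    [pscustomobject]@{ Name = 'Deny untrusted processes'; Action = 'Deny'; Enabled = $true
        Operations = @('Read', 'Write', 'Move/Rename', 'Delete')
        Condition  = { param($e) -not ($e.Process.SignerValid -and $Trusted.Publishers -contains $e.Process.Signer) -and
                                 $Trusted.Applications -notcontains $e.Process.Path } }
)

function Invoke-AccessRules {
    # Warn mode records a matched Deny as a warning and lets the access proceed;
    # Block mode (Blocking Mode) refuses it.
    param($Event, [ValidateSet('Warn', 'Block')][string]$Mode = 'Warn')
    foreach ($rule in $Rules) {
        if (-not $rule.Enabled -or $rule.Operations -notcontains $Event.Operation) { continue }
        if (& $rule.Condition $Event) {
            if ($rule.Action -eq 'Allow') { return [pscustomobject]@{ Outcome = 'Allowed'; Rule = $rule.Name } }
            $outcome = if ($Mode -eq 'Block') { 'Blocked' } else { 'Warning' }
            return [pscustomobject]@{ Outcome = $outcome; Rule = $rule.Name }
        }
    }
    [pscustomobject]@{ Outcome = 'Allowed'; Rule = '(no rule matched)' }
}

# Constructed sample events.
$events = @(
    [pscustomobject]@{ Who = 'Explorer copies a spreadsheet into Dropbox'; Operation = 'Write'
        File = @{ Path = "$env:USERPROFILE\Dropbox\payroll.xlsx" }
        Process = @{ Path = 'C:\Windows\explorer.exe'; Signer = 'Microsoft Windows'; SignerValid = $true } }
    [pscustomobject]@{ Who = 'DropBox service syncs a file down'; Operation = 'Write'
        File = @{ Path = "$env:USERPROFILE\Dropbox\shared.docx" }
        Process = @{ Path = 'C:\Program Files\Dropbox\Client\Dropbox.exe'; Signer = 'Dropbox, Inc.'; SignerValid = $true } }
    [pscustomobject]@{ Who = 'Unsigned tool reads a document'; Operation = 'Read'
        File = @{ Path = 'D:\Shares\Finance\budget.xlsx' }
        Process = @{ Path = 'C:\Users\alice\Downloads\tool.exe'; Signer = $null; SignerValid = $false } }
)
foreach ($mode in 'Warn', 'Block') {
    foreach ($ev in $events) {
        $r = Invoke-AccessRules -Event $ev -Mode $mode
        "{0,-5} {1,-45} -> {2,-8} ({3})" -f $mode, $ev.Who, $r.Outcome, $r.Rule
    }
}
```

Running this shows the Explorer copy reported as a warning in Warn mode and blocked in Block mode, the DropBox service write allowed by the exception rule ahead of the Deny, and the unsigned tool caught by the trusted-process rule. The ordering is the part to check when you translate this back into real rules: if the exception sits below the Deny it never gets a chance to apply.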