Rule Discovery Overview

Updated on

This activity will cover a variety of rules and approval methods App Control offers. For more information on approvals see earlier section (App Control Rules and Approvals)

In this activity you will be provided with a use case or scenario that can be solved by an App Control rule. After reading the use case, look through Software Rules (and all rule categories contained within) and determine what rule would best solve the given scenario. Answers and explanation will be provided in foldable section - expand only when ready to view answer.

Scenario One

The company VMturtles is using the App Control solution for their environment. They have a large number of Windows Servers that administrators manage - these Windows Servers all have App Control agents and are in High Enforcement.

VMturtles administrators use Microsoft SCCM to deploy new software and install updates as needed. The current App Control administrator, Sally, believes they must add each new updated application or net new application to the list of approved files using 'File Rules' in App Control.

As the newest member of the VMturtles team you believe there is a better method of allowing for trusted change in the environment. What rule do you suggest to the team in this scenario?

Scenario One Answer

SCCM Rapid Config

The Rapid Config rule for Microsoft SCCM resolves the given scenario. Rapid Configs come out-of-the-box (pre-built).

This rule approves software that is delivered by SCCM. This offloads manual approval of applications that IT administrators push out via SCCM to a perpetual and automated method.

Note: Another potential solution for this use case is creating a Trusted Directory. Trusted Directories can be added under the 'Directories' tab when viewing Software Rules. Trusted Directories can be used to automatically approve software during roll-outs. In this case, however, there is already an OOTB Rapid Config for Microsoft SCCM.

Scenario Two

vCarbon, a technology company, is implementing the App Control solution. Initially they want to deploy in a Low Enforcement level to ensure no operational interruptions while implementing initial approvals and trusted change.

The security team at vCarbon wants to ensure that even while in Low Enforcement a rule is in place to report and block known malicious binaries. They've asked you to find a solution in App Control that can accomplish this task. What rule do you suggest to the team in this scenario?

Scenario Two Answer

Malicious File Ban

The Event Rule to ban/report malicious binaries resolves the given scenario. Event rules give administrators the capability to take a variety of actions based on flexible file/computer triggers.

In the App Control console we have already created an event rule called 'Ban Malicious files' for this use case. In this rule,  if a malicious file is detected a ban action will take place.

Note: There are all sorts of things you can do with event rules! While you are looking at the event rules check out the other samples that have been provided - including a rule to analyze all browser or email downloaded files.

Scenario Three

An admin at the company vSpherical wants to allow files and applications to be downloaded and ran by users without his interaction in App Control. While they would like to allow users this freedom, they also want to limit this to only verifiably trusted files that come from a trusted publisher and the application itself is trustworthy.

What rule do you suggest in this scenario?

Scenario Three Answer

Reputation Approval

Enabling reputation approval with high publisher and file trust requirements resolves the given scenario. Reputation approval allows for dynamic approval of files based on administrator set thresholds of trust for app, publisher, or both.

Reputation approval is a fantastic way to allow for trusted change (and initial approval) while limiting that approval to verified, trustworthy apps and publishers.

Scenario Four

PowerShell, while being a trusted tool, can also be leverage by attackers to do a variety of malicious actions. App Control gives the ability to lock down trusted tools like PowerShell without interrupting necessary operations.

The Carbon Black team who created this lab environment needs to allow unapproved PowerShell script executions via PowerShell. They want to limit this to a specific path, C:\cbappcontroldemofiles and only allow this for local administrators.

What would you suggest to the team in this scenario?

Scenario Four Answer

Execution Control

Creating an Execution Control custom rule resolves the given scenario. Execution control offers administrators flexible customizability on how applications, files, and or users/groups interact. For example, you can create an Execution Control rule that allows only users in the 'Developers' group to run .dll files using a development tool like Visual Studio.

In the App Control console we have already created a custom execution rule called 'PowerShell Usage for App Control Lab' for this use case. This rule allows PowerShell script executions by PowerShell at the previously mentioned path, and only for local administrators.