The company VMturtles is using the App Control solution for their environment. They have a large number of Windows Servers that administrators manage - these Windows Servers all have App Control agents and are in High Enforcement.

VMturtles administrators use Microsoft SCCM to deploy new software and install updates as needed. The current App Control administrator, Sally, believes they must add each new updated application or net new application to the list of approved files using 'File Rules' in App Control.

As the newest member of the VMturtles team you believe there is a better method of allowing for trusted change in the environment. What rule do you suggest to the team in this scenario?

The Rapid Config rule for Microsoft SCCM resolves the given scenario. Rapid Configs come out-of-the-box (pre-built).

This rule approves software that is delivered by SCCM. This offloads manual approval of applications that IT administrators push out via SCCM to a perpetual and automated method.

vCarbon, a technology company, is implementing the App Control solution. Initially they want to deploy in a Low Enforcement level to ensure no operational interruptions while implementing initial approvals and trusted change.

The security team at vCarbon wants to ensure that even while in Low Enforcement a rule is in place to report and block known malicious binaries. They've asked you to find a solution in App Control that can accomplish this task. What rule do you suggest to the team in this scenario?

The Event Rule to ban/report malicious binaries resolves the given scenario. Event rules give administrators the capability to take a variety of actions based on flexible file/computer triggers.

In the App Control console we have already created an event rule called 'Ban Malicious files' for this use case. In this rule,  if a malicious file is detected a ban action will take place.

An admin at the company vSpherical wants to allow files and applications to be downloaded and ran by users without his interaction in App Control. While they would like to allow users this freedom, they also want to limit this to only verifiably trusted files that come from a trusted publisher and the application itself is trustworthy.

What rule do you suggest in this scenario?

Enabling reputation approval with high publisher and file trust requirements resolves the given scenario. Reputation approval allows for dynamic approval of files based on administrator set thresholds of trust for app, publisher, or both.

Reputation approval is a fantastic way to allow for trusted change (and initial approval) while limiting that approval to verified, trustworthy apps and publishers.

PowerShell, while being a trusted tool, can also be leverage by attackers to do a variety of malicious actions. App Control gives the ability to lock down trusted tools like PowerShell without interrupting necessary operations.

The Carbon Black team who created this lab environment needs to allow unapproved PowerShell script executions via PowerShell. They want to limit this to a specific path, C:\cbappcontroldemofiles and only allow this for local administrators.

What would you suggest to the team in this scenario?

Creating an Execution Control custom rule resolves the given scenario. Execution control offers administrators flexible customizability on how applications, files, and or users/groups interact. For example, you can create an Execution Control rule that allows only users in the 'Developers' group to run .dll files using a development tool like Visual Studio.

In the App Control console we have already created a custom execution rule called 'PowerShell Usage for App Control Lab' for this use case. This rule allows PowerShell script executions by PowerShell at the previously mentioned path, and only for local administrators.