App Control Rules and Approvals Overview

Updated on

This section provides optional background related to the VMware Carbon Black App Control solution. If you have experience or background knowledge on the App Control solution this section may be skipped.

App Control can lock down critical systems by approving files and denying unapproved file execution. There are a variety of methods to control approvals and allow legitimate future change.

1. File States

Files are classified according to their state. Security policies, which are groups of rules, control how files are treated based on their state. There are two types of states: global and local. The main states a file can be are approved, banned, and unapproved.

Global state determines what the file is allowed to do on agent-managed computers. The global state is a combination of file state and publisher state. File state is the approval/ban state of the file itself while publisher state is the approval state of the file’s publisher (if it is known). For example, a file may be unapproved but comes from an approved publisher (ex: Microsoft) leading to a global state of approved. Global states are:

  • Approved for all computers
  • Approved by Policy (approved by some, unapproved for others)
  • Unapproved for all computers
  • Banned for all computers
  • Banned by Policy (banned for some, unapproved for others)
  • Mixed (banned for some, approved for others)

While App Control keeps a global state for a file, each instance of a file on a computer has its own local state. Local state indicates what the file is allowed to do on the computer it was found on. Local states are:

  • Approved
  • Banned
  • Unapproved
  • Deleted (file has been deleted and will be removed from database on next update)

If a file has a global state of unapproved, it may have a different local state. For example, in the Medium Enforcement Level (see enforcement level section for additional details) a user can locally approve an unapproved file to run  giving the file a local state of approved.

2. Rules and Approvals

Files can be approved and also unapproved using a variety of built in/custom rules. Unapproved files will not be allowed to run regardless of Enforcement Level unless in a disabled state.

3. Trusted Change

Trusted change refers to changes in the environment that are legitimate. Change in an environment can occur from new applications being pushed, updates to existing applications, and so forth. App Control enables administrators with methods to approve trusted change in the environment  removing the burden of manual approval when legitimate change does occur.

4. Rapid Config

SCCM Rapid Config

Rapid Configs are pre-built sets of custom rules that can be used to achieve more complex goals. They are curated by Carbon Black and built-in to the App Control solution. Rapid configs can accomplish use cases such as optimizing the interaction of App Control and a specific app, hardening of OS and apps, and approval of files created or delivered by certain tools or pathways.

One example of a rapid config is the Microsoft SCCM rule. This rule approves software that is delivered by SCCM. This offloads manual approval of applications that IT administrators push out via SCCM to a perpetual and automated method.

5. SolarWinds-Sunburst Protection

SolarWinds Rapid Config

Rapid configs are continuously updated by Carbon Black. A recent addition to the rapid config ruleset is the SolarWinds-Sunburst Protection rule. This rule prevents exploitation of the SolarWinds breach. For more detailed information about the rules in this rapid config see the following resource (must be current Carbon Black customer w/access to User Exchange to view): SolarWinds Rapid Configs

6. Updaters

Updater Rules

Updater rules permit users to install application updates from approved sources as they become available for download. The list of updater rules are curated by Carbon Black. These rules allow for automated approval for trusted change  allowing updates to selected applications.

7. Bulk Approval

Bulk approval refers to the initial approval to existing trusted files present on endpoint(s). When implementing application control bulk/initial approval accounts for the majority of approvals. Once the bulk approval is completed, administrators can then focus on trusted change over time.  App Control provides simple methods for approving trusted existing files.

8. Publisher

Publisher Rules

On the one-time initialization scan, App Control discovers each unique publisher identified in a valid certificate for a file.

Administrators can choose to approve, ban, or leave unapproved publishers that have been identified in the environment. A publisher can be approved for all computers or those in a specific policy.

A file identified as being from a publisher can only be approved by publisher if the certificates are considered valid by the operating system.

9. Reputation

Reputation Approval

Reputation approval rules are used to automatically approve files based on the file and publisher trust ratings. Automatic approval using reputation can give end users flexibility and reduce the effort of maintaining approvals.

Trust ratings are assigned by  Carbon Black File Reputation, which provides a cloud-based database of known files. Trust rating data combines file information from distribution partners, web crawlers, honeypots, and the Carbon Black user community. Reputation data provides context such as publisher and associated product (if any). The prior mentioned information is used by Carbon Black File Reputation to assign a threat level and trust rating (note: trust rating is also provided for publishers).

File trust ratings are given on a scale from 0 (lowest trust) to 10 (highest trust). Apps distributing known malicious software, for example, would have a trust value at or near 0. A signed OS file with no known vulnerabilities would have a trust value near 10.

Publisher trust ratings have four possible values: high, medium, low, and not trusted.

There are a number of options for reputation approval:

  • Approval based on file or publisher reputation
  • Approval based on a combination of file and publisher reputation
  • Approval based on trust threshold (ex: approve if file trust is greater than 8)

When implementing reputation rules it is important to consider rule scope. Reputation rules can be enabled for all endpoints with an App Control agent or by specific policy groups.

In addition, reputation approvals can be disabled for specific files or publishers you don't want to automatically approve. For example you may want to implement trust based on threshold but disable approval for the publisher Adobe, which has a high trust level.

When you enable reputation approvals, any manual file or publisher state assignments you have made remain in effect and take precedence over reputation. For example, if you ban a file by name or hash, that file remains banned even if it would have been approved by reputation.

10. Custom Rules

Custom Rules
General Description Field on Add/Edit Custom Rule Page
If this/these source process(es)... Process
…and/or this/these user(s)... User or Group
…attempts to perform this/these operation(s)... Operation (Execute, Write or Both)*
…on this/these files(s)... Path or File
…on computers in this/these policy(ies)... Rule applies to/Policies
…on computers reporting to this/these App Control server(s)... Rule applies to/Servers (if Unified Management is enabled)
…on computers running on this platform... Platform (ex: Windows)
…then this/these action(s) should be taken. Execute Action and/or Write Action

App Control offers administrators the capability to implement Custom Rules to address unique environmental concerns or use cases. Custom Rules define actions you want the agent to take in response to file, directory, or process activity that matches conditions you specify. They may be used to optimize performance, protect file integrity, create trusted file path for software distribution, or meet other special needs.

Many use cases can be fulfilled with Custom Rules including File Integrity Control (FIC). The following fields are used to create a custom rule:

Additional use cases for Custom Rules include but are not limited to:

  • File Integrity Control/File Integrity Monitoring (FIC/FIM)
  • Creating exception to other types of rules (such as approvals or bans)
  • Execution control
  • Approve files from software distributors
  • Allow installers to run only from trusted network path

Given the flexibility of Custom Rules, rules can be created to suit any number of use cases.

11. Event Rules

Event Rule Malicious File

Event Rules allow you to specify an action to be performed when a file- or computer-related event occurs that matches filters you define. Only events that relate to files or computers can be used to trigger these rules.

One common use case of an event rule is to take an action when a malicious file is detected.

A variety of actions are available to be taken when an event rules' criteria is met. You can chose to:

  • Change global file state
  • Change global process state
  • Change local file state
  • Upload a file
  • Delete a file
  • Analyze a file
  • Move computer (to a different policy)

Note: Event rules can be tested prior to implementation. Event rules may have significant impact across the environment - it is always recommended to test rules before implementation.

12. File Approval Method Reference

Approval Method Software is Approved For When to Use
Approving by Trusted Directory All computers (global) When you have a trusted, secure server (e.g., for software deployment) on which to create an authorized approval directory.
Approving by Trusted User/Group Installation computer only (local) When you want to give unlimited installation privileges to a Windows user account or all users in a Windows or AD group. Trusted users are allowed to install on any computer on which they log in with their credentials.
Approving or Banning by Publisher Installation computer only (local), but can be installed on demand by any computer When you want to approve all software from a vendor for which App Control can confirm a valid digital certificate. You also can approve or ban certificates that identify a publisher, and this affects file state.
Approving by Publisher Reputation Installation computer only (local), but can be installed on demand on any computer When you want to permit installation of application updates as they become available for download via specified application update programs.
Approving by Updater Installation computer only (local), but can be installed on demand on any computer
When you want to permit installation of application updates as they become available for download via specified application update programs.
Moving Computers to Local Approval Mode Installation computer only (local) When you want to permit users on computers in High Enforcement policies to install software. Local approval occurs when a user installs an unapproved file while in this mode.
Automatic Local Approval on Enforcement Level Change Installation computer only (local) When you want to locally approve unapproved files found while in Low enforcement or higher when you move the computer from a less secure Enforcement Level to either Medium or High.
Moving Computers to Local Approval Mode Installation computer only (local) When you want to permit users on computers in High Enforcement policies to install software. Local approval occurs when a user installs an unapproved file while in this mode.
Locally Approving All Unapproved Files on a Computer Installation computer only (local) When you want to locally approve all existing unapproved files on a specific computer.
Locally Approving Individual Files Installation computer only (local) When you want to select specific files on a computer for local approval. You can locally approve files or remove local approval.
Appoving Individual Files Installation computer only (local) When you want to automatically approve (by hash) all the software that Carbon Black File Reputation considers trustworthy.
Approving by Event Rule Varies by Rule When you want to automatically approve a file, either locall or globally, when it is included in a reported event.