Table of contents

Set up Application Control

Application Control continuously monitors your server and logs an event whenever a software change occurs. It is not intended for environments with self-changing software or that normally creates executables, such as some web or mail servers. To ensure Application Control is appropriate for your environment, check What does Application Control detect as a software change?

For additional information, see About Application Control and Application Control Trust Entities.

To enable Application Control and monitor software changes:

  1. Turn on Application Control.
  2. Monitor new and changed software.
  3. Turn on maintenance mode when making planned changes.

Once you have enabled Application Control, you can also learn how to:

Turn on Application Control

You can enable Application Control in the settings for a computer or in policies:

  1. Open the Computer or Policy editor and go to Application Control > General.
  2. Set the Application Control State to On or Inherited (On).
  3. Under Enforcement, select your targeted protection state:
    • Block unrecognized software until it is explicitly allowed
    • Allow unrecognized software until it is explicitly blocked (you should choose this option when initially setting up Application Control)
  4. Click Save.

Screenshot of policy editor with Application Control enabled

The next time that Workload Security and the agent connect, the agent scans and then generates an inventory of all software installed on the computer and creates rules that allow all the software that it finds. This initial inventory can take 15 minutes or longer, depending on your environment.

To check that Application Control is working as expected, follow the instructions in Verify that Application Control is enabled.

Monitor new and changed software

Once an inventory has been created on a protected computer, any software executable files that are added or changed are classified as a software change and appear on the Actions page in Workload Security. When unrecognized software runs, or attempts to run and is blocked, the event is listed under Events & Reports > Events > Application Control Events > Security Events. For more information, see Application Control events.

After you initially enable Application Control, you are likely to see a lot of software changes on the Actions page. This can happen when allowed software creates new executables, renames files, or relocates files through the normal course of operation. As you add rules to tune Application Control, you should see fewer software changes.

To quickly find all software changes on all computers and easily create allow or block rules for them, use the Actions tab.

You can automate the creation of software ruleset allow or block rules using the Workload Security API. For more information, see Allow or block unrecognized software.

  1. In the Workload Security console, go to Actions.
  2. There are several ways you can filter to see only specific occurrences of unrecognized software.

    Instead of evaluating each software change on each computer individually, use the filters described below to find software changes that you know are good, and allow them in bulk.

    Actions tab allows you to view drift away from your approved software inventory, and to approve or block software. To filter the list, choose a time period, click blue links, or type search filters.

    To reduce the number of software changes being displayed:

    • From the drop-down list next to Application Control: Software Changes, select a time range such as Last 7 Days. You can also click a bar in the graph near the top of the page to display the changes for that time period.
    • In the pane on the left, click Computers and select an individual computer or group, or click Smart Folders to display only the computers that are included in a particular smart folder (see Group computers dynamically with smart folders).

      Unlike the Computers tab, the Software Changes pane usually does not show all computers. It only displays computers where Application Control has detected software changes that do not already have allow or block rules.

    • Enter search terms and operators in the search filter field. You search for these attributes: Change By Process, Change By User, File Name, Host Name, Install Path, MD5, SHA1, and SHA256. For example, you could find all changes made by a particular user that you trust and click Allow All to allow all of their changes. Or if a particular software update was installed across your organization (while maintenance mode was not enabled), filter the page according to the hash value of the file and click Allow All to allow all occurrences.

      Details about a software change are displayed in the right pane. You can click the file name or computer name in the details to add it to your search filter.

    • Select whether to Group by File (Hash) or Group by Computer.

  3. Click either Allow or Block to add an allow or block rule on that computer, for that software. If you need more information to decide whether to allow or block, click the software name, then use the details panel on the right side.

    The next time that the agent connects with Workload Security, it receives the new rules.

Tips for handling changes

  • For most environments, we suggest that you select the Allow unrecognized software until it is explicitly blocked option to allow software changes by default when you first enable Application Control and add allow and block rules for changes that you see on the Actions page. Eventually, the rate of software changes should decrease. At that point, you could consider blocking software changes by default and creating allow rules for the software that you know is good. Some organizations prefer to continue to allow changes by default and monitor the Actions page for software that should be blocked.
  • You may prefer to start by evaluating security events, rather than dealing with unrecognized software first. Security events show you which unrecognized software has run (or attempted to run). For information on security events, see Monitor Application Control events.
  • When an unrecognized file is allowed to execute and you want to continue to allow it, create an Allow rule. In addition to allowing the file's execution, the event is no longer logged for that file, which reduces noise and makes important events easier to find.
  • When a known file's execution is blocked, consider cleaning that file from the computer, especially for repeated occurrences.
  • Keep in mind that software changes are listed for each computer where they occur. You must allow or block the software for each computer.
  • Rules are assigned to computers, not to policies. For example, if helloworld.py is detected on three computers, when you click Allow All or Block All, this would affect only three computers. It won't affect future detections on other computers, because they have their own rulesets.
  • If you see changes related to software updates that you can control, use the maintenance mode feature when performing those updates. See Turn on maintenance mode when making planned changes.
  • Do not run Application Control in lockdown mode on computers and servers that have automatic updates enabled.

Turn on maintenance mode when making planned changes

When you install patches, upgrade software, or deploy web applications, Application Control will detect them. Depending on your setting for how to handle unrecognized software, this could block that software until you use the Actions tab to create allow rules.

To avoid extra down time and alerts during deployment and maintenance windows, you can put Application Control into a mode designed for maintenance windows. While maintenance mode is enabled, Application Control will continue to block software that is specifically blocked by an Application Control rule, but it will allow new or updated software to run and automatically add it to the computer's inventory.

You can automate maintenance mode using the Workload Security API. For more information, see Configure maintenance mode during upgrades.

  1. In the Workload Security console, go to Computers.
  2. Select one or more computers, then click Actions > Turn On Maintenance Mode.
  3. Select the duration of your maintenance window.

    Maintenance mode automatically disables itself when your maintenance window is scheduled to end. Alternatively, if you prefer to manually disable maintenance mode when updates are finished, select Indefinite.

    On the Dashboard, the Application Control Maintenance Mode Status widget indicates whether the command succeeded.

  4. Install or upgrade software.

  5. If you chose to disable maintenance mode manually, remember to disable maintenance mode in order to start to detect software changes again.

Application Control tips and considerations

  • For better performance with Application Control, use Workload Security anti-malware instead of Windows Defender. See Ensure that Windows Defender is fully disabled after installation of the Anti-Malware module on Windows Server 2016.
  • If you create a block rule for a batch file or PowerShell script, you will not be able to copy, move, or rename the file when using its associated interpreter (powershell.exe for PowerShell scripts or cmd.exe for batch files).
  • If you add an allow or block rule, it is typically sent to the agent the next time the agent connects to Workload Security. If you see an error saying that the ruleset upload was not successful, verify that network devices between the agent and Workload Security or relay allow communications on the heartbeat port number or relay port numbers.
  • To verify that a block rule is working, try to run the software that you just blocked. For details on how the agent detects changes, see What does Application Control detect as a software change?
  • When blocked software remains installed, Application Control continues to record logs and show alerts when it blocks the software from running. To reduce the permission error logs on the computer and also reduce your attack surface, uninstall the software that Application Control is blocking. Once that is done, if you want to dismiss related alerts, either go to Alerts or go to Dashboard, click the alert, and then click Dismiss Alert. Not all alerts can be dismissed. For more information, see Predefined alert definitions.
  • For performance reasons, if the computer has too much software change, Application Control continues to enforce existing rules, but stops detecting and displaying software changes. To resolve this, see Reset Application Control after too much software change.