Bitdefender B2B Help Center

Application Control

Overview

The Application Control module adds another layer of protection against a wide range of malware threats (ransomware, zero-day attacks, exploits on third-party applications, Trojans, spyware, rootkits, adware and so on) by blocking unauthorized applications and processes from running.

Note

Availability and functioning of this feature may differ depending on the license included in your current plan.

Application Control reduces the attack surface that malware threats can leverage on the endpoint and prevents the installation and execution of any unwanted, untrusted or malicious applications.

Note

This module is available for:

  • Windows for workstations

  • Windows for servers

Configuration

Application Control enforces flexible policies that allow you to whitelist applications and manage the update permissions.

To enable Application Control for your currently installed clients, run the Reconfigure Client task. After installing the module, you can view its status in the Information window.

Important

Application Control highly affects Power User mode after application updates. For example, when a whitelisted application is updated, the endpoint submits the new information. GravityZone updates the rule with the new values and resends the policy.

You must run the Applications Discovery task to view the running applications and processes in your network. For more information, refer to Applications Discovery. Then, you can define Application Control rules.

Application Control runs in two modes:

  • Test Mode. Application Control only detects and reports the applications in Control Center, leaving them to run as usual. You can configure and test your whitelisting rules and policies, but applications will not be blocked.

  • Production Mode. Application Control blocks all unknown applications. Microsoft operating system processes and Bitdefender processes are whitelisted by default. Defined whitelisted applications will be allowed to run. To update whitelisted applications, you must define updaters. These are specific processes that are allowed to change existing applications. For more information, refer to Application Inventory.

Warning

  • To make sure legitimate applications are not restricted by Application Control, you must run Application Control in test mode first. This way you can make sure that the whitelisting rules and policies are properly defined.

  • Processes that are already running when the Application Control is set to Production Mode will be blocked after the next process restart.

To manage applications' permission to run:

  1. Select the Application Control check box, to enable this module.

  2. Use the Run in Test Mode check box to turn Test Mode on or off.

    Note

    • In test mode, you are notified if Application Control would have blocked a specific application. For more information, refer to Notifications.

    • Blocked Application notifications will be displayed in the Notification Area when new applications are detected and when blacklisted applications are blocked.

  3. Define process start rules.

Process start rules

Application Control allows you to manually authorize specific applications and processes, based on the hash of the executable, signing certificate thumbprint, and path of the application. You can also define rule exclusions.

Note

To obtain the custom values for the hash of the executable and thumbprint of the certificate, use Application Control tools.

The Process Start Rules table informs you of the existing rules, providing important information:

  • Rule priority. The rule with higher priority is closer to the top of the list.

  • Rule name and status.

  • Target applications and their permission to run. The target represents the number of conditions that must be matched in order for the rule to apply, or the number of applications or groups to which the rule applies.

To create a process start rule:

  1. Click the Add button at the upper side of the table to open the configuration window.

  2. In the General section, enter a Rule name.

  3. Select the Enabled check box to activate the rule.

  4. In the Targets section, specify the rule destination:

    • Specific process or processes, to define a process that is allowed or denied from starting. You can authorize by path, hash or certificate. The conditions inside the rule are matched by logical AND.

      • To authorize an application from a specific path:

        1. Select Path in the Type column. Specify the path to the object. You can provide an absolute or relative pathname and use wildcard characters. The asterisk symbol (*) matches any file within a directory. A double asterisk (**) matches all files and directories in the defined directory. A question mark (?) matches exactly one character. You can also add a description to help identify the process.

        2. From the Select one or more context drop-down menu you can choose among local, CD-ROM, removable and network. You can block an application executed from a removable device, or allow it if the application is locally executed.

      • To authorize an application based on hash, select Hash in the Type column and enter a hash value. You can also add a description to help identify the process.

        Important

        To generate the hash value, download the Fingerprint tool. For more information, refer to Application Control tools.

      • To authorize based on a certificate, select Certificate in the Type column and enter a certificate thumbprint. You can also add a description to help identify the process.

        Important

        To obtain the certificate thumbprint, download the Thumbprint tool. For more information, refer to Application Control tools.

      Click Add to add the rule.

    • Inventory applications or groups, to add a group or an application discovered in your network. You can view the applications running in your network on the Network > Application Inventory page. For more information, refer to Application Inventory.

      Insert the applications or group names in the field, separated by a comma. The auto-fill function displays suggestions as you type.

  5. Select the Include subprocesses check box to apply the rule to spawned child processes.

    Warning

    When setting rules for browser applications, it is recommended to turn off this option to prevent security risks.

  6. Optionally, you can also define exclusions from the process start rule. The adding operation is similar to the one described in the previous steps.

  7. In the Permissions section, choose whether the rule allows or denies the targeted applications to run.

  8. Click Save to apply the changes.
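The matching behaviour described in step 4, as an added example that is not Bitdefender's code: a small Python model for dry-running a draft rule list against sample processes while still in Test Mode. It assumes rules are evaluated from the top of the list with the first match winning, and that * and ? do not cross a backslash; the field names, rule names and all sample values are constructed.

```python
import re
from dataclasses import dataclass

def glob_to_regex(pattern):
    """Wildcards as documented: * = files in one directory, ** = any depth, ? = one char."""
    # Assumption: * and ? never match the path separator; matching is case-insensitive.
    table = {"**": ".*", "*": r"[^\\]*", "?": r"[^\\]"}
    parts = re.split(r"(\*\*|\*|\?)", pattern)
    body = "".join(table.get(p) or re.escape(p) for p in parts)
    return re.compile(body + r"\Z", re.IGNORECASE)

@dataclass
class Rule:
    name: str
    allow: bool
    path: str = ""
    context: str = ""       # local, CD-ROM, removable or network
    file_hash: str = ""
    thumbprint: str = ""

def matches(rule, proc):
    """All conditions present in the rule must hold (logical AND)."""
    checks = [proc.get(k, "").lower() == getattr(rule, k).lower()
              for k in ("context", "file_hash", "thumbprint") if getattr(rule, k)]
    if rule.path:
        checks.append(bool(glob_to_regex(rule.path).match(proc["path"])))
    return bool(checks) and all(checks)

def evaluate(rules, proc, test_mode):
    """Walk rules top-down (assumed first match wins); unknown apps are blocked."""
    hit = next((r for r in rules if matches(r, proc)), None)
    action = "allow" if hit and hit.allow else "block"
    if action == "block" and test_mode:
        action = "report"   # Test Mode: reported in Control Center, still runs
    return action, hit.name if hit else None

# Constructed sample rules and processes; thumbprints are placeholders.
RULES = [
    Rule("Block removable", allow=False, path=r"?:\**", context="removable"),
    Rule("Vendor signed", allow=True, path=r"C:\Program Files\Vendor\*", thumbprint="THUMB-A"),
]
USB = {"path": r"E:\tools\app.exe", "context": "removable", "thumbprint": "THUMB-A"}
SIGNED = {"path": r"C:\Program Files\Vendor\app.exe", "context": "local", "thumbprint": "THUMB-A"}
UNSIGNED = {"path": r"C:\Program Files\Vendor\drop.exe", "context": "local", "thumbprint": "THUMB-X"}

if __name__ == "__main__":
    print([evaluate(RULES, p, test_mode=False) for p in (USB, SIGNED, UNSIGNED)])
```

The third sample shows why combining a path condition with a certificate condition is tighter than a path rule alone: a file dropped into the allowed directory without the expected thumbprint falls through to the default block.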

To edit an existing rule:

  1. Click the rule name to open the configuration window.

  2. Enter the new values for the options you want to modify.

  3. Click Save to apply the changes.

To set the rule priority:

  1. Select the check box of the desired rule.

  2. Use the priority buttons at the right side of the table:

    • Click the Up button to promote the selected rule.

    • Click the Down button to demote it.

You can delete one or several rules at once. All you need to do is:

  1. Select the rules you want to delete.

  2. Click the Delete button at the upper side of the table. Once a rule is deleted, you cannot recover it.
