AppSense Application Manager Administration Guide
Notice
Copyright in the whole and every part of this manual belongs to AppSense Limited
("the Owner") and may not be used, sold, transferred, copied or reproduced in whole
or in part in any manner or form or in or on any media to any person other than in
accordance with the terms of the Owner's Agreement or otherwise without the prior
written consent of the Owner.
Trademarks
AppSense and the AppSense logo are registered trademarks of AppSense Holdings Ltd.
Microsoft, Windows and SQL Server are trademarks or registered trademarks of
Microsoft Corporation. Fluent is a trademark of Microsoft Corporation and the Fluent
user interface is licensed from Microsoft Corporation. Other brand or product names
are trademarks or registered trademarks of their respective holders.
Contents
Welcome viii
About this Document viii
Terms and Conventions viii
Feedback ix
Chapter 4 Rules 29
Manage Rules 29
Group Rules 30
User Rules 30
Device Rules 30
Custom Rules 31
Scripted Rules 32
Security Level 35
Tasks 36
Chapter 10 Auditing 68
Audit 68
Local Events 70
Appendixes
Appendix A System Requirements 81
Appendix D Licensing 87
About License Manager 88
Managing Licenses 89
Troubleshooting 90
Glossary 93
Welcome
Document Information
Publication number 3
Convention Use
Bold Highlights items you can select in Windows and the product interface, including
nodes, menu items, dialog boxes and features.
Italic Highlights values you can enter in console text boxes, and titles for other guides and
Helps in the documentation set.
Tip — Offers additional techniques and help for users, to demonstrate the
advantages and capabilities of the product.
Feedback
The AppSense Documentation team aims to provide clear, accurate and high quality
documentation to assist you in the installation, configuration and ongoing operation of
AppSense products.
We are constantly striving to improve the documentation content and greatly value and
appreciate any contribution you wish to make to enhance the detail of the content, based on
your experiences with AppSense products.
Please feel welcome to send in your comments to the following email address and we will
endeavor to incorporate these into future publications:
documentation.feedback@appsense.com
Thanks in advance,
The AppSense Documentation team
1
About Application Manager
Product Overview
This document shows how to set up and use the components of AppSense Application
Manager. Application Manager provides centralized management of corporate application
control, eliminating unauthorized application usage and controlling application network access
enterprise wide. Protective measures, such as blocking the execution of all unauthorized
software, are provided, together with extensive options for creating rules to manage production
application usage.
Application Manager is part of a closely integrated system of management components and can
be centrally configured and deployed to desktops, servers and Terminal Servers throughout the
enterprise using the AppSense Management Center.
For further information see the AppSense Management Center Administration Guide.
Architecture
This section provides details on the architecture of Application Manager and includes the
following:
Components
Software Agent
Configuration
Components
Client Computer
Application Manager Console
Application Manager Agent
License
Software Agent
Application Manager is installed and run on endpoints using a lightweight Agent. In Standalone
mode the Agent is installed directly onto the local computer. In Enterprise mode, the Agent is
stored in the AppSense Management Console.
Agents are constructed as Windows Installer MSI packages which allows them to be distributed
using any third-party deployment system which supports the MSI format.
Since the Agents are installed and stored locally they continue to operate when endpoints such
as notebooks and Tablet PCs are disconnected or offline.
For further information about deploying AppSense software, refer to the AppSense
Management Center Administration Guide.
Configuration
Application Manager Configuration files contain the rule settings for securing your system. The
Agent checks the configuration rules to determine the action to take when intercepting file
execution requests.
Configurations are stored locally in the All Users profile and are protected by NTFS security. In
standalone mode, configuration changes are written directly to the registry from the
Application Manager Console. In centralized management mode, configurations are stored in
the AppSense Management Center database, and distributed in MSI format using the
AppSense Management Console.
Configurations can also be exported and imported to and from MSI file format using the
Application Manager Console which is useful for creating templates or distributing
configurations using third party deployment systems.
After creating or modifying a configuration you must save the configuration with the latest
settings to ensure that they are implemented.
The Console
The Application Manager Console launches when the link is selected in the Start > All
Programs > AppSense menu.
Application Menu
The Application Menu provides options for managing configurations including create new,
open existing, save, import and export configurations and Print.
The Preferences option allows you to modify the console skin and select whether to display the
introductory splash screen.
Option Description
Save As Saves the configuration with a new name to one of the following locations:
Live configuration on this computer
Configuration in the Management Center
Configuration file on a local or network drive: Application Manager Package Files format
(aamp).
Note A live configuration is located on a computer which has an Application Manager Agent
installed and running.
Warning If using Microsoft Vista operating system with UAC enabled you must ensure that
you open the console with Administrator privileges.
Import & Export Imports a configuration from MSI format, usually legacy configurations which have been
exported and saved from legacy consoles.
Exports a configuration to MSI format.
Save
Saves changes to the configuration. The configuration will remain locked if opened from the
Appsense Management Center.
Undo
Clears the action history. Up to 20 previous actions are listed. Select the point at which you want to
clear the actions. The action selected and all subsequent actions are undone.
Redo
Re-applies the cleared action history. Up to 20 cleared actions are listed. Select the point at which you
want to redo the actions. The action selected and all subsequent actions are redone.
Back
Navigates back through the views visited in this session.
Forward
Navigates forward through the views visited in this session.
Ribbon Pages
Ribbon Pages include buttons for performing common actions arranged in ribbon groups
according to the area of the Console to which the actions relate. For example, the Home ribbon
page includes all common tasks, such as Cut, Paste and Copy, Help, AppSense website and
Support links.
Split ribbon buttons contain multiple options and are indicated by an arrow just below the
button. Click the arrow to display and select the list of options, or simply click the button for the
default action.
Help
The Home ribbon page includes a Help button which launches the Help for the product and
displays the topic relating to the current area of the console in view. A smaller icon for
launching the Help displays at the far right of the console, level with the ribbon page tabs, for
convenience when the Home ribbon page is not in view. You can also click F1 to launch the
Help topic for the current view.
Navigation Pane
The Navigation Pane consists of the navigation tree and navigation buttons. The navigation
tree is the area for managing nodes of the configuration. The navigation buttons allow you to
view the different areas of the console.
Work Area
The Work Area provides the main area for managing the settings of the configuration and
product. The contents of the work area vary according to the selected nodes in the navigation
tree and the selected navigation buttons. Sometimes the work area is split into two panes. For
example, one pane can provide a summary of the settings in the other pane.
Key Benefits
This section lists the key benefits of using AppSense Application Manager:
Protects against malicious code.
Controls role based application usage.
Protects out of the box against all unauthorized application usage.
Stops unauthorized device license usage.
Applies time restrictions on when applications can or cannot be run.
Controls network access from within applications.
Controls network access based on location.
Feature Summary
Application Manager provides the following key features for application control:
Trusted Ownership
By default, only application files owned by an Administrator or the local System are allowed to
execute. Trusted Ownership is determined by reading the NTFS permissions of each file which
attempts to run. Application Manager automatically blocks any file where ownership cannot be
established, such as files located on non-NTFS drives, removable storage devices, or network
locations. These files can optionally be allowed to run either by specifying them as Accessible
Items or by configuring a Self-Authorizing User rule. The Trusted Owner list can be configured
to suit each environment.
Scripted Rules
Scripted Rules allow administrators to apply Accessible Items, Prohibited Items and Trusted
Vendors to users based on the outcome of a VBScript. The VBScript can be run for each
individual user session or run once per computer.
Trusted Vendors
Allow authentic applications to run which have digital certificates signed by trusted sources, and
which are otherwise prohibited by Trusted Ownership checking. Define a list of Trusted Vendor
certificates for each User, Group, Device, Custom and Scripted Rule of the configuration.
Trusted Applications
Allow authorized applications to run files which are normally prohibited. Authorized
applications are designated as Trusted Applications (parent processes) which are assigned
specific prohibited files as Trusted Content (child processes). Trusted Content is allowed to run
only as the child process of a Trusted Application parent process.
Add certain files and file types as Trusted Content. Extend this trust to folders and drives to
allow files in these locations to run as Trusted Content of the Trusted Applications.
Digital Signatures
SHA-1 signature checks may be applied to any number of application control rules, providing
enhanced security where NTFS permissions are weak or non-existent, or for applications on
non-NTFS formatted drives. A digital signature wizard allows easy creation and maintenance of
large digital signature lists.
EndPoint Analysis
Allows an Administrator to browse to any endpoint and retrieve a list of applications that have
been installed on that endpoint. Search for any executable files and add them to the
configuration.
Application Manager records which applications are started and by whom. The recording of
data is started and stopped by the administrator.
End Point Analysis is on demand and inactive by default.
Auditing
Events are raised by Application Manager according to the default Event Filtering configuration
and audited directly to a local file log or the Windows Event Log. Alternatively, events can be
forwarded for auditing to the AppSense Management Center via the Client Communications
Agent (CCA). The Application Manager audit event reports available in the Management Center
can also be used to provide details of current application usage across the enterprise. For more
information, see the AppSense Management Center Administrator Guide and Help.
2
Manage Configurations
This section provides details on Application Manager Configurations and includes the following:
Default Settings
Configuration
Configuration Properties
Save a Configuration
Import a Configuration
Export a Configuration
Tasks
Default Settings
On installation Application Manager has a configuration loaded with the following default
settings:
Group Rules
BUILTIN\Administrators - Unrestricted
Everyone - Restricted
Trusted Owners Group
Administrators Group
System Account
Trusted Installer
Computer Administrator
Default Restrictions
Make local drives accessible by default
Ignore restrictions during logon
Allow cmd.exe for batch files
Extract self-extracting ZIP files
Validate MSI packages
Configuration
The Application Manager configuration is installed on managed devices and serves as a policy
checklist for the Application Manager Agent to assess how to handle file execution requests.
When a file is executed, Application Manager intercepts the request and performs a check with
the configuration to find a matching rule that indicates the appropriate action to take.
Other default policies specified in a configuration are also applied, for example, event filtering
or handling for specific file extension types as well as general policies such as default rules,
auditing rules and how message notifications are displayed.
This section includes:
Configuration Elements
Rule Matching
Configuration Elements
The Application Manager console provides configuration settings in the following key areas:
Rules
Library
Rules
Rule nodes provide default settings for handling file executions and specific settings which apply
to particular users, groups or devices:
For example, a highly restricted user might be prohibited under normal rule conditions from
introducing executable files on the system but may be required to download and run
software updates from a particular source, from time to time. If the downloaded file
includes a digital certificate which matches a certificate in the Trusted Vendors list, the file is
allowed to run.
Library
Library nodes provide the following:
Rule Matching
Rule matching takes place when Application Manager intercepts a file execution request and
checks the configuration policy to determine whether a file is allowed to run.
Matching is based on a three stage approach which considers security, matching order and
policy decisions:
1. Security:
Is the user restricted?
Is ownership of the executable item trusted?
Where is the executable located?
2. Matching:
Does the executable match a signature?
Does the executable match an Accessible or Prohibited item?
3. Policy:
Is Trusted Ownership checking enabled?
Is there a timed exception?
Is there an Application Limit?
Trusted Vendors
Trusted Vendor matching takes place when a file is prohibited by failing Trusted Ownership
checking and Trusted Application checking.
Application Manager queries each file execution to detect the presence of a Digital Certificate.
If the file has a valid digital certificate and the signer matches an entry in the Trusted Vendor list,
the file is allowed to run, and overrides any Trusted Ownership check.
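The following is an added example, not AppSense code: a simplified Python model of the three-stage rule matching described above (security, matching, policy), with the Trusted Ownership check, the Trusted Application parent-process override and the Trusted Vendor override applied in the order the guide gives. The data classes, the reason strings, the file paths, the vendor name and the user SID are constructed for the example; only the two default Trusted Owner SIDs come from the guide.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Default Trusted Owners from the guide: BUILTIN\Administrators and the local SYSTEM account.
TRUSTED_OWNER_SIDS = {"S-1-5-32-544", "S-1-5-18"}

@dataclass
class Executable:
    path: str
    owner_sid: Optional[str]                 # None when ownership cannot be established
    location: str = "local"                  # "local" (NTFS drive), "removable", "network", "non-ntfs"
    signer: Optional[str] = None             # subject of a valid digital certificate, if present
    content: bytes = b""                     # bytes hashed for SHA-1 signature matching
    parent_path: Optional[str] = None        # parent process that launched this file

@dataclass
class Rule:
    security_level: str = "Restricted"               # "Unrestricted" or "Restricted"
    accessible: set = field(default_factory=set)
    prohibited: set = field(default_factory=set)
    signatures: set = field(default_factory=set)     # allowed SHA-1 digests
    trusted_vendors: set = field(default_factory=set)
    trusted_apps: dict = field(default_factory=dict) # parent path -> set of Trusted Content paths
    app_limits: dict = field(default_factory=dict)   # path -> maximum concurrent instances

@dataclass
class Options:
    local_drives_accessible: bool = True   # "Make local drives accessible by default"
    trusted_ownership_checking: bool = True

def ownership_trusted(exe):
    # Ownership is read from NTFS permissions, so removable, network and non-NTFS items fail.
    return exe.location == "local" and exe.owner_sid in TRUSTED_OWNER_SIDS

def decide(exe, rule, opts, running=None):
    """Return (allowed, reason) for one execution request under the rule that matched the user."""
    running = running or {}
    # Stage 1, security: an Unrestricted rule (the default for BUILTIN\Administrators) allows everything.
    if rule.security_level == "Unrestricted":
        return True, "unrestricted rule"
    # Stage 2, matching: a signature match needs no ownership check, but an Accessible Item
    # still has to pass Trusted Ownership, so a tampered or renamed copy is caught.
    if hashlib.sha1(exe.content).hexdigest() in rule.signatures:
        allowed, reason = True, "signature match"
    elif exe.path in rule.prohibited:
        allowed, reason = False, "prohibited item"
    elif exe.path in rule.accessible:
        allowed = ownership_trusted(exe)
        reason = "accessible item" if allowed else "accessible item failed ownership check"
    elif not opts.trusted_ownership_checking:
        allowed = opts.local_drives_accessible and exe.location == "local"
        reason = "location only, ownership checking disabled"
    else:
        allowed = opts.local_drives_accessible and ownership_trusted(exe)
        reason = "trusted ownership" if allowed else "ownership not trusted"
    # Trusted Application: a prohibited file may run as Trusted Content of its parent process.
    if not allowed and exe.path in rule.trusted_apps.get(exe.parent_path, set()):
        allowed, reason = True, "trusted content of " + exe.parent_path
    # Trusted Vendor: consulted only after Trusted Ownership and Trusted Application both failed.
    if not allowed and exe.signer in rule.trusted_vendors:
        allowed, reason = True, "trusted vendor " + exe.signer
    # Stage 3, policy: an Application Limit still applies to an otherwise allowed file.
    if allowed and running.get(exe.path, 0) >= rule.app_limits.get(exe.path, float("inf")):
        return False, "application limit exceeded"
    return allowed, reason

def demo():
    """Constructed requests evaluated under the default Everyone - Restricted rule."""
    updater = b"MZ constructed sample updater"
    av = r"C:\Program Files\AV\scanner.exe"
    everyone = Rule(accessible={r"C:\Apps\deploy.exe"}, prohibited={r"C:\Windows\regedit.exe"},
                    signatures={hashlib.sha1(updater).hexdigest()},
                    trusted_vendors={"Example Vendor Ltd"},
                    trusted_apps={av: {r"C:\Temp\avupdate.exe"}},
                    app_limits={r"C:\Apps\deploy.exe": 1})
    user = "S-1-5-21-1000-2000-3000-1001"   # constructed SID of an ordinary user
    cases = {
        "system_owned_local": Executable(r"C:\Windows\notepad.exe", "S-1-5-18"),
        "same_file_on_usb": Executable(r"E:\notepad.exe", None, "removable"),
        "user_copied_exe": Executable(r"C:\Users\alice\tool.exe", user),
        "signed_on_usb": Executable(r"E:\setup.exe", None, "removable", signer="Example Vendor Ltd"),
        "prohibited_regedit": Executable(r"C:\Windows\regedit.exe", "S-1-5-18"),
        "av_child": Executable(r"C:\Temp\avupdate.exe", user, parent_path=av),
        "av_child_from_explorer": Executable(r"C:\Temp\avupdate.exe", user, parent_path=r"C:\Windows\explorer.exe"),
        "tampered_accessible": Executable(r"C:\Apps\deploy.exe", user),
        "signature_match": Executable(r"D:\updater.exe", user, "non-ntfs", content=updater),
    }
    results = {name: decide(exe, everyone, Options()) for name, exe in cases.items()}
    results["limit_reached"] = decide(Executable(r"C:\Apps\deploy.exe", "S-1-5-32-544"), everyone,
                                      Options(), running={r"C:\Apps\deploy.exe": 1})
    results["admin"] = decide(cases["user_copied_exe"], Rule(security_level="Unrestricted"), Options())
    return results
```

Calling demo() shows the same file allowed from a local NTFS drive but denied from removable media, a prohibited item running only as Trusted Content of its registered parent, and a signed file on removable media passing solely on the Trusted Vendor override.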
Configuration Properties
This section details the Configuration Properties and includes the following:
Message Settings
Archiving
Message Settings
Use the Message Settings options in General Features ribbon page > Configuration
Properties ribbon group to configure settings for messages issued to users. You can set up
messages for situations where access is denied, application limits have been exceeded and for
self authorization. Time limits for application behaviour can be specified with warning and
denied messages.
Reference
Access Denied
Displays when the user is denied access to an unauthorized application.
Message
%USERNAME% is not authorized to execute %Executablename%.
Message
%USERNAME% has exceeded the application limit for %ExecutableName%.
Time Limits
The Warning Message displays when the user is denied access to an application that has a
Timed Exception applied that is not valid at the requested time.
The Denied Message displays when an application has a Timed Exception applied that has now
expired and the application is still running.
Close application
Select to send a close message to the application. When most applications receive a close
message they automatically give the user a chance to save their work.
Terminate application
Select to terminate the application. Typically this is used after the application has been sent a
close message but has failed to terminate.
Wait
Specify the number of seconds to wait between each of the selected termination options. For
example, if the user selects all three of the termination options and then selects 20 seconds, the
warning message will be displayed, followed 20 seconds later by the close message and finally
the application terminates after a further 20 seconds.
Warning Message
Displays when the user is denied access to an application that has a Timed Exception applied
and that is not valid at the requested time.
Message
%USERNAME% is no longer permitted to run %ExecutableName%. Please save all work and
shut down this application immediately
Denied Message
An application has a Time Limit applied that has now expired and the application is still running.
Message
%USERNAME% is not permitted to run %ExecutableName% at this time.
Self-Authorization
The Message displays when a self-authorizing user attempts to run a prohibited application and
the file requires a user decision to run.
The Response displays when a self-authorizing user allows a DLL file that another application
uses and the application may need to be restarted.
Message
%ExecutableName% cannot run without your authorization. This action may be logged.
Response
%ExecutableName% is now authorized. Applications using this file may need to be restarted.
Archiving
Archiving is an optional function that allows you to copy any denied executables into a secure folder.
Reference
Use archiving
Select to switch on the archiving function.
Global Properties
Total Limit
The maximum size in MB that the archive is allowed to reach before archiving stops. If the option
When a user's archive is full allow the oldest files to be overwritten is selected, files are
overwritten.
User Limit
The maximum size in MB that a single user archive is allowed to reach before files are
overwritten. For example, if an archive path is specified as C:\archive\%username%, every user
on the system has a separate archive under the C:\archive directory. It is this user archive that is
subject to the user limit. The User Limit should not exceed the Total Limit.
File Options
Folders
Archive Folder
The list of folder paths to which archive files are copied.
Archiving attempts to write to the first listed folder, if unsuccessful an attempt is made to
archive to the next folder, if there is one in the list. This process continues until the folder list is
empty or the archive action succeeds.
Browse
Browse to the location where you want the archive to exist.
Add
Add an archive location to the list. The archive may contain environment variables. For example,
%SYSTEMDRIVE%\Archive\%USERNAME% is expanded when Application Manager attempts
to archive the file. Each user has a personal archive.
Move Up
Moves the selected archive up the list of available archives. The order of the archive list is
important as Application Manager attempts to copy the file to the first archive in the list. If this
copy fails, Application Manager continues to make attempts to copy the file to the next archive
location until it is successful.
Move Down
Moves the selected archive down the list of available archives. The order of the archive list is
important as Application Manager attempts to copy the file to the first archive in the list. If this
copy fails, Application Manager continues to make attempts to copy the file to the next archive
location until it is successful.
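The following is an added example, not AppSense code: a Python model of the archive behaviour described under Folders, that is, environment-variable expansion of each archive path, ordered fallback to the next folder when a copy fails, and the User Limit and Total Limit with the oldest-file overwrite policy. Limits are in bytes rather than MB, the Total Limit is assumed to cover the parent of the per-user folder, and the scenario in demo() is constructed in a temporary directory.

```python
import os
import re
import shutil
import tempfile

def expand(path, env):
    # Expand %VAR% tokens from a supplied mapping (constructed here instead of os.environ).
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)

def tree_size(root):
    return sum(os.path.getsize(os.path.join(d, f))
               for d, _, files in os.walk(root) for f in files)

def evict_oldest(root):
    # Overwrite policy: drop the least recently modified file anywhere under root.
    files = [os.path.join(d, f) for d, _, names in os.walk(root) for f in names]
    if not files:
        raise OSError("archive cannot hold the file")
    os.remove(min(files, key=os.path.getmtime))

def archive_denied_file(src, folders, env, user_limit, total_limit, overwrite_oldest=True):
    """Copy a denied executable into the first archive folder that accepts it.
    Returns the archived path, or None when every folder in the list fails."""
    size = os.path.getsize(src)
    for folder in folders:
        user_dir = expand(folder, env)
        root = os.path.dirname(user_dir)   # assumption: Total Limit covers the parent of the per-user folder
        try:
            os.makedirs(user_dir, exist_ok=True)
            for scope, limit in ((root, total_limit), (user_dir, user_limit)):
                while tree_size(scope) + size > limit:
                    if not overwrite_oldest:
                        raise OSError("archive full")
                    evict_oldest(scope)
            dest = os.path.join(user_dir, os.path.basename(src))
            shutil.copy2(src, dest)
            return dest
        except OSError:
            continue   # this folder failed; try the next one in the list
    return None

def demo():
    """Constructed scenario: an unusable first folder, then a per-user archive with a 2500-byte User Limit."""
    root = tempfile.mkdtemp()
    env = {"ARCHIVE_ROOT": root, "USERNAME": "alice"}
    open(os.path.join(root, "broken"), "wb").close()   # a plain file where the first folder should be
    folders = ["%ARCHIVE_ROOT%/broken/%USERNAME%", "%ARCHIVE_ROOT%/archive/%USERNAME%"]
    src_dir = os.path.join(root, "downloads")
    os.makedirs(src_dir)
    dests = []
    for i, name in enumerate(["a.exe", "b.exe", "c.exe"]):
        src = os.path.join(src_dir, name)
        with open(src, "wb") as fh:
            fh.write(b"M" * 1000)
        dest = archive_denied_file(src, folders, env, user_limit=2500, total_limit=10_000)
        os.utime(dest, (i, i))   # pin modification times so eviction order is deterministic
        dests.append(dest)
    # With overwriting disabled the full user archive rejects the copy and no folder remains.
    refused = archive_denied_file(src, folders, env, 2500, 10_000, overwrite_oldest=False)
    return {
        "fell_back": all("broken" not in d for d in dests),
        "remaining": sorted(os.listdir(os.path.join(root, "archive", "alice"))),
        "refused_when_no_overwrite": refused,
    }
```

After the third copy the oldest file in the user archive has been overwritten, so only b.exe and c.exe remain under the second folder.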
Save a Configuration
When changes are made to a configuration you have the following options:
Save - to save and continue editing.
Save and Unlock this configuration - the configuration is saved and unlocked and can
now be edited by other users.
Unlock only, do not save - reverts the configuration to the original state and unlocks
the configuration for editing by other users.
Save As
Live configuration on this computer
To replace/update the configuration on the local computer with the currently open
configuration.
Configuration in Management Center
To save the configuration in the package store on the selected Management Server.
Configuration file on local or network drive
To save the configuration to a file on a local or network drive.
Import a Configuration
Configurations can be imported in to Application Manager.
1. Click the Application Menu button.
2. Click Import & Export. The Import & Export Options display.
3. Click Import Configuration from MSI. The Open dialog box displays.
4. Navigate to the location of the MSI, select it and click Open.
Export a Configuration
Configurations can be exported from Application Manager.
1. Click the Application Menu button.
2. Click Import & Export. The Import & Export Options display.
3. Click Export Configuration as MSI. The Save As dialog box displays.
4. Navigate to the location to where you want to save the MSI, click Save.
Tasks
This section includes the following tasks:
CREATE A CONFIGURATION
1. Launch the Application Manager console from the Start menu.
2. Click the Application Menu button.
3. Click New.
A new configuration displays and automatically provides the following protection by
default:
Applications not stored on local hard drives are prohibited. For example, applications
on network drives and removable media are prohibited.
Applications that are not owned by the administrator are prohibited. For example, any
applications copied onto the computer's hard drives by a non-administrator are
prohibited.
All administrators can run any applications.
You must save a new configuration before the default settings are implemented.
TEST A CONFIGURATION
You must have a test user set up before proceeding with this task.
9. Click OK.
The User rule work area displays the newly created test user.
The test account should not be one of the Trusted Owners in the configuration.
3
General Features
This section provides details on the general features of Application Manager and includes the
following:
Trusted Owners
Trusted Applications
Extension Filtering
Options
Tasks
Trusted Owners
During the rule matching process, Trusted Ownership checking is performed on files, folders
and drives to ensure that ownership of the items is matched with the list of trusted owners
specified in the default rule configuration.
For example, if a match is made between the file you want to run and an accessible item, an
additional security check ensures that the file ownership is also matched with the Trusted
Owners list. If a genuine file has been tampered with or a file which is a security threat has been
renamed to resemble an accessible file, trusted ownership checking identifies the irregularity
and prevents the file execution.
Trusted ownership checking is not necessary for items with digital signatures as these cannot be
imitated.
The list of Trusted Owners is maintained in the General Features ribbon page > Default
Restrictions group > Trusted Owners. Application Manager trusts all local administrators
and SYSTEM owned applications by default and you can extend this list to include other users or
groups. You can also designate certain Trusted Applications, such as antivirus applications, to
be permitted to execute files which would otherwise be prohibited from running.
When using Application Manager for the first time, we recommend you use the default
settings. To avoid complex customizations do not extend the Trusted Owners list or change
any default settings.
WHITE LISTS
If you prefer to use a white list approach where nothing is allowed to run by default, clear the
Make local drives accessible by default check box in the General Features ribbon page >
Default Restrictions group > Options. To make items accessible add them to the Accessible
Items folder of a configuration node.
If you use a White List approach, ensure that you allow important system files to run, by
adding a Group Rule for the Everyone group in which all of the relevant files or folders have
been added to Accessible Items. Otherwise, many crucial executable files and DLLs such as
those which are stored in the system32 directory can be prevented from running and
adversely affect correct system functioning.
Reference
Properties
Trusted Owners
Textual SID
The Textual Security Identifier of the Trusted Owner. For example, S-1-5-32-544.
Trusted Applications
Trusted Applications are files which are authorized by Application Manager configuration rules
and are permitted to execute specified files which are normally prohibited.
Once an application is designated as a Trusted Application, you can add, as Trusted Content,
those files and file types which are normally prohibited, and run them as child processes of the
specified Trusted Applications. You can also add folders and drives as Trusted Content to allow
Trusted Applications to run prohibited files in those locations.
Trusted Application matching takes place when a file is prohibited by a rule or fails Trusted
Ownership checking. Application Manager checks the process tree of the prohibited file for a
running parent application which is an authorized application and matches a Trusted
Application. If a match is found, the file is allowed to run.
Reference
Options
Add File
Launches the File Selection dialog box. Enter or Browse to select the file you want to add.
Includes Replace with environment variables option, which is selected by default. This
option replaces the file and filepath entered with the environment variables.
All child processes of the selected trusted application which are normally prohibited, are
trusted when launched by this application.
Add Signature
Launches the File Selection dialog box. Enter or Browse to select the file you want to add.
The digital signature of the selected application is added to the list under the Signatures
heading.
Add File
Launches the File Selection dialog box. Enter or Browse to select the file you want to add. This
file will be allowed to run as a child process of the selected trusted application.
Includes Replace with environment variables option, which is selected by default. This
option replaces the file and filepath entered with the environment variables.
Add Folder
Launches the Folder Selection dialog box. Enter or Browse to select the folder you want to
add. This allows application files in this folder to be allowed to run as child processes of the
selected trusted application.
Includes Recurse subdirectories option, which is selected by default. This option indicates
whether the subdirectories of the folder are included.
Includes Replace with environment variables option, which is selected by default. This
option replaces the file and filepath entered with the environment variables.
Add Drive
Launches the Add Drive dialog box. Enter a drive letter to allow application files in this location
to run as child processes of the selected trusted application.
Extension Filtering
Apply Application Manager rules to specific file extensions.
Reference
Properties
Extensions
A list of file extensions to filter. You can Add to and Delete from the list.
Options
The Options in the General Features ribbon tab > Default Restrictions group provide
general Application Manager settings to apply to all application and process execution requests.
The Options are divided in to two sections:
General Features - all options are selected by default.
Validation - all options are selected by default with the exception of Validate System
processes.
Tasks
This section includes the following tasks:
You can verify the ownership of a file by viewing the Properties using Windows Explorer.
Copying the files to the hard disk does not bypass the security as the files are prohibited by
the Trusted Ownership rule.
4
Rules
This section provides details on Rules in Application Manager and includes the following:
Manage Rules
Security Level
Tasks
Manage Rules
Rule nodes allow you to create rules targeting specific users, groups and devices and assign
security level policies, resource access and resource restrictions which apply to the users, groups
and devices matching the rules.
Rule nodes provide Security Level settings for specifying the levels of restrictions to execute files.
Rule nodes also provide a further layer of granularity for controlling application use with
Accessible Items, Prohibited Items and Trusted Vendors for specifying lists of files, folders, drives
and signature groups which are allowed or prevented from running.
To display all Rules in the configuration click on Rules in the navigation tree. A summary
displays with all rules listed under the rule type. The security level assigned to each rule is seen
and can also be amended.
Select to add a rule to one of the following:
Group - Launches the Add Group Rule dialog box. Enter or Browse to select an Account.
User - Launches the Add User Rule dialog box. Enter or Browse to select an Account.
Device
Custom
Scripted
To remove a rule, select a rule and click Remove Rule. A confirmation message displays, click
Yes to confirm the removal.
Group Rules
The Group rules node allows you to match security control rules with specific user groups
within the enterprise.
The Group summary displays the group name, Textual Security Identifier (SID) and Security Level
of the rule.
To add a group rule click Add Rule in the Rules ribbon page > Manage group. The Add
Group Rule dialog box displays. Enter or Browse to select an Account.
To remove a group rule, select a rule and click Remove Rule in the Rules ribbon page >
Manage group. A confirmation message displays, click Yes to confirm the removal.
You can also add items to the Accessible Items node, Prohibited Items node or the Trusted
Vendors node in each group rule node, see the Rule Items chapter for more details.
User Rules
The User rules node allows you to match security control rules with specific users within the
enterprise.
The User summary displays the User, Textual Security Identifier (SID) and Security Level of the
rule.
To add a user rule click Add Rule in the Rules ribbon page > Manage group. The Add User
Rule dialog box displays. Enter or Browse to select an Account.
To remove a user rule, select a rule and click Remove Rule in the Rules ribbon page >
Manage group. A confirmation message displays; click Yes to confirm the removal.
You can also add items to the Accessible Items node, Prohibited Items node or the Trusted
Vendors node in each user rule node, see the Rule Items chapter for more details.
Device Rules
The Device rules node allows you to match security control rules with specific devices within
the enterprise. Device rules can apply the rule settings either to the device hosting the
Application Manager agent and configuration or to devices connecting through terminal
services to the host.
For example, a configuration rule can allow certain applications to run on a server but prohibit
the application from running when launched by users operating from specific devices listed in
the rule as connecting devices to the host server.
The Device summary displays the Rule Name and the Security Level.
To add a device rule click Add Rule in the Rules ribbon page > Manage group.
To remove a device rule, select a rule and click Remove Rule in the Rules ribbon page >
Manage group. A confirmation message displays; click Yes to confirm the removal.
You can also add items to the Accessible Items node, Prohibited Items node or the Trusted
Vendors node in each device rule node, see the Rule Items chapter for more details.
Reference
Devices
Hostname/IP Address
Devices are added to a rule by hostname or IP address.
When entering an IP address under a Device, the following formats are valid:
The address must be in standard IPv4 dotted quad notation. For example, 127.0.0.1
Zero or more of the four sections can be replaced with a wildcard or a range.
A wildcard is an asterisk (*) character and must be the only character in the section. For example,
127.*.0.1.
An address range is denoted by two numbers separated by a hyphen (-) character. The numbers
must be in the range 0-255. The first number must be lower than the second number. For example,
127.0.0.1-255. Wildcards and ranges can be combined in one address. For example, 128-128.0.*.30-125.
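The address patterns above, as an added example (not AppSense code): a small matcher that validates a device entry against the documented format and reports which Device rules a connecting address falls under. The rule names and addresses are constructed for the example; equal range bounds such as 128-128 are accepted because the guide's own example uses them.

```python
"""IPv4 pattern matching as used by Device and Custom rule device entries.

Added example, not AppSense code.  It follows the address format documented
for the rule: four dotted sections, each either a number 0-255, a wildcard
'*' (the only character in the section) or a range 'low-high'.  The guide says
the first number of a range must be lower than the second, but its own example
uses 128-128, so equal bounds are accepted here.  Hostname entries are outside
the scope of this example.
"""
import re

# A section is a wildcard, a single number, or a range of two numbers.
_SECTION = re.compile(r"^(\*|\d{1,3}|\d{1,3}-\d{1,3})$")


def parse_pattern(pattern):
    """Turn '128-128.0.*.30-125' into four (low, high) bounds.

    Raises ValueError for anything outside the documented format.
    """
    sections = pattern.split(".")
    if len(sections) != 4:
        raise ValueError(f"{pattern!r}: expected four dotted sections")
    bounds = []
    for section in sections:
        if not _SECTION.match(section):
            raise ValueError(f"{pattern!r}: bad section {section!r}")
        if section == "*":
            bounds.append((0, 255))  # wildcard matches any value
            continue
        if "-" in section:
            low, high = (int(n) for n in section.split("-"))
        else:
            low = high = int(section)
        if high > 255:
            raise ValueError(f"{pattern!r}: numbers must be in the range 0-255")
        if low > high:
            raise ValueError(f"{pattern!r}: range must run low-high")
        bounds.append((low, high))
    return bounds


def is_valid_pattern(pattern):
    """True when the entry conforms to the documented format."""
    try:
        parse_pattern(pattern)
        return True
    except ValueError:
        return False


def parse_address(address):
    """Plain dotted-quad address of a connecting device, as four ints."""
    octets = address.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"{address!r}: not a dotted-quad IPv4 address")
    return [int(o) for o in octets]


def matches(pattern, address):
    """True if every octet of the address falls inside the pattern's bounds."""
    return all(low <= octet <= high
               for (low, high), octet in zip(parse_pattern(pattern), parse_address(address)))


# Constructed sample: which Device rules list a given connecting device?
SAMPLE_DEVICE_RULES = {
    "Admin workstations": ["10.0.1.1-20"],
    "Branch office": ["10.0.*.*", "192.168.5.10"],
    "Loopback": ["127.*.0.1"],
}


def matching_rules(address, rules=SAMPLE_DEVICE_RULES):
    """Names of the rules whose device list contains the address."""
    return [name for name, patterns in rules.items()
            if any(matches(p, address) for p in patterns)]


if __name__ == "__main__":
    for addr in ("10.0.1.7", "10.0.9.200", "192.168.5.10", "127.55.0.1"):
        print(addr, "->", matching_rules(addr))
```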
Custom Rules
The Custom rule node allows you to match security control settings with combinations of
specific users or groups and devices within the enterprise. The rule can apply settings to devices
hosting the Application Manager agent and configuration or to devices connecting through
terminal services to the host.
For example, a rule that targets computer IP address 192.168.0.2 as a connecting device and
domain\user, allows you to apply security controls when the specific user logs on from the
specified device through terminal services to the computer hosting the Application Manager
agent and configuration.
The Custom summary displays the Rule Name, User/Group Name and the Security Level.
To add a custom rule click Add Rule in the Rules ribbon page > Manage group.
To remove a custom rule, select a rule and click Remove Rule in the Rules ribbon page >
Manage group. A confirmation message displays; click Yes to confirm the removal.
You can also add items to the Accessible Items node, Prohibited Items node or the Trusted
Vendors node in each custom rule node. See the Rule Items chapter for more details.
Reference
Devices
Hostname/IP Address
Devices are added to a rule by hostname or IP address.
When entering an IP address under a Custom rule, the following formats are valid:
The address must be in standard IPv4 dotted quad notation. For example, 127.0.0.1
Zero or more of the four sections can be replaced with a wildcard or a range.
A wildcard is an asterisk (*) character and must be the only character in the section. For example,
127.*.0.1.
An address range is denoted by two numbers separated by a hyphen (-) character. The numbers
must be in the range 0-255. The first number must be lower than the second number. For example,
127.0.0.1-255. Wildcards and ranges can be combined in one address. For example, 128-128.0.*.30-125.
Scripted Rules
The Scripted rules node allows you to create rules based on custom VB Scripts which run
whenever a user logs on. The success or failure of a VB Script determines whether the Security
Level settings, Accessible Items and Prohibited Items which are part of the rule apply to the
user.
Scripted rules can take advantage of any interface accessible via VB Script, such as COM and
WMI, and allow the administrator to define Application Manager policy based on any
computer, user, registry, file or system property. Scripted rules also allow integration with
other third party solutions, such as Microsoft Active Directory and Citrix Advanced Access.
Scripted rules can run for each new session in the context of the user or in the context of the
SYSTEM. Alternatively, Scripted Rules can run once per computer and the result is applied to all
user sessions.
Scripted rules are re-evaluated when a new configuration is deployed to the computer.
Scripts run when the Application Manager Agent starts up or when the configuration changes.
For more information about creating and using scripts, see Working with Scripted Rules in the
Appendixes.
The Scripted summary displays the Rule Name, Entry Function, Run Script - frequency and by
whom and the Security Level.
Rules ribbon page > Manage group provides you with the following options to manage
Scripted rules:
Add Rule - see Add a Scriptable Rule on page 36 in the Tasks section.
Remove Rule - select a rule and click Remove Rule. A confirmation message displays; click
Yes to confirm the removal.
Edit Script - displays the Scripted Rule dialog box > Script tab.
Script Options - displays the Scripted Rule dialog box > Options tab.
You can also add items to the Accessible Items node, Prohibited Items node or the Trusted
Vendors node in each scripted rule node, see the Rule Items chapter for more details.
Reference
Entry Function
The main function which is called when the script runs and evaluates the outcome of the rule.
Export
Launches the Save As dialog box which allows you to save the script in VBS format.
Import
Launches the Open dialog box which allows you to open an existing VB Script from another
location.
Execution
Select one of the following:
Run script once per logon session as the logged on user.
The script runs for each user logging on. Settings are only applied for the duration of the
user session.
Run script once per logon session as the SYSTEM user.
The script runs with SYSTEM account permissions once for each user logging on. Settings
are only applied for the duration of the user session.
Run script once per computer as the SYSTEM user.
The script runs with SYSTEM account permissions once at computer startup. Settings are
applied to all user sessions until the computer restarts, the Application Manager agent
restarts or there is a configuration change.
Running scripts as the SYSTEM user can cause serious damage to your computer and should
only be enabled by experienced script authors.
Security Level
Apply security levels to control whether the users, groups and devices specified in a rule are fully
restricted by Application Manager rules, unrestricted, audited only, or granted self-authorization
status entitling the user to decide whether to run an application. Self-authorized users can be
audited by raising events in the Auditing component and the Windows Event Log.
To set the Security Level, select the required node and do one of the following:
Click and drag the slider to the required level, in the rule node work area in the Security
Level section.
Click the ribbon button for the required level in the Rules ribbon page > Security Level
group.
RESTRICTED
Select to restrict users, groups, and devices in the rule to run only authorized applications. These
include files owned by members of the Trusted Owners list and files listed in the Accessible
Items node.
 SELF-AUTHORIZE
Select to prompt users, groups and devices in the rule to decide whether to allow execute
requests for each unauthorized file. Unauthorized files either do not belong to the Trusted
Owners list or are not specified in the Accessible Items list of a given rule.
A Self-authorizing user prompt includes the following options:
Remember my decision for this session only - The authorization decision is upheld only
for the current session. The user is prompted again for an authorization decision when
attempting to run the application in any future session.
Remember my decisions permanently - The user decision is upheld for all future
sessions.
If neither of these options is selected, the decision is upheld only for the current
instance the user is attempting to run. The Self-authorization prompt is reissued for any
future attempts to run instances of the application.
When a DLL file is allowed to run, a message notifies the user that the application which
uses the DLL may need to be restarted. The default message which displays can be
modified in the General Features ribbon page > Configuration Properties group >
Message Settings.
AUDIT ONLY
Select to permit all actions but log and audit events for monitoring purposes, according to the
policy settings in Auditing.
UNRESTRICTED
Select to permit all actions without even logging or auditing.
Tasks
The following are common tasks that are performed for Application Manager Rules:
TESTING SELF-AUTHORIZATION
1. Create a rule in the User Rules node which applies to a test user account that is not a
member of a group which belongs to the Trusted Owners list. For more details see Test a
Configuration.
2. Set the security control level to Self-Authorizing to allow the test user to self-authorize
applications to run.
3. Save the configuration.
4. Run the Registry Editor.
The application is prohibited and a message box displays with a prompt for a decision to
allow the file to run and informing that the action will be logged.
For script examples see Working with Scripted Rules in the Appendixes.
Step 1
Create a Signature Group for Office applications.
1. Navigate to Signature Group Management in the navigation tree.
2. Select Add Group in the Signature Groups ribbon page > Manage group.
A new Group node is added under the Signature Group Management node on the
navigation tree.
3. Highlight the Group, right-click to display the context menu, select Rename and enter a
name, for example Office Applications.
4. Select Launch Signature Wizard in the Signature Groups ribbon page > Items group.
The Application Manager Signature Wizard displays.
5. Click Next to display the Search Method screen.
6. Select Search folders. Click Next.
The Searching folders screen displays.
7. Enter the Office folder location. Alternatively, select the ellipsis (...) to display the Browse
For Folder dialog box to locate the folder.
8. Select Include subfolders and click Next.
9. Review the list of files and click Next.
10. The signatures are generated, once complete, click Next.
11. Click Finish to exit the wizard.
The Signatures are listed in the Group Items in the Signature Group Management work area.
Step 2
Setup a Device Rule to prohibit connecting devices.
1. Navigate to the Device node in the navigation tree.
2. Select Add Rule in the Rules ribbon page > Manage group.
A new Rule is created in the All Device Rules work area.
7. Click OK.
The selected machines are listed in Devices on the Device Rule work area.
8. Select Connecting Device as the Device Type.
9. Select Prohibited Items for the new Device Rule in the navigation tree.
10. Select Add Item in the Rule Items ribbon page > Accessible & Prohibited Items group.
11. Select Prohibited > Signature Group.
The Select Signature Group dialog box displays.
12. Select the previously created Office Application Signature Group and click OK.
The Signature Group is added to the Prohibited Items.
Step 3
Add devices that are allowed to run Office applications on the Terminal Server.
1. Navigate to the Device node in the navigation tree.
2. Select Add Rule in the Rules ribbon page > Manage group.
A new Rule is created in the All Device Rules work area.
3. Click on the Rule and enter a name.
4. Select the new Rule.
The Device Rule work area displays.
5. Select Add Client Device.
The Client Device Selection dialog box displays.
6. Enter the machines for which you want to allow access. Alternatively, select Browse to
perform an Active Directory search for the required machines.
7. Click OK.
The selected machines are listed in Devices on the Device Rule work area.
This section provides details on Rule Items and includes the following:
Accessible Items
Prohibited Items
Trusted Vendors
Tasks
Accessible Items
Accessible Item nodes are sub-nodes automatically created in any Rule node when you create a
new rule. They allow you to add Items to which the groups, users and devices specified in the
rule are granted access.
Items you can add are as follows:
Files
Folders
If you add a network file or folder path you must use the UNC name, as the Application
Manager Agent ignores any paths that are configured where the Drive letter is not a local
fixed disk. The user can access the network application through a network mapped drive
letter as the path is converted to UNC format before validating it against the
configuration settings.
Drives
Signature Items
Signature Groups
Network Connections
Network Connection Groups
To add an Item select the Accessible Items node and click the Add Item ribbon button on the
Rule Items ribbon page > Accessible & Prohibited Items group, select Accessible, then
select the type of accessible item you want to add.
To remove an Item select the Item you want to remove in the Accessible Items node, click the
Remove Item ribbon button on the Rule Items ribbon page > Accessible & Prohibited Items
group.
When using the default option, which trusts all locally installed Trusted Owner applications, you
only need to add any applications that run directly from network locations including mapped
network shares and DFS shares.
Application Manager includes support for adding items on Citrix client mapped drives. You can
add items by specifying paths using the following format: \\client\C$\<item name>.
We recommend you use signatures instead of file paths on client mapped drives, as this offers
stronger security.
Application Manager drag and drop functionality can be used to add files, folders, drives and
signature groups from Windows Explorer or copy or move items between Accessible Items or
Prohibited Items nodes in each of the main configuration nodes.
If you have changed the default options to use a white list approach, you should also add any
locally installed applications that you want users to run.
Access Times
You can apply specific access times to Accessible Items.
Select an Accessible Item in the Accessible Items work area and click the Access Limits ribbon
button. The Access Times dialog box displays.
Application Limits
The number of instances of an application that are permitted to run can be set using the
Application Limits. This feature can be enabled or disabled.
Prohibited Items
Prohibited Item nodes are sub-nodes automatically created in any Rule node when you create a
new rule. They allow you to add Items to which the groups, users and devices specified in the
rule are refused access.
Items you can add are as follows:
Files
Folders
If you add a network file or folder path you must use the UNC name, as the Application
Manager Agent ignores any paths that are configured where the Drive letter is not a local
fixed disk. The user can access the network application through a network mapped drive
letter as the path is converted to UNC format before validating it against the
configuration settings.
Drives
Signature Items
Signature Groups
Network Connections
Network Connection Groups
To add an Item select the Prohibited Items node and click the Add Item ribbon button on the
Rule Items ribbon page > Accessible & Prohibited Items group, select Prohibited, then
select the type of prohibited item you want to add.
To remove an Item select the Item you want to remove in the Prohibited Items node, click the
Remove Item ribbon button on the Rule Items ribbon page > Accessible & Prohibited Items
group.
If you are using the default option, which trusts all locally installed Trusted Owner applications,
you only need to add specific applications that you do not want users to run. For instance, you
may add administrative tools, such as management and registry editing tools.
You do not need to use this list to prohibit applications that are not owned by an administrator,
as they are blocked by trusted ownership checking.
Application Manager drag and drop functionality can be used to add files, folders, drives and
signature groups from Windows Explorer or copy or move items between the Accessible Items
node and Prohibited Items nodes in each of the main configuration nodes.
Trusted Vendors
The Trusted Vendors sub-node is available in each Application Manager rule node, for listing
valid digital certificates. Files which fail Trusted Ownership checking but contain digital
certificates, signed by trusted sources that match digital certificates listed in Trusted Vendors,
are allowed to run.
Select the Add ribbon button in the Rule Items ribbon page > Trusted Vendors group to add
digital certificates from files, select from file-based certificate stores or import file-based
certificate stores into the Trusted Vendors node.
Advanced options allow you to specify parameters for validating a certificate by ignoring or
allowing specific attributes. The certificate must be valid for the rule to be applicable, but there
are different levels of validation with which you can configure a certificate. A test option helps
to validate the certificate based on the options you have selected and, where relevant,
depends on connectivity with the appropriate Certification Authority.
Changing the settings in Advanced Options in the Rule Items ribbon page > Trusted
Vendors group could reduce the level of security required to validate a certificate and present
a security risk.
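As an added example (not AppSense code) of how the security levels described under Security Level combine with the Accessible Items, Prohibited Items and Trusted Vendors lists of this chapter, here is a simplified model of the decision for one execute request. The Trusted Owners set, the sample rule, and the order in which the lists are consulted (Prohibited Items first) are assumptions made for the example.

```python
"""Simplified model of how a rule's Security Level and its Accessible Items,
Prohibited Items and Trusted Vendors lists decide an execute request.

Added example, not AppSense code.  The individual checks follow the guide:
Trusted Ownership, Accessible Items (files and folders), Prohibited Items,
Trusted Vendors and the four security levels.  The order in which the lists
are consulted (Prohibited Items before any allow check), the Trusted Owners
set and the logging of blocked requests are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Optional

RESTRICTED = "Restricted"
SELF_AUTHORIZE = "Self-Authorize"
AUDIT_ONLY = "Audit Only"
UNRESTRICTED = "Unrestricted"

# Assumed Trusted Owners list (the real list is configured in the console).
TRUSTED_OWNERS = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
                  "NT SERVICE\\TrustedInstaller"}


@dataclass
class Rule:
    security_level: str
    accessible: set = field(default_factory=set)       # files, or folders ending in '\'
    prohibited: set = field(default_factory=set)
    trusted_vendors: set = field(default_factory=set)  # certificate subjects


@dataclass
class ExecRequest:
    path: str                     # full path of the file being executed
    owner: str                    # account that owns the file on disk
    signer: Optional[str] = None  # subject of the file's digital certificate, if signed


@dataclass
class Decision:
    allowed: bool
    logged: bool     # an audit event is raised
    prompt: bool     # the user is asked to self-authorize
    reason: str


def _listed(path, items):
    """Exact file match, or the file lives under a listed folder (ending in '\\')."""
    p = path.lower()
    return any(p == i.lower() or (i.endswith("\\") and p.startswith(i.lower()))
               for i in items)


def evaluate(rule, req, user_choice=None):
    """Decide an execute request under `rule`.

    user_choice is the answer to an earlier self-authorization prompt for this
    file (True/False), or None if the user has not yet been asked.
    """
    if rule.security_level == UNRESTRICTED:
        return Decision(True, False, False, "Unrestricted: allowed, not logged")
    if rule.security_level == AUDIT_ONLY:
        return Decision(True, True, False, "Audit Only: allowed and logged")
    if _listed(req.path, rule.prohibited):  # assumed to take precedence over allows
        return Decision(False, True, False, "Prohibited Item")
    # Authorized files: Trusted Owner, Accessible Item, or signed by a Trusted Vendor.
    if req.owner in TRUSTED_OWNERS:
        return Decision(True, False, False, "owned by a Trusted Owner")
    if _listed(req.path, rule.accessible):
        return Decision(True, False, False, "Accessible Item")
    if req.signer and req.signer in rule.trusted_vendors:
        return Decision(True, False, False, "signed by a Trusted Vendor")
    # Unauthorized file: the security level decides what happens next.
    if rule.security_level == SELF_AUTHORIZE:
        if user_choice is None:
            return Decision(False, True, True, "Self-Authorize: prompt user, log request")
        return Decision(bool(user_choice), True, False, "Self-Authorize: user decision logged")
    return Decision(False, True, False, "Restricted: unauthorized file blocked")


# Constructed sample rule for a test user who is not a Trusted Owner.
SAMPLE_RULE = Rule(
    security_level=RESTRICTED,
    accessible={"\\\\fileserver\\apps\\"},              # UNC folder, per the guide
    prohibited={"C:\\Windows\\regedit.exe"},
    trusted_vendors={"CN=Example Vendor, O=Example Ltd"},
)

if __name__ == "__main__":
    for req in (ExecRequest("C:\\Windows\\notepad.exe", "NT SERVICE\\TrustedInstaller"),
                ExecRequest("C:\\Windows\\regedit.exe", "BUILTIN\\Administrators"),
                ExecRequest("\\\\fileserver\\apps\\tool.exe", "CORP\\alice"),
                ExecRequest("C:\\Users\\alice\\Downloads\\x.exe", "CORP\\alice")):
        print(req.path, "->", evaluate(SAMPLE_RULE, req))
```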
Tasks
This section includes the following tasks:
You can check whether a file has a digital certificate by displaying the Properties dialog
box. A file has a digital certificate if there is a Digital Signatures tab in which you can
view details of the certificate including, signer information, advanced settings and an
option to display the certificate.
This section provides details on Signature Group Management and includes the following:
Manage
Items
Tasks
Manage
The Signature Group Management node allows you to create groups of application types which
you can populate with digitally signed applications. Using the Wizard or a manual approach,
you can scan directories and folders for installed applications and apply digital signatures. You
can also examine a running process and locate all the executable files used by that process and
then apply digital signatures to those files. Files are added to groups which you can later add to
the accessible and prohibited files of User and Group rules.
To add a Signature Group click Add Group in the Signature Groups ribbon page > Manage
group.
To remove a Signature Group, select a Group in the Signature Group Management work area
and click Remove Group in the Signature Groups ribbon page > Manage group. A
confirmation message displays; click Yes to confirm the removal.
Once a Signature Group has Items, you can conduct a full group re-scan to ensure all signatures
are still accurate by selecting the Rescan Group ribbon button.
Reference
Groups
The user defined name for a group of digitally signed files. For example, Windows XP SP2
Signatures, or, Microsoft Office Signatures.
Items
Signature groups can be populated with digitally signed application files, known as Group
Items.
To add a Group Item, select the Group to which you want to add items in the Signature Group
Management work area and do one of the following:
ADD ITEM
You can manually locate executable files and applications to digitally sign and add to a group.
To do this follow the following instructions:
1. Click the Add Item ribbon button in the Signature Groups ribbon page > Items group.
The Open dialog box displays.
2. Navigate to the file you want to add as a Group Item.
3. Click Open.
A digital signature is added to the file and the file is added to the Group Items in the
Signature Group Management work area.
If you want to examine a specific process, make sure the relevant application is running
before launching the Signature Wizard.
To remove a Group Item, select an Item in the Signature Group Management work area and
click Remove Item in the Signature Groups ribbon page > Items group. A confirmation
message displays; click Yes to confirm the removal.
You can re-scan the group items at any time to make sure the signature is still accurate and has
not changed: select a Group Item in the Signature Group Management work area and click the
Rescan Signature ribbon button in the Signature Groups ribbon page > Items group.
Reference
Tasks
This section includes the following tasks:
If you wish to examine a specific process, make sure you have launched the relevant
application before proceeding.
This section provides details on Application Network Access Control and includes the following:
About Application Network Access Control
Network Connection Items
Network Connection Group Management
Tasks
Network Connection Items
Application Network Access Control best practices can be found in the Best Practices chapter
in the Application Network Access Control section.
For details on working with AppSense Application Manager and Streamed Applications refer
to the Streamed Applications appendix.
For further information refer to Add a Network Connection Item directly to a Rule in the
Tasks section.
For further information refer to the Group Items section in Network Connection Group
Management.
Network Connection Items can be cut, copied or dragged and dropped between rules. There
are no default Network Connection Items in a configuration.
The full path of the Network Connection Item cannot exceed 400 characters.
Network Connection Group Management
Groups
Network Connection Groups can be created to group multiple generic Network Connection
Items. Managed centrally, they can be named and re-named easily. The Groups can then be
applied to any Rule.
If the Group Name is amended, it automatically updates in any Rule where the Group is
applied.
Group Items
Network Connection Group Items can be created and added to any Group. Select any existing
Group to display the list of Group Items.
The options available for Group Items are as follows:
Add Item - Displays the Network Connection Details dialog box.
Multiple entries for the same resource name are not allowed in any one list.
Edit Network Connection - Displays the Network Connection Details dialog box for the
selected item. Make the required amendments. Click OK to save and close the dialog box.
Remove Item - Remove a selected item. A confirmation message box displays; click Yes to
confirm removal.
Reference
Connection Type
Select one of the following connection types:
IP ADDRESS
Select to control access to a specific IP Address.
NETWORK SHARE
Select to control access to UNC paths. The prefix \\ is added to the Host field.
HOST NAME
Select to control access to a specific Host Name.
Connection Options
The combined number of characters for all three fields, Host, Port and Path must not exceed
400.
Host
The IP Address or Host Name for the network connection, depending on the type of
connection selected. The wildcards ? and * can be used. Additionally, ranges can be used for IP
Addresses, indicated by a hyphen (-).
An IP Address must be in IPv4 dotted quad format (four octets). For example, n.n.n.n
If Network Share is selected as the connection type, the \\ prefix is required.
The full path for the target resource can be entered in Host.
Example:
Enter http://server1.company.local:80/resource1/ in Host.
Move focus away from Host and the path is automatically split into the separate connection
options:
http:// is removed from the Host field and server1.company.local remains.
: is removed and 80 is moved to Port.
/resource1/ is moved to Path.
This allows a full path to be copied and pasted with ease.
Port
The port number of the network connection. This can be used in combination with IP Address
or Host Name to control access to a specific port. Ranges and comma separated values are
allowed as a part of the port number.
Click Common Ports to display a list of commonly used ports. Select as many ports as
required.
Path
The path of the network connection. The wildcards ? and * can be used. To use wildcards in the
Path, Text contains wildcard characters must be selected.
The Path is only relevant for controlling HTTP and FTP connections.
Include subdirectories
Only applicable if the connection type Network Share is selected. Select to include
subdirectories in the rules processing.
Description
Enter a meaningful description to describe the network connection.
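The Host, Port and Path handling described in this reference, as an added example (not AppSense code): the split of a pasted path into the three fields, the 400-character check, port ranges and comma-separated ports, and ? / * wildcard matching. The wildcard semantics, treating an empty Port as any port, and the subdirectory matching for Network Share items are assumptions made for the example; IP address ranges in Host are not covered.

```python
"""Network Connection Item handling as described for the Network Connection
Details dialog box: the Host field split into Host, Port and Path, the
400-character limit, port ranges and comma-separated ports, and '?' / '*'
wildcards in Host and Path.

Added example, not AppSense code.  The split mirrors the documented behaviour
(http:// removed, ':80' moved to Port, '/resource1/' moved to Path).  The
wildcard semantics (? = one character, * = any run), treating an empty Port as
"any port" and the Network Share subdirectory matching are assumptions.
"""
import re
from dataclasses import dataclass

MAX_TOTAL = 400  # combined length of Host, Port and Path

IP_ADDRESS, HOST_NAME, NETWORK_SHARE = "IP Address", "Host Name", "Network Share"

_SCHEME = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


@dataclass
class NetworkConnection:
    connection_type: str
    host: str
    port: str = ""
    path: str = ""
    path_has_wildcards: bool = False      # "Text contains wildcard characters"
    include_subdirectories: bool = False  # Network Share only


def split_host_entry(entry):
    """Split a full path typed into Host the way the console does."""
    rest = _SCHEME.sub("", entry)              # http:// is removed
    host_port, slash, path = rest.partition("/")
    host, _, port = host_port.partition(":")   # ':' removed, '80' moved to Port
    return host, port, (slash + path) if slash else ""


def parse_port_spec(spec):
    """'80,443,8000-8080' -> [(80, 80), (443, 443), (8000, 8080)]; '' -> []."""
    ranges = []
    for part in filter(None, (p.strip() for p in spec.split(","))):
        low, _, high = part.partition("-")
        low, high = int(low), int(high or low)
        if not (1 <= low <= high <= 65535):
            raise ValueError(f"bad port range {part!r}")
        ranges.append((low, high))
    return ranges


def port_in_spec(spec, port):
    """Empty spec means any port (assumption); otherwise any listed range."""
    ranges = parse_port_spec(spec)
    return not ranges or any(low <= port <= high for low, high in ranges)


def make_item(entry, connection_type=HOST_NAME, **flags):
    """Build an item from a Host entry, enforcing the 400-character limit."""
    if connection_type == NETWORK_SHARE:
        host = entry if entry.startswith("\\\\") else "\\\\" + entry  # prefix added
        port, path = "", ""
    else:
        host, port, path = split_host_entry(entry)
    if len(host) + len(port) + len(path) > MAX_TOTAL:
        raise ValueError("Host, Port and Path together exceed 400 characters")
    parse_port_spec(port)  # reject a malformed port spec early
    return NetworkConnection(connection_type, host, port, path, **flags)


def within_limit(entry, connection_type=HOST_NAME):
    """True when the entry would be accepted (length and port spec valid)."""
    try:
        make_item(entry, connection_type)
        return True
    except ValueError:
        return False


def _wild(text, pattern):
    """Case-insensitive match where ? is one character and * any run."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, text, re.IGNORECASE) is not None


def item_matches(item, host, port, path=""):
    """Does a connection attempt (host, port, path) fall under this item?"""
    if item.connection_type == NETWORK_SHARE:
        target, h = item.host.lower(), host.lower()
        return h == target or (item.include_subdirectories
                               and h.startswith(target.rstrip("\\") + "\\"))
    if not _wild(host, item.host) or not port_in_spec(item.port, port):
        return False
    if not item.path:
        return True  # Path only applies to HTTP and FTP; empty means any path
    if item.path_has_wildcards:
        return _wild(path, item.path)
    return path.lower() == item.path.lower()
```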
Tasks
The following are common tasks that are performed in Application Network Access Control:
This section provides details on Endpoint Analysis and includes the following:
About Endpoint Analysis
Endpoint Management
Installed Applications
Application Usage Scans
Application Data
Data Files
Tasks
Endpoint Scans
The first step is to add Endpoints to the configuration.
About Endpoint Analysis
The Endpoint Analysis work area displays a list of all Endpoints added to the configuration. For
each endpoint the following are shown:
The percentage complete of the Installed Applications Scan.
Whether the Application Usage Scan is On or Off.
The endpoint data is gathered in real time and does not affect the rules processing.
Removing an Endpoint
To remove an endpoint or multiple endpoints, highlight the required endpoints under the
Endpoints node in the navigation tree and select Remove Endpoint in the Endpoint
Analysis Ribbon page > Endpoint Management group.
Data Analysis
All the collected data can be seen in either the Installed Applications or Recorded Data work
area for the selected Endpoint.
You can show any associated files which the application has loaded and also digital certificates
(if the file has been signed).
To add a certificate to any of the Trusted Vendors nodes, either drag and drop a file onto the
Trusted Vendors node (any certificates that exist for that file are added), or select
Show Digital Certificates to display the Certificates dialog box and then drag and drop
from that window into the configuration.
Endpoint Management
You can add and remove endpoints from the configuration.
You can add an endpoint by one of the following methods:
Browse Deployment Group - Displays the Select Management Server dialog box
Browse Domain/Workgroup - Displays the Active Directory Select Computers dialog box.
For further information see Adding an Endpoint by Domain/Workgroup in the Tasks section.
To remove an endpoint, highlight the required endpoint and select Remove Endpoint in the
Endpoint Analysis Ribbon page > Endpoint Management group.
Installed Applications
To retrieve a list of applications that are installed on an endpoint do one of the following:
Run Endpoint Scan - Select the endpoint in the navigation tree for which to run a scan. All
installed applications display in the Installed Applications work area.
An Endpoint Status dialog box displays while the scan is completing.
You can make the Endpoint Status dialog box transparent by clicking and dragging the
Transparency slider.
For further details see Running an Endpoint Installed Applications Scan in the Tasks section.
Run Scan for all Endpoints - to scan all endpoints listed in the navigation tree. Click on an
endpoint to display the list of installed applications in the Installed Applications work area.
The Installed Applications Scan detects applications that have been installed using Windows
Installer technology.
To start recording, select the Endpoint you want to scan and click Start Application Usage
Scan on the Endpoint Analysis ribbon page > Application Usage Scans group.
Make sure that the selected endpoint is connected. For a connection to be made, the following
must be installed or available on the target endpoint:
Application Manager Agent
Application Manager License
Access to admin share
- To test access, open Windows Explorer and enter \\<computer name>\C$ in the Address bar. If you
can see the files, the share is working.
To stop recording, select the Endpoint being scanned and click Stop Application Usage Scan
on the Endpoint Analysis ribbon page > Application Usage group.
We recommend you run the Application Usage Scan for a minimum of 5 days, or a period
over which the user would perform all their normal activities in their role, to ensure all
applications are captured.
When the recording has been stopped, the File dialog box displays. Enter a name to save the
file. The files are saved in xml format and a new node is created for each xml file in the
navigation tree under the Recorded Data node of the selected Endpoint.
For further details, see Running an Application Usage Scan in the Tasks section.
To delete any of the xml files select Delete File on the Endpoint Analysis ribbon page >
Application Usage Scans group.
Application Data
The application data can be seen in detail for both the Installed Applications Scan and the
Application Usage Scan.
You can select to display the associated loaded files or the digital certificates.
Show Loaded Files - displays the Loaded Files dialog box. Drag and Drop any of the files to
add to the configuration.
Show Digital Certificates - displays the Certificates dialog box. Drag and Drop any of the
certificates to add to any of the Trusted Vendors node in the configuration.
Data Files
You can import or export the data gathered by either the Installed Applications Scan or the
Application Usage Scan.
Import - displays the Import dialog box. Locate the xml file you want to import and click
Open.
Export - displays the Export dialog box. Navigate to the folder to export to and enter the file
name and click Save.
Tasks
The following tasks are provided to help with Endpoint Analysis:
You can increase or decrease the transparency by clicking and dragging the Transparency
slider; this lets you see the console and continue working while the scan is taking place.
3. Once the scan is complete, the Installed Applications node under the selected Endpoint is
populated with the data, shown in the Installed Applications work area.
The work area displays the Endpoint Summary; the endpoint must show as Connected before
you can proceed with the scan.
2. Click Start Application Usage Scan in the Endpoint Analysis ribbon page >
Application Usage group.
Notice that in the Endpoint Summary section of the work area the status changes from Not
recording to Recording and the light changes from red to green.
3. To stop the recording, click Stop Application Usage Scan in the Endpoint Analysis
ribbon page > Application Usage group.
The File dialog box displays.
4. Enter a file name and click OK to save the file.
The file is saved in xml format and a new node is created with the file name under the
Recorded Data node for the selected Endpoint.
Chapter 9 Rules Analyzer
This section provides details on Application Manager Rules Analyzer and includes the following:
About Rules Analyzer
Endpoint Management
Data Acquisition
Data Files
Tasks
About Rules Analyzer
FEATURE SUMMARY
The Rules Analyzer console allows you to diagnose Application Manager problems by
connecting directly to computers controlled by Application Manager, and includes:
Creating Log Files – You can create log files on computers controlled by Application
Manager.
Examining Log Files – You can retrieve and examine log files to view the requests processed
by Application Manager. In particular you can see which rules were applied to each request
and whether the request was allowed or denied.
Anonymous logging - User names are not written to the log file; they appear as
Unknown\Anonymous instead. To enable it, navigate to the Endpoints node in the navigation
tree and select the Anonymous Logging check box in the work area.
GETTING STARTED
The Rules Analyzer console is used to create Application Manager log files and to retrieve and
examine the log files.
A computer node allows you to control logging on a specific computer and to retrieve log files
from that computer. Below each computer node is a node for each retrieved log file.
You can view a summary page, view all requests or view the requests for a specific user. You
can restrict the view to the denied or the allowed requests. Within the analysis panel you can
navigate to a specific request and view the full details of that request, including which rules
were applied by Application Manager.
Users must be logged on with an account that allows read and write access to the registry of
any machine for which you wish to generate logs using Rules Analyzer, and read and write
access to the local registry of the machine on which the management console operates.
On remote computers running Microsoft Vista, File Sharing and the Remote Registry Service
are disabled by default and must be enabled to ensure the Rules Analyzer can create or access
log files.
Start the Remote Registry Service in Start > Control Panel > Administrative Tools > Services.
Turn on File Sharing in Start > Control Panel > Network and Sharing Center.
CHECKLIST
You must have the following to use Rules Analyzer:
Application Manager Agent installed on the endpoint.
License installed on the endpoint.
Application Manager configuration installed on the endpoint.
Admin share rights to the endpoint.
Reference
The Summary page displays when you select a log file node in the navigation tree.
It shows the number of requests processed by Application Manager. The top row of the table
shows the total number of requests for all users. The remaining rows show the number of
requests for each user. The Total column shows the total number of requests, allowed and
denied. The Allowed/Denied column shows the number of allowed or denied requests.
Click on any Total link to display the Log File Contents Request List.
To export the log file in XML format select the Export ribbon button.
You can select View the requests by processing time on the Summary page to display a
Request List page showing requests sorted with the longest running request first.
Use the Return link at the top of the page to navigate to the previous page and the
Summary link to return to the Summary page. The Back button on the console toolbar is
for navigating the navigation tree.
Endpoint Management
Add and remove endpoints in the navigation tree. See Add an Endpoint on page 66 in the Tasks
section.
Data Acquisition
Start and stop logging on endpoints. See Create and retrieve a log file on page 66 in the Tasks
section.
Data Files
Import, Export or delete a data file. Data files are in XML format and can be opened and
imported into Rules Analyzer nodes or saved and exported out.
Tasks
This section shows how to perform common tasks using Rules Analyzer, and includes:
ADD AN ENDPOINT
1. Select the Rules Analyzer navigation button.
The Rules Analyzer navigation tree displays.
2. Click the Add Endpoint button on the Rules Analyzer ribbon page > Endpoint
Management group.
3. Select either Browse Deployment Group or Browse Domain/Workgroup depending
on the location of the endpoint you want to add.
Browse Deployment Group displays the Select Management Server dialog box.
Browse Domain/Workgroup displays the Active Directory Select Computers dialog box.
Locate the required endpoint and click OK.
4. A new node is created for the selected endpoint under the Endpoints node in the
navigation tree.
On remote computers running the Microsoft Vista operating system, File Sharing and the
Remote Registry Service are disabled by default and must be enabled to ensure the Rules
Analyzer can create or access log files.
Start the Remote Registry service in Start > Control Panel > Administrative Tools > Services.
Turn on File Sharing in Start > Control Panel > Network and Sharing Center.
Chapter 10 Auditing
This section provides details on AppSense Application Manager Auditing and includes the
following:
Audit
Local Events
Audit
Auditing allows you to define rules for the capture of auditing information. These include rules
about where event data is stored when logging to a local file and to the application event log,
and a filter for specifying the events you wish to capture in the log.
Local Auditing allows you to specify whether to log events in the Windows Application Event
Log or to a custom AppSense Event Log. Events can be written to a local file in CSV or XML
format.
By default, the log file is located at
%SYSTEMDRIVE%\AppSenseLogs\Auditing\ApplicationManagerEvents_%COMPUTERNAME%.csv (or .xml)
An alternative location can be configured for the log file. In this mode auditing also includes an
event filter to log only specific events.
In Enterprise installations, events can be forwarded to the AppSense Management Center via
the Client Communications Agent (CCA). When using this method for auditing, event data
storage and filtering is configured through the AppSense Management Console. For more
information see the AppSense Management Center Administration Guide.
Reference
Summary
You can only send the events to the Application Event Log or the AppSense Event Log.
Local Events
The Event filter table is a comprehensive list of all events and is used to select the events you
wish to audit. You can sort the table numerically by ID number, or alphabetically by Event Name
or Event Description. Selected events are highlighted in bold. Click Toggle to switch an event
between selected and cleared.
Events 9001, 9007 and 9014 are disabled by default because they can generate excessive event
data on busy endpoints. We recommend these events are only used for troubleshooting
purposes, and only for short periods of time.
A warning displays at the top right of the Event filter list if you select high-volume events:
event IDs such as 9001, 9007 and 9014 can generate a very high volume of events on busy
endpoints.
ID    Event Name              Event Description                                       Type
9012  Trusted Vendor Denial   Digital Certificate failed Trusted Vendor check.        Warning
9095  Not configured          AppSense Application Manager has not been configured.   Warning
† Multiple 9001 events could be generated by a single request for an application due to the way in
which Windows responds to execution requests. Therefore, we recommend you use event 9015
to accurately audit how many times an application has been run by a user.
‡ We recommend you use event 9015 to accurately audit how many times an application has been
run by a user and not event 9001.
System Events
The following are non-configurable system events:
Reference
Log Locally
Select the events to log locally.
Toggle Selected
Select any number of events from one to all. Toggle to switch the Log Locally check box
between being selected and cleared.
Event Filtering
Select to display the Event Filtering dialog box.
Chapter 11 Configuration Profiler
This section provides details on the Configuration Profiler and includes the following:
Report Type
Report Criteria
Report Output
Report Type
The configuration profiler allows administrators to report on configurations stored locally or in
the central database. General reports are produced to assist auditing and compliance, for
example Sarbanes-Oxley or HIPAA. Custom reports can be produced for specific users,
applications and devices to assist troubleshooting of large configurations.
The configuration profiler is a basic reporting tool that can be used to generate quick reports
based on the details of a loaded product configuration. The report can be generated in the
following ways:
Complete Report - Produces a report which includes all aspects of the configuration.
Report based on specific criteria - Produces a report which is based on the specified criteria
as selected in the Report Criteria section.
Report Criteria
Use the criteria to specify what is to be included in the report.
Enter the value to match for any of the following:
User
Group
File
Folder
Network Connection
Device
Report Output
The report output is produced in sections and sub-sections.
In the preview window you can change the following:
Paper
Size
Watermarks
From this preview you can also save the report in various formats, for example PDF, and print
the report.
Chapter 12 Best Practices
This section provides information about best practices for managing your Application Manager
configuration and includes the following:
Scripted Rules
Use Scripted Rules to Allow Items
Use Scripts to Query Information
Use Validated Scripts Only
Endpoint Analysis
When to run Installed Applications scan
Period to run Usage Scan
Use NTFS Security
By default, all applications on non-NTFS formatted drives are not trusted and their execution
requests are blocked, because Trusted Ownership checking relies on the file owner information
that only NTFS records. It is highly recommended to use digital signatures for files on non-NTFS
formatted drives by adding the signatures to the Accessible Items list to allow those applications
to run.
Signature checking is most effective when used to secure application files that cannot be
protected by the default Trusted Ownership checking. Combining generic Trusted Ownership
checks with specific signature checks where necessary provides a secure but easily maintainable
solution.
For further information on the use of reverse DNS lookups in Application Network Access
Control refer to the Appendix Application Network Access Control and Reverse DNS Lookup.
If you shut down while an Application Usage Scan is taking place, the scan carries on from
where it stopped once the machine is restarted.
Appendixes
This section provides additional or supporting information about topics covered in the Guide
and includes:
System Requirements
Working with Scripted Rules
Licensing
Application Network Access Control and Reverse DNS Lookup
Streamed Applications
Appendix A System Requirements
This appendix provides details on the System Requirements for AppSense Application Manager.
Supported Technologies
Citrix XenApp
Citrix XenDesktop
For details on working with AppSense Application Manager and Streamed Applications refer
to the Streamed Applications appendix.
Installed Components
The following components are installed as part of the AppSense Management Suite Installer:
Windows Installer 3.1 Redistributable (v2)
Microsoft Core XML Services (MSXML) 6.0
Microsoft .NET Framework 2.0 Redistributable Package
Microsoft Visual C++ 2005 SP1 Redistributable package
Appendix B Working with Scripted Rules
This section provides details about creating the scripts used in scripted rules, includes a sample
script, and covers the following:
About Scripted Rules
Writing a Script
Sample Scripts
Best Practices
Writing a Script
Each script runs within a hosted script engine, which allows greater control over script execution
and provides a high degree of input and output control.
No VBS file is used.
No separate process is spawned.
A script must be written as a function. The script can contain many functions, but a main start
function must be specified. The start function is run by the Application Manager agent. Other
functions can be called by the start function.
The start function must return a True value for the script to pass and apply the rule settings.
Otherwise, the start function returns False, by default, and the rule does not apply.
The AMScriptRule COM object is built into the scripting engine and provides access to the
following methods:
strUsername = AMScriptRule.UserName
strUserdomain = AMScriptRule.UserDomain
strSessionid = AMScriptRule.SessionID
strStationname = AMScriptRule.WinStation
In this instance the Microsoft standard means that WinStation returns the name of the
Terminal Services session, which is determined by the type of session, with typical values
being 'Console' or 'RDP-Tcp#34', rather than the Window Station name, which is typically
WinSta0.
Using WScript.Shell to expand environment variables only returns SYSTEM variables.
Sample Scripts
The following are sample scripts:
' The lines before objOU.Filter were missing from this copy of the sample; the function header,
' the user name lookup, the OU binding and the outer If are reconstructed so the sample is
' complete. The LDAP path is a placeholder to replace with your own OU.
Function MyScript()
    MyScript = False
    On Error Resume Next
    strUserName = AMScriptRule.UserName
    Set objOU = GetObject("LDAP://OU=<your OU>,DC=<your domain>,DC=<suffix>")
    If Err.Number = 0 Then
        objOU.Filter = Array("user")
        For Each objUser In objOU
            'Check if there is a match with the user logging on
            If objUser.sAMAccountName = strUserName Then
                'if there is, then set the function to True
                MyScript = True
            End If
        Next
    End If
    'Unless there is a username match, the function defaults to False
End Function
Best Practices
The following are recommended as best practices for creating and running scripted rules:
In the event that the scripted rule times out, the rule settings do not apply.
In the event that the Scripted Rule fails to complete because of an error in the script, the
rule settings do not apply.
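As an added example, not a script from the guide, the following start function uses the AMScriptRule properties described under Sample Scripts and follows the best practices above: it sets its result to False before anything else, reads only local session data so it cannot time out on a lookup, and returns True only for a console log-on from an expected domain. The function names, the session test and the domain name CORP are assumptions, not values from the guide.

```vbscript
' Added example, not a script from the AppSense guide. The hosted engine calls the start
' function named in the rule; here that is MyStartFunction. "CORP" is a placeholder domain.
Function IsRemoteSession(strStation)
    ' AMScriptRule.WinStation holds the Terminal Services session name ("Console",
    ' "RDP-Tcp#34", ...), not the Window Station name (WinSta0), so any session that is
    ' not "Console" is treated as remote.
    IsRemoteSession = (StrComp(strStation, "Console", vbTextCompare) <> 0)
End Function

Function MyStartFunction()
    Dim strDomain, strStation
    ' Set the result to False before doing anything else. A script that errors or times out
    ' does not apply the rule, so starting from False keeps the outcome predictable.
    MyStartFunction = False
    On Error Resume Next

    strDomain = AMScriptRule.UserDomain
    strStation = AMScriptRule.WinStation

    ' If either property could not be read, keep the False result instead of failing the script.
    If Err.Number <> 0 Then
        Err.Clear
        Exit Function
    End If

    ' Only local session data is examined, with no directory or network lookups,
    ' so this check cannot run into the scripted rule timeout.
    If Not IsRemoteSession(strStation) Then
        If StrComp(strDomain, "CORP", vbTextCompare) = 0 Then
            MyStartFunction = True
        End If
    End If
End Function
```

Specify MyStartFunction as the start function in the scripted rule; the rule settings apply only when it returns True.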
Appendix C Application Network Access Control and Reverse DNS Lookup
This appendix provides details on extending Application Network Access Control to use reverse
DNS lookups.
The Application Network Access Control feature can use reverse DNS lookups when evaluating
Network Connection rules. The feature is turned off by default, as the time it takes to retrieve
this information from DNS servers may degrade the performance of network applications.
Enabling this feature makes the network rules more effective in situations where users or
applications request network resources using IP addresses while the configuration is based on
host names.
The reverse DNS lookups can be enabled by configuring a set of engineering keys.
For further information refer to the AppSense Application Manager Engineering Keys Guide.
This feature requires an administrator to enable and configure Reverse DNS Zones on the DNS
servers.
Appendix D Licensing
The AppSense Management Suite Licensing Console allows you to create and manage
AppSense product licenses.
This section provides details about using the console, and includes the following:
About License Manager
Managing Licenses
Troubleshooting
About License Manager
For information about Enterprise license management and deployment, see the AppSense
Management Center Administration Guide.
Managing Licenses
The following procedures show how to add and activate a new license and how to import and
export licenses to Microsoft Windows Installer (*.msi) files for distribution to other computers or
to back up a set of licenses.
Troubleshooting
I received an AppSense license, what do I do?
If you have received an AppSense product license from AppSense, you can load the license by
launching the Management Suite Licensing Console on your client computer and entering the
license code and activation code.
Enter the product license exactly as received. Once a license has been successfully entered, the
system updates the description details stating the products and duration for which the license is
valid.
I have entered an AppSense license, but it is for evaluation, what does this mean?
If you are trying an AppSense product before purchasing, the product installs with an option to
automatically install an evaluation license. Evaluation licenses are limited to 21 days, during
which time you can familiarise yourself with the product.
Once the expiry date has been reached, contact AppSense to obtain a full license to continue
using the product.
I have tried to enter an AppSense license, but it says it is invalid, what can I do?
Check that the license code has been typed correctly. Check it is a license code and not an
activation code that has been entered.
If you are still sure you have entered the license correctly but it is not accepted, contact
AppSense support.
Appendix E Streamed Applications
This section provides details on how to allow Application Manager to work with applications
provisioned via the following streaming technologies:
Citrix XenApp
Citrix XenApp
To set up Citrix XenApp streaming applications to work with certain elements of Application
Manager you need to specify certain exclusions, as follows:
1. Navigate to Citrix Streaming Profiler for Windows.
2. Open the Application Profile.
3. Highlight the relevant Target and select the Edit menu.
4. Select Target Properties.
The Target Properties screen displays.
5. Select Rules.
The Rules work area displays on the right hand side.
6. Click Add in the Rules work area.
The New Rule Select Action and Objects dialog box displays.
7. In the Action section leave the default setting as Ignore.
8. In the Object section select Named Objects and click Next.
The New Rule Select Objects dialog box displays.
9. Select Some Named Objects and click Add.
The Choose Named Object dialog box displays.
10. Add \??\pipe\Appsense* and click OK.
This displays in Named Objects on the New Rule Select Objects dialog box.
11. Click Next to display the New Rule Name Rule dialog box.
12. Enter a name for the rule or accept the default and click Finish.
13. Click OK.
The Target Properties screen re-displays and the Ignore all named objects rule is now
listed in the work area on the right hand side.
14. Save the Profile.
15. Repeat for each Application Profile as required.
GLOSSARY
AAC
Accessible Items
Agent
Application Limit
Audit Only
CCA
Configuration
Configuration File
Configuration Profiler
Console
Deploy
Digital Signature
Event
Node
OU
Prohibited Items
Rule
Security Level
Security Identifier
Self-Authorizing User
SID
Time Limits
Trusted Applications
Trusted Ownership
Trusted Vendors
Wildcards
AAC
Citrix Advanced Access Control.
Accessible Items
Accessible Items are files, folders, drives or digitally signed files or groups of files in an
Application Manager configuration Rule which are allowed to run when file execution requests
are matched with the rule security settings and would otherwise be prohibited by other
configuration settings.
See also: Prohibited Items and Trusted Vendors
Agent
A proactive software component which implements the product configuration rules. For
example, the Application Manager Agent is software that runs as a Windows service to validate
execute requests according to the rules in the configuration installed on a computer.
Application Limit
Application Limits specify the number of instances of an application a user can run. An
application limit can be applied to an item in the Accessible Items node.
Audit Only
Security Level assigned to users, groups or devices in an Application Manager Rule which audits
events according to the Auditing Configuration without applying the rule. Used for passive
monitoring in evaluations to assess application usage on the host environment.
CCA
Client Communications Agent. Installed on computers operating in an Enterprise installation to
provide a link between the product agent running on a managed computer and the AppSense
Management Center.
The CCA sends event data generated by the product agents to the Management Server and
also polls the Management Server to manage the download and installation for software
configuration, agent and package updates.
The CCA can be downloaded and installed directly on managed machines from the
Management Server website.
Configuration
The Application Manager configuration consists of lists of files/folders that you have decided
should be Accessible Items, Prohibited Items and Trusted Vendors. The configuration also
contains optional settings and text to be displayed to the user. A configuration is created and
managed using the Application Manager Console and used by the Application Manager Agent
and is saved in Application Manager Package Files (*.aamp). The agent uses the configuration
settings to determine whether or not an execute request is to be denied.
Configuration File
An Application Manager configuration exported from the Console and saved in Windows
Installer .MSI file format. The file can be installed on any computer and the configuration's rules
are applied when an Application Manager Agent is present and running as a service on the
computer.
Configuration Profiler
Generates reports detailing the current settings in the Configuration. Filtering options allow you
to query settings affecting specific users or groups, devices, and files or folders.
Console
AppSense Application Manager software interface.
Deploy
To deliver a configuration or AppSense software component to one or more computers, which
can include the local machine.
Digital Signature
Application Manager uses the SHA-1 algorithm for applying a digital signature to uniquely
identify files.
The signature can be used as a security measure when adding files as Accessible Items,
Prohibited Items and Trusted Vendors.
Signatures can also be used for allowing applications on non-NTFS formatted drives to run,
which Application Manager would otherwise block by default. Add the digital signatures to the
Accessible Items list and disable trusted ownership checking for the individual files. Signature
Group Management provides easier administration for large groups of signatures.
Accessible Items with digital signatures can be used to verify that the file which the user is
attempting to run is actually the file permitted by the administrator.
Prohibited Items with digital signatures can be used to ensure the file is always prevented from
executing, even when the user renames the file.
Event
An Event is generated by Application Manager to report file execution requests, overwrites or
renames and Self-Authorizing User decisions. The event number indicates the outcome of the
request. Events are logged according to the method set up in the Auditing node.
Node
A node is a term used in the Application Manager Console to represent a branch in the
navigation tree.
OU
Organizational Unit. A container that holds users and computers in Active Directory.
Prohibited Items
Prohibited items are files, folders, drives or digitally signed files or groups of files specified in an
Application Manager Rule which are not allowed to run when file execution requests are
matched with the rule security settings and would otherwise be allowed by other Configuration
settings.
See also: Accessible Items and Trusted Vendors
Rule
A Configuration rule assigns a Security Level to the specified users or groups, devices and
combinations of these and contains control lists for Accessible Items, Prohibited Items and
Trusted Vendors. Application Manager intercepts kernel level file execution requests and
matches these with the configuration rules to implement security controls.
Security Level
Application Manager configuration Rule settings include security levels which specify how to
manage requests to run unauthorized applications by the users, groups or devices which a rule
matches.
Restricted — Only authorized applications can run. These include files owned by members of
the Trusted Owners list and files listed in Accessible Items, Trusted Vendors and Trusted
Applications.
Self-Authorizing — Users are prompted for decisions about blocking or running unauthorized
files on the host device.
Audit only — All actions are permitted but events are logged and audited, for monitoring
purposes.
Unrestricted — All actions are permitted without event logging or auditing.
Security Identifier
(SID) A data structure of variable length that identifies user, group, and computer accounts.
Every account on a network is issued a unique SID when the account is first created. Internal
processes in Windows refer to an account's SID rather than the account's user or group name.
Likewise, Application Manager also refers to a user or group SID unless the SID could not be
found when the user or group was added to the configuration.
Self-Authorizing User
User, group or device granted control to choose whether to block or run an unauthorized
application on the host computer. The Self-authorizing Security Level can be assigned in an
Application Manager Rule to match a file execute request for users, groups or devices.
SID
See Security Identifier.
Time Limits
Settings applied to entries in the Accessible Items and Prohibited Items nodes of an Application
Manager Rule which determine day and time ranges when the controls apply.
For example, an entry in the Prohibited Items node of a rule can prevent users from running the
local web browser except between the hours of 12pm and 2pm on specific days of the week.
Trusted Applications
Trusted Applications are files which are authorized to run by the Application Manager
configuration and can execute files which are normally prohibited. Trusted Applications are
designated in the Default Rules and include specified Trusted Content, which consists of files
that are normally prohibited but allowed when executed as a child process of the associated
Trusted Application.
For example, essential applications such as antivirus update software are usually allowed to
run, but may also depend on running particular downloaded executables, which are normally
prohibited, to perform an update. The antivirus software is added to the rules as a Trusted
Application, and the prohibited downloaded executable which the antivirus needs to run is
added as Trusted Content of that Trusted Application.
Add certain files and file types as Trusted Content. Extend this trust to folders and drives to
allow files in these locations to run as Trusted Content of the Trusted Applications. Trusted
Application matching takes place when a file is prohibited by a rule or fails Trusted Ownership
checking.
Trusted Ownership
Trusted Ownership checking is a secure method Application Manager uses to prevent users
running unauthorized applications. On NTFS formatted drives, files have owners and
Application Manager is configured, by default, to only allow files to be executed if the file
owner is a member of the Trusted Owners list. If a user tries to run a file that is not owned by
a trusted owner, the execute request is denied and a message notifies the user. Any files
downloaded from the internet or received in e-mail are owned by the user, so those files are not
permitted to run unless ownership is held by members of the trusted owner list.
By default, Application Manager blocks execution requests for all applications on non-NTFS
formatted drives.
Trusted Vendors
Trusted Vendors are digital certificates signed by trusted sources. Trusted Vendor checking
allows applications which fail Trusted Ownership checking to match digital certificates with the
Trusted Vendors list.
A list of Trusted Vendors can be defined for each User, Group, Device, Custom and Scripted
Rule of the configuration.
Application Manager queries each file execution which fails Trusted Ownership checking to
detect the presence of a digital certificate. If the file has a digital certificate which is signed by a
certificate authority matching a valid entry in the Trusted Vendor list, the file is allowed to run.
Trusted Vendor matching takes place when a file is prohibited by failing Trusted Ownership
checking and Trusted Application checking.
Wildcards
Both the asterisk (*) and question mark (?) characters can be used in a file or folder path in the
Application Manager Console. The asterisk represents one or more characters, excluding the
back slash (\) character, whilst the question mark wildcard represents one character, excluding
the forward slash (/) character. Both of the wildcard characters can be used in any part of a file
path, including the drive letter for local paths.
For example, c:\sample path\test?\*.exe matches all files with the .exe extension in the
folders c:\sample path\test1, c:\sample path\test2, ... c:\sample path\testn. But since the
question mark can only replace one character, it does not match c:\sample path\test100. The
only limitation imposed by Application Manager on the use of wildcards is that the asterisk
cannot be used to match more than one subdirectory.
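An added example, not code from the guide or the product: a matcher that models the wildcard semantics just described, so a path pattern can be checked against sample paths before it goes into a rule. The function names are assumptions; the pattern and the test1/test100 paths are the ones from the text, plus a path with an extra subdirectory to show the asterisk limitation.

```vbscript
' Added example, not from the AppSense guide: models the console's wildcard rules.
' "*" stands for one or more characters except backslash, so it cannot span a subdirectory;
' "?" stands for exactly one character except forward slash.
Function WildcardToRegex(strPattern)
    Dim i, ch, strOut
    strOut = "^"
    For i = 1 To Len(strPattern)
        ch = Mid(strPattern, i, 1)
        Select Case ch
            Case "*"
                strOut = strOut & "[^\\]+"
            Case "?"
                strOut = strOut & "[^/]"
            Case "\", ".", "(", ")", "[", "]", "{", "}", "+", "^", "$", "|"
                ' Escape regular-expression metacharacters that appear literally in the path
                strOut = strOut & "\" & ch
            Case Else
                strOut = strOut & ch
        End Select
    Next
    WildcardToRegex = strOut & "$"
End Function

Function PathMatches(strPattern, strPath)
    Dim re
    Set re = CreateObject("VBScript.RegExp")
    re.Pattern = WildcardToRegex(strPattern)
    re.IgnoreCase = True   ' Windows paths are case-insensitive
    PathMatches = re.Test(strPath)
End Function

' Worked checks with the pattern from the text (run with cscript to see the results)
Dim strRule
strRule = "c:\sample path\test?\*.exe"
' A one-digit folder name, as in the text
WScript.Echo strRule & " vs test1\app.exe: " & PathMatches(strRule, "c:\sample path\test1\app.exe")
' A three-digit folder name, where ? would have to stand for three characters
WScript.Echo strRule & " vs test100\app.exe: " & PathMatches(strRule, "c:\sample path\test100\app.exe")
' An extra subdirectory, where * would have to cross a backslash
WScript.Echo strRule & " vs test1\sub\app.exe: " & PathMatches(strRule, "c:\sample path\test1\sub\app.exe")
```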