-
Go to the Configure Policy screen by performing one of the following:
- Classic Mode: Go to SECURITY AGENTS and select a group. Click the Menu icon (three vertical dots) > Configure Policy.
- Advanced Mode: Go to POLICIES > Policy Management. Click Add or click an existing policy.
-
In the Configure Policy page, click on the Windows icon.
-
On the left pane, under Access Control, click Application Control and enable Application Control.
-
Make sure that Block: Block specified applications from executing on endpoints is selected then click + Assign Rules.
-
To block applications from the Certified Safe Software List:
-
From the Application Control Rules window, click + Add Rule and select Block.
-
Type in the rule name. Select Application Reputation List from the Match method: drop-down menu then click Manage Applications.
-
On the left pane, select a category.
-
On the right pane, select the applications to block then click OK.
- Trend Micro updates the Trend Micro Application Reputation List periodically to include new applications.
- To block all applications within a category, select the Application column heading.
- If user wish to automatically block new applications, they can select the "Block All Application %CATEGORY%" selection on top of the app list in each category.
-
The selected applications are added to the Block Rule Settings list. Click Save.
-
Click OK.
-
Click Save.
-
-
To block applications from the Gray Software List, follow the steps from 5a-5g. Make sure that from the Match method drop-down menu, Gray Software List is selected before clicking Manage Applications.
-
To block applications based from the File or Folder Paths:
-
From the Application Control Rules, click + Add Rule and select Block.
-
Type in the rule name. From the Match method drop down menu, select File or folder paths then click Add.
-
Specify the File or Folder path to block then click Add.
For Example:
- C:\Program Files (x86)\Notepad++\notepad++.exe
- C:\Program Files (x86)\Adobe
The following table lists the paths that you cannot use in Application Control.
Path $programdir$\Trend Micro\Client Server Security Agent $programdirx86$\Trend Micro\Client Server Security Agent C:\Program Files\Trend Micro\Client Server Security Agent C:\Program Files (x86)\Trend Micro\Client Server Security Agent $programdir$\Trend Micro\BM $programdirx86$\Trend Micro\BM C:\Program Files\Trend Micro\BM C:\Program Files (x86)\Trend Micro\BM $programdir$\Trend Micro\WFBSSUpdater $programdirx86$\Trend Micro\WFBSSUpdater C:\Program Files\Trend Micro\WFBSSUpdater C:\Program Files (x86)\Trend Micro\WFBSSUpdater $programdir$\Trend Micro $programdirx86$\Trend Micro C:\Program Files\Trend Micro C:\Program Files (x86)\Trend Micro Wildcards are not supported. -
Click Save.
-
Click OK.
-
Click Save.
-
-
To block applications based from the based Application’s File Hash.
-
From the Application Control Rules, click + Add Rule and select Block.
-
Type in the rule name. From the Match method drop down menu, select Hash values. .
-
From the Input method, you have an option to manually add the hash value of an application to allow or block or by importing a CSV file using the import function.
For Manual Input Method:
-
Make sure that Manual is selected as the Input method then click + Add.
-
Type in the application’s file hash. Press enter as you enter each of the application’s file hash. Click Add.
Optionally, provide a note regarding the reason to block the program.
-
The application’s file hash is added to the File Hash List. Click Save.
- Click OK.
For Import Input Method:
-
Make sure that Import is selected as the Input method then click Select File.
-
Download the importFileHashSample.csv by clicking the CSV sample format link to know how to manually create a CSV file.
-
Download the Hash Generator tool (Hash_Gen_Tool.zip) to obtain the hash values of all installed applications on an endpoint in CSV format. The ZIP file has a README.txt file which includes instructions on how to use the tool.
For more information, visit the WFBS-SVC online help section: Using the Hash Generator Tool.
-
- Once the CSV file is uploaded, click Save and follow the on-screen instructions.
-
-
Before locking down an endpoint, Application Control scans the endpoint and creates a complete application inventory. Only applications that already exist in the inventory can execute on the endpoint. During Lockdown, Application Control prevents the execution of upgrade or installation packages.
Depending on the user's environment, the inventory scan can take several hours to complete. Periodically check the Application Control status on the Security Agent console. The inventory scan might also affect endpoint performance. Plan cautiously before applying Lockdown to any server.
-
Go to the Configure Policy screen by performing one of the following:
- Classic Mode: Go to SECURITY AGENTS and select a group. Click the Menu icon (three vertical dots) > Configure Policy.
- Advanced Mode: Go to POLICIES > Policy Management. Click Add or click an existing policy.
-
Click on the Windows icon.
-
On the left pane, under Access Control, click Application Control and enable Application Control.
-
Make sure that Lockdown: Block all applications not identified during the last inventory scan is selected.
By default, the option Exclude applications by Trend Micro trusted vendors (Recommended) is enabled when switching to Lockdown mode.
-
Enable Exclude any process tree that originated from a Microsoft-signed program (including Windows Update).
In order for the users to be able to perform Windows Update smoothly, the Lockdown mode feature has an option to exclude Microsoft-signed applications and processes which is disabled by default when enabling Lockdown mode. Trend Micro recommends to disable this option when Windows Update is complete in order for these Microsoft-signed filed to be blocked again since they're not on the inventory scan list.
Disabling the option to exclude Microsoft-signed applications and processes will result to some of the executable files being downloaded on the computer during Windows update to be blocked. This is because that these files were not on the computer when agent performed the inventory scan.
In order for these executable files to execute even after Windows Update, users should trigger another inventory scan. However, when inventory scan is re-triggered, the executable files which were not downloaded during the Windows update will be bypassed.
As a recommendation, users can consider the following:
-
Re-trigger inventory scan by switching Application Control policy to block mode then back to lockdown mode.
Make sure that Security Agents will get the policy being applied first before switching back to mode. - If there are files that need to be blocked after re-triggering the inventory scan, users can apply block rules to block these PE files.
Application Control rules support Windows system variables in file or folder paths. The following table displays the variables supported by Worry-Free Business Security Services.
System Variable | Description |
---|---|
%APPDATA% | Refers to the C:\Users\{current_user_account}\AppData\Roaming folder for the logon user. |
%CommonProgramFiles% | Refers to the C:\Program Files\Common Files folder. |
%COMMONPROGRAMFILES(X86)% | Refers to the C:\Program Files (x86)\Common Files folder on 64-bit systems. |
%LOCALAPPDATA% | Refers to the C:\Users\{current_user_account}\AppData\Local folder for the logon user. |
%ProgramData% | Refers to the C:\ProgramData folder. |
%PROGRAMFILES% |
The Program Files folder. A typical path is C:\Program Files. |
%PROGRAMFILES(X86)% | Refers to the C:\Program Files (x86) folder on 64-bit systems. |
%SystemDrive% |
Refers to the drive where the system folder locates. A typical path is C:. |
%SYSTEMROOT% |
Refers to the root of the system drive. A typical path is C:\Windows |
%TEMP% | Refers to the C:\Users\{current_user_account}\AppData\Local\Temp folder for the logon user. |
%TMP% | Refers to the C:\Users\{current_user_account}\AppData\Local\Temp folder for the logon user. |
%USERPROFILE% |
Refers to user’s profile folder. A typical path is C:\Users\{current_user_account} |
%WINDIR% |
Refers to the Windows folder located on the system drive. A typical path is C:\Windows |