Creating rules and deploying policy in Endpoint Application Control (EAC)

    • Updated: 21 Jul 2016
    • Product/Version: Endpoint Application Control 1.0, Endpoint Application Control 2.0
    • Platform: Windows 2003 Enterprise, Windows 2003 Standard, Windows 2008 Enterprise, Windows 2008 Standard, Windows 7 32-bit, Windows 7 64-bit, Windows 8 32-bit, Windows 8 64-bit, Windows Vista 32-bit, Windows Vista 64-bit, Windows XP Professional

Summary

A rule defines the application(s) to allow or block on a client. A policy is where the rules are added or created.

Policies are deployed to a target client based on the matching criteria and not by the assigned rules. A client that uses any of the available policies is called a Compliant Target.

Details

Here are some considerations for creating a rule and deploying a policy:

  1. Identify the type of application to inspect and group the applications into Allow and Block.

    Block Rules should have a larger scope than the Allow Rules.
    Below are some sample rules when inspecting the Web Browser Add-ons:

    Block Rule:
    Block All Web Browser Toolbars and Plugins

    Allow Rules:
    Allow Adobe Flash Player
    Allow Java Runtime Environment
    Allow Microsoft Silverlight

     
    It is advisable to create one (1) rule per allowed application to easily reuse it on other policies that might require that specific rule.
  2. Group the target clients and identify the only applications that they can install.

    For example, both Windows Servers and Workstations can install Adobe Flash Player and Microsoft Silverlight, but only Windows Servers can also install the Java Runtime Environment. However, if the logon user is Server Admin, there should be no restrictions.
    The group can be similar to the following:

    Allowed Applications on Workstations: Adobe Flash Player and Microsoft Silverlight

    Allowed Applications on Servers: Adobe Flash Player, Microsoft Silverlight, and Java Runtime Environment

    Allowed Applications on Windows w/ Server Admin: Adobe Flash Player, Microsoft Silverlight, and Java Runtime Environment

  3. Create a policy based on the predefined applications in the rule and the targets.
    1. Use the Filter Criteria to appoint Target Clients and Logon User(s).
    2. Create the ruleset via the Rules tab.
    3. Make sure that the names of the policies denote the target applications and clients.

    From our previous samples, you can create three (3) possible policies similar to the following:

    • Allowed Web Browser Plugins on Windows Servers

      Filter Criteria: Windows 2000/2003/2008/2012

      Rules:
      Allow Adobe Flash Player
      Allow Java Runtime Environment
      Allow Microsoft Silverlight
      Block All Web Browser Toolbars and Plugins

    • Allowed Web Browser Plugins on Windows Workstations

      Filter Criteria: Windows XP/Vista/7/8

      Rules:
      Allow Adobe Flash Player
      Allow Microsoft Silverlight
      Block All Web Browser Toolbars and Plugins

    • Allowed Web Browser Plugins w/ user Server Admin

      Filter Criteria: Server Admin, Windows XP/Vista/7/8/2000/2003/2008/2012

      Rules:
      Allow Adobe Flash Player
      Allow Java Runtime Environment
      Allow Microsoft Silverlight
      Block All Web Browser Toolbars and Plugins

    In every ruleset, the Block Rule is placed below the Allow Rules. Rules are processed in the following order, which ensures that applications with no matching Allow Rule are blocked:

    Allowed > Blocked > Lockdown Mode

    Lockdown Mode prevents the installation of new applications on a client, but existing applications will still run. In addition, Windows System Applications, including Windows Updates, are allowed by default.

  4. Arrange the policies by priority.

    A policy with more specific criteria should have a higher priority. On the other hand, a policy with a wider range of targets should have a lower priority.

    In this case, "Allowed Web Browser Plugins w/ user Server Admin" is the most specific of the policies because of the user Server Admin, and should be assigned the first priority. The policies can be ordered like this:

    • Priority 1: Allowed Web Browser Plugins w/ user Server Admin
    • Priority 2: Allowed Web Browser Plugins on Windows Workstations
    • Priority 3: Allowed Web Browser Plugins on Windows Servers

    When you have a Deny Policy, make sure that you assign it the lowest priority. Policies are processed from top to bottom so that the permitted applications are identified first before they fall under Blocked Policies.
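
The policy ordering from step 4 and the Allowed > Blocked > Lockdown Mode rule order from step 3 can be checked with a small model before touching the console. This Python sketch is an added illustration, not Trend Micro code or part of the original article. It assumes that the first policy whose Filter Criteria match a client decides the outcome; `Policy`, `evaluate`, the `no-rule`/`no-policy` results and the sample user and application names are hypothetical.

```python
# Added illustration: a simplified model, not Endpoint Application Control code.
from dataclasses import dataclass
from typing import Optional

SERVERS = frozenset({"2000", "2003", "2008", "2012"})
WORKSTATIONS = frozenset({"XP", "Vista", "7", "8"})
PLUGINS = "Web Browser Toolbars and Plugins"   # scope of the article's Block rule
FLASH, JRE, SILVERLIGHT = ("Adobe Flash Player", "Java Runtime Environment",
                           "Microsoft Silverlight")

@dataclass(frozen=True)
class Policy:
    name: str
    os_versions: frozenset            # Filter Criteria: target clients
    allow: frozenset                  # one Allow rule per application
    block: frozenset = frozenset({PLUGINS})
    user: Optional[str] = None        # Filter Criteria: logon user (None = any)

    def matches(self, os_version, user):
        return os_version in self.os_versions and self.user in (None, user)

    def decide(self, app, category, lockdown=False, existing=True):
        if app in self.allow:               # 1. Allowed
            return "allow"
        if category in self.block:          # 2. Blocked
            return "block"
        if lockdown and not existing:       # 3. Lockdown Mode: no new installs
            return "block"
        return "no-rule"                    # assumption: outcome not stated in the article

ADMIN = Policy("Allowed Web Browser Plugins w/ user Server Admin",
               SERVERS | WORKSTATIONS, frozenset({FLASH, JRE, SILVERLIGHT}),
               user="Server Admin")
WORKSTATION = Policy("Allowed Web Browser Plugins on Windows Workstations",
                     WORKSTATIONS, frozenset({FLASH, SILVERLIGHT}))
SERVER = Policy("Allowed Web Browser Plugins on Windows Servers",
                SERVERS, frozenset({FLASH, JRE, SILVERLIGHT}))
ARTICLE_ORDER = [ADMIN, WORKSTATION, SERVER]     # priorities 1, 2, 3
MISORDERED = [WORKSTATION, SERVER, ADMIN]        # specific policy placed last

def evaluate(policies, os_version, user, app, category=PLUGINS, **kw):
    """Assumed model: walk the list top-down; the first matching policy decides."""
    for policy in policies:
        if policy.matches(os_version, user):
            return policy.name, policy.decide(app, category, **kw)
    return None, "no-policy"

if __name__ == "__main__":
    for order in (ARTICLE_ORDER, MISORDERED):
        print(evaluate(order, "7", "Server Admin", JRE))
```

With the article's ordering, Server Admin on a Windows 7 workstation is allowed the Java Runtime Environment; with the specific policy placed last, the broader workstation policy matches first and the same request is blocked.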

Category: Configure; Deploy
Solution Id: 1102440