Applications are still getting blocked by the Lockdown Rule of Endpoint Application Control (EAC) 2.0. This is a Known Issue (go to issue 270) in Application Control. When an endpoint applies a policy with a Lockdown rule, additional rules do not take effect and applications in the Allow rule are still getting blocked.
Endpoints in "Lockdown" mode only allow application hashes that were gathered during the most recent scheduled Inventory Scan. When you add or create a new rule, every match method other than "File Paths" and "Certificates" uses a "Hash-based" matching approach to identify executed applications that are not in the Inventory Scan database. The hash-based match methods are:
- Known applications dynamic search
- Certified Safe Software List
- SHA-1 Hash values
The issue is that endpoints in Lockdown mode no longer accept additional hashes from rules that use any of the above match methods. As a result, applications in an Allow rule, for example, are still blocked by the Lockdown rule because the AC agent does not have the hashes of the permitted applications.
To solve this issue, upgrade to TMEAC v2.0 Service Pack 1 and apply Trend Micro Endpoint Application Control 2.0 SP1 Hotfix - Server Build 1242.
The Hash Value Deployment options "Partial" and "Full" are then available on the "Edit Rule" page.
To view the current hash value deployment settings for all the established rules of a policy, go to the "Rules" section on the "Edit Policy" page.
When Lockdown is applied together with Allow or Block rules, and any of these rules is set to "Partial" hash value deployment, a notification message is displayed as a yellow banner to remind users that endpoints cannot take action on applications that are not on the local SHA-1 Hash Value list.
You may also apply any of the following three options:
Option 1: Deploy the full policy when endpoints start applying Lockdown rules. Activating this feature can significantly increase network data transfers between the AC Server and the Agent when a new rule is added above Lockdown, because the agent downloads the application hashes that are not already in the inventory scan database.
- Open the policy with the Lockdown rule and expand Deployment drop-down.
- Under Deploy the full policy in the following conditions, tick the Endpoint starts applying lockdown rules option (disabled by default).
- Click Save in the Policy page to start deploying the new settings.
For more information on full policy deployment, see Policy Deployment.
Option 2: Match applications by file path or certificate. Rules that match applications based on File paths or Certificates do not require the AC agent to download new hashes and will work when added on top of a Lockdown rule.
- Open the policy with the Lockdown rule and expand the Rules drop-down.
- Click Assign Rule to add a new rule.
- In the edit rule page, expand the Allowed applications drop-down and change the “Match using” settings to “File paths” or “Certificates”.
- Specify the target application file path or certificate.
To learn how to create a certificate-based rule in EAC, refer to the article Creating a rule based on a file's digital signature in Endpoint Application Control (EAC) 2.0.
- Click Save & Assign to add the rule.
- On the Policy page, choose Save to start deploying the new settings.
Option 3: Add another Lockdown rule and use its exclusion settings to define the applications that are exempted from the Lockdown rule. This lets you select any available match method, whether it is "Hash-based" or not. However, because a Lockdown rule's exclusion can use only one match method at a time, you need to create multiple Lockdown rules when the exempted applications require different match methods.
- Open the policy with the Lockdown rule and expand the Rules drop-down.
- Add or edit the existing Lockdown rule to exclude an application and select the appropriate match method.
- Click Save to apply the rule settings.
- On the Policy page, choose Save to start deploying the new settings.
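The following Python model is an added illustration written for this page; it is not Trend Micro code and does not reproduce the agent's real implementation. It simulates the Lockdown decision logic as the article describes it: the agent only holds the SHA-1 values from the Inventory Scan (plus rule hashes it actually received via "Full" hash deployment or full policy deployment), so a hash-based Allow rule with "Partial" deployment cannot identify a non-inventoried application, while file path and certificate rules and Lockdown exclusions still work. The class, field and function names, and the sample hashes and paths, are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed model (not Trend Micro code) of the Lockdown behaviour this
# article describes. Field names are assumptions that mirror the article's terms.

@dataclass
class App:
    sha1: str     # SHA-1 of the executable
    path: str     # full file path on the endpoint
    signer: str   # subject of the code-signing certificate

@dataclass
class Rule:
    action: str                        # "allow" or "block"
    match: str                         # "sha1", "file_path" or "certificate"
    values: set
    hash_deployment: str = "partial"   # "partial" or "full"; only matters for sha1 rules

@dataclass
class Policy:
    inventory_hashes: set                                     # gathered by the last Inventory Scan
    rules: list = field(default_factory=list)                 # rules placed above the Lockdown rule
    lockdown_exclusions: list = field(default_factory=list)   # (match, values) pairs on the Lockdown rule
    full_policy_on_lockdown: bool = False                     # "Endpoint starts applying lockdown rules"

def matches(match, values, app):
    """Identify an application by one match method."""
    if match == "sha1":
        return app.sha1 in values
    if match == "file_path":
        return app.path in values
    if match == "certificate":
        return app.signer in values
    raise ValueError(f"unknown match method: {match}")

def local_hash_list(policy):
    """SHA-1 values the agent actually holds: the inventory, plus rule hashes only
    when they were pushed by Full hash deployment or full policy deployment."""
    hashes = set(policy.inventory_hashes)
    for r in policy.rules:
        if r.match == "sha1" and (r.hash_deployment == "full" or policy.full_policy_on_lockdown):
            hashes |= r.values
    return hashes

def evaluate(policy, app):
    """Return "allow" or "block" for one execution under a Lockdown policy."""
    # Exclusions on the Lockdown rule may use any match method (option 3).
    for match, values in policy.lockdown_exclusions:
        if matches(match, values, app):
            return "allow"
    known = local_hash_list(policy)
    for r in policy.rules:
        # A hash-based rule cannot act on a hash the agent never received.
        if r.match == "sha1" and app.sha1 not in known:
            continue
        if matches(r.match, r.values, app):
            return r.action
    # The Lockdown rule itself: only inventoried hashes may run.
    return "allow" if app.sha1 in policy.inventory_hashes else "block"

def demo():
    """Walk through the symptom and the three options from the article."""
    inventory = {"aaaa" * 10}                                           # constructed sample hash
    newapp = App("bbbb" * 10, r"C:\Tools\newapp.exe", "Example Corp")  # constructed, not inventoried
    out = {}
    p = Policy(inventory, [Rule("allow", "sha1", {newapp.sha1})])
    out["partial_hash_allow"] = evaluate(p, newapp)          # still blocked: the symptom
    p = Policy(inventory, [Rule("allow", "sha1", {newapp.sha1}, "full")])
    out["full_hash_allow"] = evaluate(p, newapp)             # "Full" hash value deployment
    p = Policy(inventory, [Rule("allow", "sha1", {newapp.sha1})], full_policy_on_lockdown=True)
    out["full_policy"] = evaluate(p, newapp)                 # option 1
    p = Policy(inventory, [Rule("allow", "file_path", {newapp.path})])
    out["file_path_allow"] = evaluate(p, newapp)             # option 2
    p = Policy(inventory, lockdown_exclusions=[("certificate", {"Example Corp"})])
    out["lockdown_exclusion"] = evaluate(p, newapp)          # option 3
    p = Policy(inventory)
    out["inventoried_app"] = evaluate(p, App("aaaa" * 10, r"C:\Tools\old.exe", "Example Corp"))
    return out

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

Running the block prints one verdict per scenario: the "Partial" hash-based Allow rule yields "block", while each of the three options yields "allow". The same skip logic applies to hash-based Block rules, which is why the yellow banner warns that the endpoint cannot take action on applications missing from its local SHA-1 list.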