Allowing and blocking rules that do not get applied to AC Agents with existing Lockdown rule in EAC 2.0

- Updated:
- 14 Mar 2020
- Product/Version:
- Endpoint Application Control 2.0
- Platform:
- Amazon AMI 32-bit
- Amazon AMI 64-bit
- Android 2.0, 2.1 Eclair
- Android 2.1+
- Android 2.2 Froyo
- Android 2.3 Gingerbread
- Android 3.x Honeycomb
- Android 4.0 Ice Cream Sandwich
- Android 4.1 Jellybean
- Android 4.2 Jellybean
- Android 4.3 Jellybean
- Android 4.4 KitKat
- Android 5.0 Lollipop
- Android 5.1 Lollipop
- Android 6.0 Marshmallow
- Android 7.0 Nougat
- Android All
- Android すべて
- Appliance DELL R210II
- Appliance DELL R410
- Appliance DELL R710
- Appliance DELL R720
- Appliance すべて
- AS400 すべて
- Bare Metal N/A
- Blackberry 5.x
- Blackberry すべて
- CentOS 5.4 32-bit
- CentOS 5.4 64-bit
- CentOS 5.5 32-bit
- CentOS 5.5 64-bit
- CentOS 5.6 32-bit
- CentOS 5.6 64-bit
- CentOS 5.7 32-bit
- CentOS 5.7 64-bit
- CentOS 5.8 32-bit
- CentOS 5.8 64-bit
- CentOS 6 32-bit
- CentOS 6 64-bit
- CentOS 6.1 32-bit
- CentOS 6.1 64-bit
- CentOS 6.2 32-bit
- CentOS 6.2 64-bit
- CentOS 7.0 64-bit
- Citrix XenServer 5.5
- Citrix XenServer 6.0
- EMC すべて
- HPUX 11.x
- IBM AIX
- IBM IBM - OS/390
- IBM IBM - OS/400/i5OS
- IBM IBM zLinux
- IBM AIX 5.2
- IBM AIX 5.3
- IBM AIX 6.1
- IBM AIX 7.1
- IBM OS/400/i5OS V5R4
- IBM OS/400/i5OS V6R1
- IBM OS/400/i5OS V7R1
- IBM zLinux RHEL 5 64-bit
- IBM zLinux SLES 10
- IBM zLinux SLES 11
- iOS 10.0
- iOS 3.0+
- iOS 4.0+
- iOS 5.0+
- iOS 6.0+
- iOS 7.0+
- iOS 7.1+
- iOS 8.0+
- iOS 8.1
- iOS 8.2
- iOS 8.3
- iOS 8.4
- iOS 9.0
- iOS 9.1
- iOS 9.2
- iOS 9.3
- iOS All
- iOS すべて
- Linux すべて
- Linux - Red Hat RHEL 3 32-bit
- Linux - Red Hat RHEL 3 64-bit
- Linux - Red Hat RHEL 4 32-bit
- Linux - Red Hat RHEL 4 64-bit
- Linux - Red Hat RHEL 5 32-bit
- Linux - Red Hat RHEL 5 64-bit
- Linux - Red Hat RHEL 5.1 32-bit
- Linux - Red Hat RHEL 5.1 64-bit
- Linux - Red Hat RHEL 5.2 32-bit
- Linux - Red Hat RHEL 5.2 64-bit
- Linux - Red Hat RHEL 5.6 32-bit
- Linux - Red Hat RHEL 5.6 64-bit
- Linux - Red Hat RHEL 5.7 32-bit
- Linux - Red Hat RHEL 5.7 64-bit
- Linux - Red Hat RHEL 5.8 32-bit
- Linux - Red Hat RHEL 5.8 64-bit
- Linux - Red Hat RHEL 6 32-bit
- Linux - Red Hat RHEL 6 64-bit
- Linux - Red Hat RHEL 6.1 32-bit
- Linux - Red Hat RHEL 6.1 64-bit
- Linux - Red Hat RHEL 6.2 32-bit
- Linux - Red Hat RHEL 6.2 64-bit
- Linux - Red Hat RHEL 7 64-bit
- Linux - Red Hat RHEL 8 32-bit
- Linux - Red Hat RHEL 8 64-bit
- Linux - Red Hat RHEL 9 32-bit
- Linux - Red Hat RHEL 9 64-bit
- Linux - SuSE 10
- Linux - SuSE 10 64-bit
- Linux - SuSE 11
- Linux - SuSE 11 64-bit
- Linux - SuSE 9.0
- Linux - Turbolinux Server 10
- Linux - Turbolinux Server 8
- Lync Server 2010
- Lync Server 2013
- Macintosh El Capitan
- Macintosh iOS 3.x
- Macintosh iOS 4.x
- Macintosh iOS 5.x
- Macintosh Leopard
- Macintosh Lion
- Macintosh Mavericks
- Macintosh Mountain Lion
- Macintosh Snow Leopard
- Macintosh Tiger
- Macintosh Yosemite
- MacOS Sierra
- MacOS すべて
- N/A N/A
- NetApp すべて
- Netware version 5.1
- Netware version 6.0
- Netware version 6.5
- Oracle Linux 5 32-bit
- Oracle Linux 5 64-bit
- Oracle Linux 6 32-bit
- Oracle Linux 6 64-bit
- Oracle Solaris 11 SPARC
- Oracle Solaris 11 x86
- SaaS すべて
- Solaris すべて
- Sony PS3
- Sony PS4
- Sony PSP
- Symbian ^3
- Symbian S60
- Symbian S60 3rd Edition
- Symbian S60 5th Edition
- Ubuntu 10.04 32-bit
- Ubuntu 10.04 64-bit
- Ubuntu 10.1 32-bit
- Ubuntu 10.1 64-bit
- Ubuntu 11.04 32-bit
- Ubuntu 11.04 64-bit
- Ubuntu 12.04 32-bit
- Ubuntu 12.04 64-bit
- Ubuntu 9.1 32-bit
- Ubuntu 9.1 64-bit
- UNIX すべて
- Unix - Solaris (Sun) version 10 (SunOS 5.10)
- Unix - Solaris (Sun) version 8 (SunOS 5.8)
- Unix - Solaris (Sun) version 9 (SunOS 5.9)
- Virtual Appliance 4.1
- Virtual Appliance 5.1
- Virtual Appliance すべて
- VMware ESX - 5.0
- VMware ESX 3.0
- VMware ESX 3.5
- VMware ESX 4.0
- VMware ESX 4.1
- VMware ESX 5.0
- VMware ESXi 3.5
- VMware ESXi 4.0
- VMware ESXi 4.1
- VMware ESXi 5.0
- VMware ESXi 5.1
- VMware ESXi 5.5
- VMware ESXi 6.0
- VMware Server 2.0
- VMware vCenter 5.0
- VMware vCenter 5.5
- VMware vSphere 4.x
- VMware vSphere 5.0
- VMware vSphere 5.1
- VMware vSphere 5.5
- VMware vSphere 6.0
- Windows 10
- Windows 10 32-bit
- Windows 10 64-bit
- Windows 2000 Advanced Server
- Windows 2000 Datacenter Server
- Windows 2000 Professional
- Windows 2000 Server
- Windows 2000 Small Business Server
- Windows 2003 32-Bit
- Windows 2003 64-Bit
- Windows 2003 Compute Cluster Server
- Windows 2003 Datacenter
- Windows 2003 Datacenter 64-bit
- Windows 2003 Enterprise
- Windows 2003 Enterprise 64-bit
- Windows 2003 Home Server
- Windows 2003 Server R2
- Windows 2003 Small Business Server
- Windows 2003 Small Business Server R2
- Windows 2003 Standard
- Windows 2003 Standard 64-bit
- Windows 2003 Web Server 64-bit
- Windows 2003 Web Server Edition
- Windows 2008 32-Bit
- Windows 2008 64-Bit
- Windows 2008 Datacenter
- Windows 2008 Datacenter 64-bit
- Windows 2008 Enterprise
- Windows 2008 Enterprise 64-bit
- Windows 2008 Essential Business Server
- Windows 2008 Server Core
- Windows 2008 Server Foundation
- Windows 2008 Server R2
- Windows 2008 Server R2 Datacenter
- Windows 2008 Server R2 Enterprise
- Windows 2008 Server R2 with Hyper-V(TM)
- Windows 2008 Small Business Server
- Windows 2008 Standard
- Windows 2008 Standard 64-bit
- Windows 2008 Storage Server
- Windows 2008 Web Server Edition
- Windows 2008 Web Server Edition 64-bit
- Windows 2011 Small Business Server Essentials
- Windows 2011 Small Business Server Premium Add-on
- Windows 2011 Small Business Server Standard
- Windows 2012
- Windows 2012 Datacenter
- Windows 2012 Datacenter R2
- Windows 2012 Enterprise
- Windows 2012 Enterprise R2
- Windows 2012 Server Essential R2
- Windows 2012 Server Essentials
- Windows 2012 Server Foundation R2
- Windows 2012 Server R2
- Windows 2012 Standard
- Windows 2012 Standard R2
- Windows 2012 Web Server Edition
- Windows 2016
- Windows 2016 Server Core
- Windows 2016 Server Datacenter
- Windows 2016 Server Standard
- Windows 7 32-Bit
- Windows 7 64-Bit
- Windows 7 Home Premium 32-bit
- Windows 7 Home Premium 64-bit
- Windows 7 SP1 32-bit
- Windows 7 SP1 64bit
- Windows 7 SP1 64-bit
- Windows 7 Starter 32-bit
- Windows 7 Starter 64-bit
- Windows 7 Ultimate 32-bit
- Windows 7 Ultimate 64-bit
- Windows 8 32-Bit
- Windows 8 64-Bit
- Windows 8 RT
- Windows 8.1 32-Bit
- Windows 8.1 64-Bit
- Windows 9
- Windows All
- Windows Embedded POSReady 7 (32-bit/64-bit)
- Windows Mobile 5 Pocket PC
- Windows Mobile 5 Pocket PC Phone Edition
- Windows Mobile 5 Smartphone
- Windows Mobile 6 Classic
- Windows Mobile 6 Professional
- Windows Mobile 6 Standard
- Windows Mobile 6.1 Professional
- Windows Mobile 6.1 Standard
- Windows Mobile 6.5 Professional
- Windows Mobile 6.5 Standard
- Windows Server 2012
- Windows Storage Server 2003
- Windows Vista 32-bit
- Windows Vista 64-bit
- Windows Vista SP1 32-bit / 64-bit
- Windows Vista SP2 32-bit
- Windows Vista SP2 32-bit / 64-bit
- Windows Vista SP2 64-bit
- Windows XP Home
- Windows XP Professional
- Windows XP Professional 64-bit
- Windows XP SP2 32-bit
- Windows XP SP3 32-bit
- Windows XP Tablet PC
- Windows すべて
- Windows Mobile すべて
- Windows Phone 8.0
- Windows Phone 8.1

Summary

Applications are still getting blocked by the Lockdown Rule of Endpoint Application Control (EAC) 2.0. This is a Known Issue (go to issue 270) in Application Control. When an endpoint applies a policy with a Lockdown rule, additional rules do not take effect and applications in the Allow rule are still getting blocked.

Endpoints in "Lockdown" mode only allow application hashes that were gathered during the recent Inventory Scan schedule. Except for the "File Paths" and "Certificates", when adding or creating a new rule, the following match methods when selected will use "Hash-based" matching approach to identify executed applications that are not in the Inventory Scan database:

Known applications dynamic search
Certified Safe Software List
SHA-1 Hash values

The issue is that endpoints in Lockdown mode will no longer accept additional hashes from the rules that use any of the above match method. As a result, applications in the allow rule as an example, will still get blocked by the Lockdown rule because the AC agent does not have the hashes of the permitted applications.

Details

To solve this issue, upggrade to TMEAC v2.0 Service Pack 1 and apply Trend Micro Endpoint Application Control 2.0 SP1 Hotfix - Server Build 1242.

The Hash Value Deployment options "Partial" or "Full" is now available in the “Edit Rule” page.

The default is set to "Partial".

To view the current hash value deployment settings for all the established rules of a policy, go to the "Rules" section on the "Edit Policy" page.

When Lockdown is applied with Allow or Block rules, and when any of these rules is set with "Partial" hash value deployment, a notification message is displayed as yellow banner to remind users that endpoints cannot take actions on applications that are not on the local SHA-1 Hash Value list.

You may also apply any of the following three options:

EXPAND ALL

Option I: Enabling Full Policy download

Activating the feature can significantly increase network data transfers between the AC Server and the Agent when adding a new rule above Lockdown because the agent will download application hashes that do not match the applications included in the inventory scan database.

Open the policy with the Lockdown rule and expand Deployment drop-down.
Under the Deploy the full policy in the following conditions, tick the Endpoint starts applying lockdown rules option as shown below, which is disabled by default:
Click Save in the Policy page to start deploying the new settings.

To know more about full policy information, you may check Policy Deployment.

Option II: Creating a non “Hash-based” rule(s) on top of the Lockdown

Rules that match the applications based on File paths or Certificates do not require the AC agent to download new hashes and will work when added on top of a Lockdown rule.

Open the policy with the Lockdown rule and expand the Rules drop-down.
Click Assign Rule to add a new rule.
In the edit rule page, expand the Allowed applications drop-down and change the “Match using” settings to “File paths” or “Certificates”.
Specify the target application file path or certificate.
To learn how to create certificate-based rule in EAC, you may refer to Creating a rule based on a file's digital signature in Endpoint Application Control (EAC) 2.0 article.
Click Save & Assign to add the rule.
On the Policy page, choose Save in to start deploying the new settings.

Option III: Creating your application exemption list within the Lockdown rule

Include additional Lockdown rule and use its exclusion settings to define applications that will be exempted from the Lockdown rule. This allows you to select any match method available regardless on whether you are using "Hash-based" match method or not. However, since the Lockdown rule exclusion can only use one match method at a time, customers need to create multiple Lockdown rules to match each application different from the other.

Open the policy with the Lockdown rule and expand the Rules drop-down.
Add or edit the existing Lockdown rule to exclude an application and select the appropriate match method.
Click Save to apply the rule settings.
On the Policy page, choose Save to start deploying the new settings.