Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Configuring Application Control in Worry-Free Business Security Services (WFBS-SVC)

    • Updated:
    • 1 Aug 2019
    • Product/Version:
    • Worry-Free Business Security Services 6.6
    • Platform:
    • Windows 10 32-bit
    • Windows 10 64-bit
    • Windows 2008 Server R2
    • Windows 2008 Small Business Server
    • Windows 2008 Standard
    • Windows 7 32-Bit
    • Windows Vista 32-bit
Summary

Worry-Free Business Security Services Application Control feature allows the prevention of applications, regardless of their file extensions, from being executed.

The default mode for Application Control is Block. This mode blocks all applications specified by the Application Control rules unless if they are added to the Application Control whitelist. The Application Control is capable of targeting Safe Applications from the Trend Micro Certified Safe Software List, File and Folder Paths, Hash Values, and Gray Applications.

With Worry-Free Business Security Services 6.6, Trend Micro Application Control Service is introduced which is the standalone module that is capable of providing rule-based policy matching. With the introduction of this service, the Lockdown mode is made available as well. In this mode, an Inventory Scan is performed to calculate and record the SHA256 values of all applications installed on the endpoint. Any application that is not included on the list will be blocked. 

Follow the steps in this article to configure Application Control in WFBS-SVC.

Details
Public
 
Block Mode uses the kernel-level blocking method to block applications before execution on your corporate endpoints. Kernel-level blocking prevents applications from starting by blocking file access. This provides greater security, but may unexpectedly block or momentarily delay access to certain files needed by allowed applications.
  1. Go to the Configure Policy screen by performing one of the following:

    • Classic Mode: Go to SECURITY AGENTS and select a group. Click the Menu icon (three vertical dots) > Configure Policy.
    • Advanced Mode: Go to POLICIES > Policy Management. Click Add or click an existing policy.
  2. In the Configure Policy page, click on the Windows icon.

    Click the Windows icon

  3. On the left pane, under Access Control, click Application Control and enable Application Control.

    enable Application Control

  4. Make sure that Block: Block specified applications from executing on endpoints is selected then click + Assign Rules.

    Enable Block and click Assign Rules

     

    For Block Mode, a rule has to be assigned first, otherwise, the feature will not be enabled upon clicking Save. The following Error message will be encountered.

    No rules defined error

  5. To block applications from the Certified Safe Software List:

    1. From the Application Control Rules window, click + Add Rule and select Block.

      click Add Rule and select Block

    2. Type in the rule name. Select Certified Safe Software List from the Match method: drop-down menu then click Manage Applications.

      Block Rule Settings

    3. On the left pane, select a category.

      Select a category

    4. On the right pane, select the applications to block then click OK.

      select the applications to block

       
      • Trend Micro updates the Trend Micro Certified Safe Software List periodically to include new applications.
      • To block all applications within a category, select the Application column heading.
      • If user wish to automatically block new applications, they can select the "Block All Application %CATEGORY%" selection on top of the app list in each category.
    5. The selected applications are added to the Block Rule Settings list. Click Save.

      Block Rule Settings List

    6. Click OK.

      click OK

    7. Click Save.

      Click Save

  6. To block applications from the Gray Software List, follow the steps from 5a-5g. Make sure that from the Match method drop-down menu, Gray Software List is selected before clicking Manage Applications.

    make sure Gray Software List  is selected

  7. To block applications based from the File or Folder Paths:

    1. From the Application Control Rules, click + Add Rule and select Block.

      select Block

    2. Type in the rule name. From the Match method drop down menu, select File or folder paths then click Add.

      Select File or folder paths then click Add

    3. Specify the File or Folder path to block then click Add.

      Specify the file or folder

      For Example:

      • C:\Program Files (x86)\Notepad++\notepad++.exe
      • C:\Program Files (x86)\Adobe

      The following table lists the paths that you cannot use in Application Control.

      Path
      $programdir$\Trend Micro\Client Server Security Agent
      $programdirx86$\Trend Micro\Client Server Security Agent
      C:\Program Files\Trend Micro\Client Server Security Agent
      C:\Program Files (x86)\Trend Micro\Client Server Security Agent
      $programdir$\Trend Micro\BM
      $programdirx86$\Trend Micro\BM
      C:\Program Files\Trend Micro\BM
      C:\Program Files (x86)\Trend Micro\BM
      $programdir$\Trend Micro\WFBSSUpdater
      $programdirx86$\Trend Micro\WFBSSUpdater
      C:\Program Files\Trend Micro\WFBSSUpdater
      C:\Program Files (x86)\Trend Micro\WFBSSUpdater
      $programdir$\Trend Micro
      $programdirx86$\Trend Micro
      C:\Program Files\Trend Micro
      C:\Program Files (x86)\Trend Micro
       
      Wildcards are not supported.
    4. Click Save.

      Click Save

    5. Click OK.

      Click OK

       

    6. Click Save.

      Click Save

  8. To block applications based from the based Application’s File Hash.

    1. From the Application Control Rules, click + Add Rule and select Block.

      click Add Rule and select Block

    2. Type in the rule name. From the Match method drop down menu, select Hash values. .

      Select Hash values

    3. From the Input method, you have an option to manually add the hash value of an application to allow or block or by importing a CSV file using the import function.

      For Manual Input Method:

      1. Make sure that Manual is selected as the Input method then click + Add.

        Manual as Input method

      2. Type in the application’s file hash. Press enter as you enter each of the application’s file hash. Click Add.

        File Hash

        Optionally, provide a note regarding the reason to block the program.

      3. The application’s file hash is added to the File Hash List. Click Save.

        File Hash List

      4. Click OK.

      For Import Input Method:

      1. Make sure that Import is selected as the Input method then click Select File.

        Import

        1. Download the importFileHashSample.csv by clicking the CSV sample format link to know how to manually create a CSV file.

          Download CSV sample

          Download CSV sample

        2. Download the Hash Generator tool (Hash_Gen_Tool.zip) to obtain the hash values of all installed applications on an endpoint in CSV format. The ZIP file has a README.txt file which includes instructions on how to use the tool.

          Download the Hash Generator tool

          For more information, visit the WFBS-SVC online help section: Using the Hash Generator Tool.

      2. Once the CSV file is uploaded, click Save and follow the on-screen instructions.
 

Before locking down an endpoint, Application Control scans the endpoint and creates a complete application inventory. Only applications that already exist in the inventory can execute on the endpoint. During Lockdown, Application Control prevents the execution of upgrade or installation packages.

Depending on the user's environment, the inventory scan can take several hours to complete. Periodically check the Application Control status on the Security Agent console. The inventory scan might also affect endpoint performance. Plan cautiously before applying Lockdown to any server.

  1. Go to the Configure Policy screen by performing one of the following:

    • Classic Mode: Go to SECURITY AGENTS and select a group. Click the Menu icon (three vertical dots) > Configure Policy.
    • Advanced Mode: Go to POLICIES > Policy Management. Click Add or click an existing policy.
  2. Click on the Windows icon.

    Click the Windows icon

  3. On the left pane, under Access Control, click Application Control and enable Application Control.

    enable Application Control

  4. Make sure that Lockdown: Block all applications not identified during the last inventory scan is selected.

    Lockdown is selected

    By default, the option Exclude applications by Trend Micro trusted vendors (Recommended) is enabled when switching to Lockdown mode.

  5. Enable Exclude any process tree that originated from a Microsoft-signed program (including Windows Update).

    Enable Exclude any process tree

 

In order for the users to be able to perform Windows Update smoothly, the Lockdown mode feature has an option to exclude Microsoft-signed applications and processes which is disabled by default when enabling Lockdown mode. Trend Micro recommends to disable this option when Windows Update is complete in order for these Microsoft-signed filed to be blocked again since they're not on the inventory scan list.

exclude Microsoft-signed applications and processes option

Disabling the option to exclude Microsoft-signed applications and processes will result to some of the executable files being downloaded on the computer during Windows update to be blocked. This is because that these files were not on the computer when agent performed the inventory scan.

In order for these executable files to execute even after Windows Update, users should trigger another inventory scan. However, when inventory scan is re-triggered, the executable files which were not downloaded during the Windows update will be bypassed.

As a recommendation, users can consider the following:

  • Re-trigger inventory scan by switching Application Control policy to block mode then back to lockdown mode.

     
    Make sure that Security Agents will get the policy being applied first before switching back to mode.
  • If there are files that need to be blocked after re-triggering the inventory scan, users can apply block rules to block these PE files.

Application Control rules support Windows system variables in file or folder paths. The following table displays the variables supported by Worry-Free Business Security Services.

System VariableDescription
%APPDATA%Refers to the C:\Users\{current_user_account}\AppData\Roaming folder for the logon user.
%CommonProgramFiles%Refers to the C:\Program Files\Common Files folder.
%COMMONPROGRAMFILES(X86)%Refers to the C:\Program Files (x86)\Common Files folder on 64-bit systems.
%LOCALAPPDATA%Refers to the C:\Users\{current_user_account}\AppData\Local folder for the logon user.
%ProgramData%Refers to the C:\ProgramData folder.
%PROGRAMFILES%

The Program Files folder.

A typical path is C:\Program Files.

%PROGRAMFILES(X86)%Refers to the C:\Program Files (x86) folder on 64-bit systems.
%SystemDrive%

Refers to the drive where the system folder locates.

A typical path is C:.

%SYSTEMROOT%

Refers to the root of the system drive.

A typical path is C:\Windows

%TEMP%Refers to the C:\Users\{current_user_account}\AppData\Local\Temp folder for the logon user.
%TMP%Refers to the C:\Users\{current_user_account}\AppData\Local\Temp folder for the logon user.
%USERPROFILE%

Refers to user’s profile folder.

A typical path is C:\Users\{current_user_account}

%WINDIR%

Refers to the Windows folder located on the system drive.

A typical path is C:\Windows

Premium
Internal
Rating:
Category:
Configure; Troubleshoot; SPEC
Solution Id:
1118028
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.