Using the Application Control Lockdown feature in Apex One™ as a Service

    • Updated: 18 Mar 2019
    • Product/Version: Apex One as a Service
    • Platform: N/A
Summary

This article discusses Apex One™ Application Control best practices and recommendations when using the Lockdown feature.

Details

Before a device enters a Lockdown Mode, the Security Agent will run an inventory scan to build a database that will contain the list of all existing applications and installed software that will be allowed to run.

When Lockdown Mode is enabled, an application is blocked for any of the following reasons:

  • The application is not found in the inventory scan database on the endpoint
  • The application is not in the Trusted Program List
  • The application does not match any Allow criteria defined in the User-defined Rule table
  • The application matches any Block criteria defined in the User-defined Rule table


Here are some scenarios where you need to manually adjust the policy setting and add corresponding Allow criteria when using the Lockdown Mode feature:

Some applications will extract a compressed file or download related executables. These executables will be launched during the installation or execution phase.

For this scenario, please select “Exclude applications by Trend Micro trusted vendors”. This option will automatically allow all applications that Trend Micro threat experts have determined come from trusted vendors.


Some executables do not have a valid certificate signature.

For this scenario, you can create a corresponding Certificate-based Allow criteria for these executables. For example, if the executable is issued by Trend Micro, you may add an Allow criteria with the following configuration:

Name: Allow Trend Micro
Trust Permission: Application can execute other processes
Match Method: Certificates

Use the following settings:

Specify certificate type: Trusted
Certificate Properties: Subject Name (CN) = Trend Micro*


When allowing Windows Update: Windows Update is very complex in terms of the processes and packages it uses. There are three (3) main reasons for this:

  • Endpoints that have the .NET Framework or Windows Defender installed receive a different update package from endpoints that do not have that software installed.
  • Install packages vary between Windows platforms. For example, Windows 7 and Windows 10 receive totally different update packages even when they fix the same issue.
  • If the endpoint has a language pack installed, the update package will be totally different, since the package is chosen according to the system language of the Windows platform.

In summary, Windows has several components and different approaches to updating its system, depending on the platform, language, and installed packages. Coming up with a single Allow criteria that covers all of these applications is quite a challenge. Instead, it is recommended to add a File paths-based Allow criteria with the following configuration:

Name: Allow Windows Update
Trust Permission: Application can execute other processes.
Match Method: File paths

Use the following File paths setting:

Path: Specific path
Type: String
File path: C:\Windows\System32\wuauclt.exe


Also, to ensure that Microsoft Signed applications are trusted, create additional Certificates-based Allow criteria with the following configurations:

Name: Allow Microsoft App
Trust Permission: Application can execute other processes.
Match Method: Certificates

Use the following Certificates settings:

Specify certificate type: Trusted (valid or expired)
Certificate Properties:
(Subject Name (CN) AND Subject Organization = Microsoft Corporation) OR
(Issuer Organization (O) = Microsoft Corporation AND Issuer Name (CN) = Microsoft*)
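The rule evaluation described in this article (the four block reasons listed under Details, the File paths-based Windows Update rule, and the two Certificates-based rules above) can be checked against real binaries before a policy is deployed. The PowerShell script below is an added example and is not Trend Micro code; it does not talk to Apex One. It reads each file's Authenticode signer with Get-AuthenticodeSignature and runs it through a stand-in of the Lockdown decision. Assumptions, labelled in the comments: the inventory database and Trusted Program List are constructed placeholders; Block criteria are evaluated before the allow sources, as the article's list implies; "Trusted" versus "Trusted (valid or expired)" is approximated from the signature status and the signer certificate's NotAfter date; and the compound Microsoft criteria is read as Subject CN and Subject O both equal to "Microsoft Corporation".

```powershell
# Added example (not Trend Micro code): evaluate local executables against the
# Lockdown logic this article describes, using their real Authenticode signers.

# Pull one attribute (CN, O, ...) out of an X.500 distinguished-name string,
# honouring quoted values such as O="Contoso, Inc.".
function Get-DnPart {
    param([string]$Dn, [string]$Key)
    $m = [regex]::Match($Dn, "(?:^|,\s*)$Key=(?:`"(?<q>[^`"]*)`"|(?<p>[^,]*))")
    if (-not $m.Success) { return $null }
    if ($m.Groups['q'].Success) { return $m.Groups['q'].Value.Trim() }
    return $m.Groups['p'].Value.Trim()
}

# Collect the signer properties the article's certificate criteria refer to.
# Catalog-signed Windows binaries are resolved by Get-AuthenticodeSignature as well.
function Get-AppIdentity {
    param([string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        Path      = $Path
        Signed    = ($null -ne $cert)
        Trusted   = ($sig.Status -eq 'Valid')                          # chain builds to a trusted root
        Expired   = ($null -ne $cert -and $cert.NotAfter -lt (Get-Date))  # assumption: expiry judged from NotAfter
        SubjectCN = $(if ($cert) { Get-DnPart $cert.Subject 'CN' })
        SubjectO  = $(if ($cert) { Get-DnPart $cert.Subject 'O' })
        IssuerCN  = $(if ($cert) { Get-DnPart $cert.Issuer 'CN' })
        IssuerO   = $(if ($cert) { Get-DnPart $cert.Issuer 'O' })
    }
}

# Constructed stand-ins for what the Security Agent holds after an inventory scan.
$InventoryDb        = @('C:\Windows\System32\notepad.exe')
$TrustedProgramList = @()

# The User-defined Rule table recommended in this article. Only the parts needed
# for matching are modelled; Criteria is the rule's match expression.
$UserRules = @(
    @{ Name = 'Allow Trend Micro'; Action = 'Allow'; Match = 'Certificates'; CertType = 'Trusted'
       Criteria = { param($a) $a.SubjectCN -like 'Trend Micro*' } }
    @{ Name = 'Allow Windows Update'; Action = 'Allow'; Match = 'FilePaths'
       Criteria = { param($a) $a.Path -eq 'C:\Windows\System32\wuauclt.exe' } }
    @{ Name = 'Allow Microsoft App'; Action = 'Allow'; Match = 'Certificates'; CertType = 'TrustedValidOrExpired'
       # Assumption: "(Subject Name (CN) AND Subject Organization = Microsoft Corporation)"
       # is read as both fields equal to "Microsoft Corporation".
       Criteria = { param($a)
           ($a.SubjectCN -eq 'Microsoft Corporation' -and $a.SubjectO -eq 'Microsoft Corporation') -or
           ($a.IssuerO -eq 'Microsoft Corporation' -and $a.IssuerCN -like 'Microsoft*') } }
)

# A certificate rule only applies when its certificate-type requirement is met;
# File paths rules have no such requirement.
function Test-RuleApplies {
    param($Rule, $App)
    switch ($Rule.CertType) {
        'Trusted'               { if (-not ($App.Trusted -and -not $App.Expired)) { return $false } }
        'TrustedValidOrExpired' { if (-not $App.Trusted) { return $false } }
    }
    return [bool](& $Rule.Criteria $App)
}

# The four block reasons from the article, with Block criteria checked first
# (assumption: a Block match wins regardless of the other lists).
function Get-LockdownVerdict {
    param($App)
    foreach ($r in ($UserRules | Where-Object { $_.Action -eq 'Block' })) {
        if (Test-RuleApplies -Rule $r -App $App) { return "Block (matches Block criteria '$($r.Name)')" }
    }
    if ($InventoryDb -contains $App.Path)        { return 'Allow (in inventory scan database)' }
    if ($TrustedProgramList -contains $App.Path) { return 'Allow (in Trusted Program List)' }
    foreach ($r in ($UserRules | Where-Object { $_.Action -eq 'Allow' })) {
        if (Test-RuleApplies -Rule $r -App $App) { return "Allow (matches Allow criteria '$($r.Name)')" }
    }
    return 'Block (not in inventory, Trusted Program List, or any Allow criteria)'
}

# Usage: report signer details and verdict for the article's Windows Update binary
# and for the one constructed inventory entry.
foreach ($p in 'C:\Windows\System32\wuauclt.exe', 'C:\Windows\System32\notepad.exe') {
    $app = Get-AppIdentity -Path $p
    $app | Add-Member -NotePropertyName Verdict -NotePropertyValue (Get-LockdownVerdict -App $app) -PassThru |
        Format-List Path, Signed, Trusted, Expired, SubjectCN, SubjectO, IssuerCN, IssuerO, Verdict
}
```

Run it on an endpoint before turning on Lockdown and point the loop at the installers or tools you expect to run during maintenance: an unsigned file shows Signed = False and will only pass through a File paths rule, a file whose SubjectCN or IssuerCN does not fit the wildcard patterns shows exactly which field the criteria would need, and an entry with Expired = True illustrates why the Microsoft rule uses "Trusted (valid or expired)" while the Trend Micro rule uses "Trusted".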

The Certificates-based Allow criteria can allow unapproved software installations during Lockdown. That is why it is highly recommended to ONLY enable the above policy during the software maintenance period and to disable it afterwards, so that the endpoints comply with the strict Lockdown policy.

After software maintenance, disable and re-enable Lockdown by switching between “Allow: All other applications can execute” and “Lockdown: Block all applications not identified during the last inventory scan” to trigger another inventory scan on the endpoint.

The following images show when Application Control is in Normal and Lockdown Modes:

Solution Id: 1122134