The following two (2) Application Events can lead to False Alarms:
- Software Updates
Allowed applications eventually update, replacing their old binaries with new ones. When this happens, the updated binaries of an allowed application can match an existing, applicable Block criteria and be blocked.
- File Access to other applications not in the Allow criteria
Some software installations include “Packed Files” that are unpacked and loaded during installation. If these unpacked applications are not covered by any Allow criteria, they can be blocked from executing, causing the installation of that software to fail.
The following are steps that you can take to mitigate False Alarm detections related to the Apex One Application Control feature:
Administrators can use the Apex Central Log Query and the Application Control widgets to identify applications with False Alarm detections. To do this:
- Detection Logs
  - Log on to the Apex Central console and go to Detections > Logs > Log Query.
  - Change the Security Logs type to “Application Control Violations”.
  - Select the time range (e.g. 24 hours) and click the Search button.
  - Use Advanced Search to narrow down the list of displayed logs.
  - Use Customize Columns to add or remove columns so that False Alarm applications are easier to identify.
  - Export the result as CSV to filter it in a spreadsheet.
- Application Control Widgets
  - Log on to the Apex Central console and go to Dashboard.
  - Click + to add a new tab.
  - Add the “Top Violated Application Criteria” and “Top Blocked Applications” widgets.
After identifying the allowed applications with False Alarm detections, administrators can fine-tune the Application Control policy by adding or editing Allow criteria so that the blocked applications can run. To do this:
- Configure Allow criteria.
  - If the Allow criteria uses the Certified Safe Software List Match Method, make sure to include all versions of the allowed application. For instance, if you intend to allow OfficeScan Agent and all of its future releases, tick the checkbox beside the Trend Micro OfficeScan Agent application name.
  - Configure the Allow criteria with the Trust permission set to at least the “Application can execute other processes” trust level.
To instantly allow the False Alarm application(s), add an Allow criteria with the “Hash values” Match Method and manually add the SHA-1 or SHA-256 hash values of the blocked application. Note that a hash-based criteria matches only the exact binaries whose hashes were added, so it must be refreshed when the application updates (see the Software Updates event above).
Reference: Defining Allowed Application Criteria
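As an added example (not from this article or from Trend Micro), the following Python script builds the SHA-1/SHA-256 list for a “Hash values” Allow criteria from an application's install folder and shows which binaries fall outside that criteria once the application updates; the install directory, file names and the list of executable suffixes are constructed assumptions.

```python
"""Build the hash list for an Application Control "Hash values" Allow criteria
and show which binaries fall outside it after a software update."""
import hashlib
import tempfile
from pathlib import Path

# Assumption: these are the file types an installation drops that need to execute.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".msi"}


def file_hashes(path):
    """Return (sha1, sha256) hex digests, streamed so large binaries fit in memory."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return sha1.hexdigest(), sha256.hexdigest()


def inventory(install_dir):
    """Map relative path -> (sha1, sha256) for every executable under install_dir."""
    root = Path(install_dir)
    return {p.relative_to(root).as_posix(): file_hashes(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES}


def drift(allowed_sha256, current):
    """Binaries whose SHA-256 is missing from the Allow criteria: after an update,
    these are exactly the files that would be blocked again."""
    return {rel: h256 for rel, (_, h256) in current.items() if h256 not in allowed_sha256}


def demo():
    """Constructed install directory: hash it, 'allow' it, update one binary, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.exe").write_bytes(b"MZ" + b"\x00" * 64 + b"v1.0")      # constructed
        (root / "lib").mkdir()
        (root / "lib" / "helper.dll").write_bytes(b"MZ" + b"\x00" * 64 + b"helper")
        (root / "readme.txt").write_text("not executable, ignored")
        before = inventory(root)
        allowed = {h256 for _, h256 in before.values()}  # what the criteria would hold
        (root / "app.exe").write_bytes(b"MZ" + b"\x00" * 64 + b"v1.1")      # the update
        after = inventory(root)
        return {"before": before, "after": after, "drift": drift(allowed, after)}


if __name__ == "__main__":
    result = demo()
    for rel, (h1, h256) in result["before"].items():
        print(f"{rel}\tSHA-1={h1}\tSHA-256={h256}")  # paste-ready hash list
    print("blocked again after update:", sorted(result["drift"]))
```

Run it against a real install folder by replacing the constructed directory in `demo()` with the application's path; the printed hashes are the values to enter in the Allow criteria.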
- Deploy Allow Criteria:
  - Log on to the Apex Central console and go to Policies > Policy Management.
  - Select the product "Apex One Security Agent".
  - Edit the policy that has Application Control enabled.
  - Expand the Application Control Settings and click the corresponding User Account to assign the newly created Allow criteria.
  - Click Deploy.
For assistance, please contact Trend Micro Technical Support.