Mitigating False Alarm Detections in Apex One Application Control

    • Updated: 19 Mar 2019
    • Product/Version: Apex One All.All
    • Platform: N/A N/A
Summary

The following two (2) Application Events can lead to False Alarms:

  • Software Updates

    Allowed applications will eventually update, replacing old binaries with new ones. When this happens, the allowed application can fall under existing applicable Block criteria.

  • File Access to other applications not in the Allow criteria

    Some software installations include “Packed Files” that are unpacked and loaded during installation. If these unpacked applications are not in any of the Allow criteria, they can be denied from executing, resulting in failed installation of that software.

Details

Follow these steps to mitigate False Alarm detections related to the Apex One Application Control feature:

Administrators can use Apex Central Logs Query and Application Control Widgets to identify applications with False Alarm detections. To do this:

  • Detection Logs
    1. Log on to the Apex Central console and go to Detections > Logs > Log Query.
    2. Change the Security Logs to “Application Control Violations”.
    3. Select the time range (e.g. 24 hours) and click the Search button.
     
    • Use Advanced Search to narrow down the list of displayed logs.
    • Use the Customize Columns to add/remove columns and help you easily identify False Alarm applications.
    • Export the result as CSV to easily filter the result in a spreadsheet.
  • Dashboard
    1. Log on to the Apex Central console and go to Dashboard.
    2. Click + to add a new tab.
    3. Add the “Top Violated Application Criteria” and “Top Blocked Applications” widgets.
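
The CSV exported from Log Query can be triaged offline by grouping violations per file path and flagging paths seen with more than one hash, which is the pattern a software update leaves behind. This Python script is an added example, not part of the Trend Micro article or product. Assumptions: the column names and sample rows are constructed, so map them to the columns actually present in your export.

```python
import csv
import io
from collections import defaultdict

# Assumed column names; adjust to the columns chosen via Customize Columns.
COL_PATH, COL_HASH, COL_HOST = "File Path", "SHA-256", "Endpoint"

# Constructed sample rows, not real Apex Central output.
SAMPLE_CSV = r"""Endpoint,File Path,SHA-256,Violated Criteria
PC-01,C:\Program Files\Acme\acme.exe,constructed-hash-v1,Block-All
PC-02,C:\Program Files\Acme\acme.exe,constructed-hash-v2,Block-All
PC-02,c:\program files\acme\ACME.EXE,constructed-hash-v2,Block-All
PC-03,C:\Users\u\AppData\Local\Temp\setup\unpack.exe,constructed-hash-u1,Block-All
"""

def summarize(csv_text):
    """Group violations by file path; return rows sorted by hit count."""
    groups = defaultdict(lambda: {"hits": 0, "hosts": set(), "hashes": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = (row.get(COL_PATH) or "").strip()
        if not path:
            continue  # skip rows without a path rather than mis-grouping them
        g = groups[path.lower()]  # Windows paths are case-insensitive
        g["hits"] += 1
        g["hosts"].add((row.get(COL_HOST) or "").strip())
        digest = (row.get(COL_HASH) or "").strip().lower()
        if digest:
            g["hashes"].add(digest)
    report = []
    for path, g in groups.items():
        report.append({
            "path": path,
            "hits": g["hits"],
            "hosts": sorted(g["hosts"]),
            "hashes": sorted(g["hashes"]),
            # Several hashes at one path suggest the binary was replaced
            # (e.g. by an update); a hash-only Allow criteria would not
            # match the next version.
            "multiple_versions": len(g["hashes"]) > 1,
        })
    return sorted(report, key=lambda r: (-r["hits"], r["path"]))

if __name__ == "__main__":
    for r in summarize(SAMPLE_CSV):
        note = "multiple hashes" if r["multiple_versions"] else "single hash"
        print(f'{r["hits"]:>3}  {r["path"]}  [{note}]  {", ".join(r["hashes"])}')
```

Paths flagged with multiple hashes are candidates for a version-independent Allow criteria; single-hash entries can be reviewed for the “Hash values” Match Method.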

After identifying allowed applications with False Alarm detections, administrators can fine-tune the Application Control policy by adding or editing Allow criteria so that the blocked applications can run. To do this:

  1. Configure Allow criteria.
    • If the Allow criteria uses the Certified Safe Software List Match Method, make sure to include all versions of the allowed application. For instance, if you intend to allow OfficeScan Agent and all future releases, tick the checkbox beside the Trend Micro OfficeScan Agent application name.

    • Configure the Allow criteria with Trust permission set to at least “Application can execute other processes” trust level.

    To instantly allow the False Alarm application(s), add an Allow criteria with the “Hash values” Match Method and manually enter the SHA-1 or SHA-256 hash values of the blocked application.

    Reference: Defining Allowed Application Criteria

  2. Deploy Allow Criteria:
    1. Log on to the Apex Central console and go to Policies > Policy Management.
    2. Select Product "Apex One Security Agent".
    3. Edit the Policy with Application Control enabled.
    4. Expand the Application Control Settings and click the corresponding User Account to assign the newly created Allow Criteria.
    5. Click Deploy.

For assistance, please contact Trend Micro Technical Support.

Category: Configure; Troubleshoot
Solution Id: 1122216