Views:

Block Mode

Block Mode uses the kernel-level blocking method to block applications before execution on your corporate endpoints. Kernel-level blocking prevents applications from starting by blocking file access. This provides greater security, but may unexpectedly block or momentarily delay access to certain files needed by allowed applications.

Go to the Configure Policy screen by performing one of the following:
- Classic Mode: Go to SECURITY AGENTS and select a group. Click the Menu icon (three vertical dots) > Configure Policy.
- Advanced Mode: Go to POLICIES > Policy Management. Click Add or click an existing policy.
In the Configure Policy page, click on the Windows icon.
On the left pane, under Access Control, click Application Control and enable Application Control.
Make sure that Block: Block specified applications from executing on endpoints is selected then click + Assign Rules.

For Block Mode, a rule has to be assigned first, otherwise, the feature will not be enabled upon clicking Save. The following Error message will be encountered.
To block applications from the Certified Safe Software List:
1. From the Application Control Rules window, click + Add Rule and select Block.
2. Type in the rule name. Select Application Reputation List from the Match method: drop-down menu then click Manage Applications.
3. On the left pane, select a category.
4. On the right pane, select the applications to block then click OK.
  - Trend Micro updates the Trend Micro Application Reputation List periodically to include new applications.
  - To block all applications within a category, select the Application column heading.
  - If user wish to automatically block new applications, they can select the "Block All Application %CATEGORY%" selection on top of the app list in each category.
5. The selected applications are added to the Block Rule Settings list. Click Save.
6. Click OK.
7. Click Save.
To block applications from the Gray Software List, follow the steps from 5a-5g. Make sure that from the Match method drop-down menu, Gray Software List is selected before clicking Manage Applications.

To block applications based from the File or Folder Paths:

From the Application Control Rules, click + Add Rule and select Block.
Type in the rule name. From the Match method drop down menu, select File or folder paths then click Add.

Specify the File or Folder path to block then click Add.

For Example:

C:\Program Files (x86)\Notepad++\notepad++.exe
C:\Program Files (x86)\Adobe

The following table lists the paths that you cannot use in Application Control.

Path
$programdir$\Trend Micro\Client Server Security Agent
$programdirx86$\Trend Micro\Client Server Security Agent
C:\Program Files\Trend Micro\Client Server Security Agent
C:\Program Files (x86)\Trend Micro\Client Server Security Agent
$programdir$\Trend Micro\BM
$programdirx86$\Trend Micro\BM
C:\Program Files\Trend Micro\BM
C:\Program Files (x86)\Trend Micro\BM
$programdir$\Trend Micro\WFBSSUpdater
$programdirx86$\Trend Micro\WFBSSUpdater
C:\Program Files\Trend Micro\WFBSSUpdater
C:\Program Files (x86)\Trend Micro\WFBSSUpdater
$programdir$\Trend Micro
$programdirx86$\Trend Micro
C:\Program Files\Trend Micro
C:\Program Files (x86)\Trend Micro

Wildcards are not supported.

Click Save.
Click OK.
Click Save.

To block applications based from the based Application’s File Hash.
1. From the Application Control Rules, click + Add Rule and select Block.
2. Type in the rule name. From the Match method drop down menu, select Hash values. .
3. From the Input method, you have an option to manually add the hash value of an application to allow or block or by importing a CSV file using the import function.
  
  For Manual Input Method:
  1. Make sure that Manual is selected as the Input method then click + Add.
  2. Type in the application’s file hash. Press enter as you enter each of the application’s file hash. Click Add.
    
    Optionally, provide a note regarding the reason to block the program.
  3. The application’s file hash is added to the File Hash List. Click Save.
  4. Click OK.
  For Import Input Method:
  1. Make sure that Import is selected as the Input method then click Select File.
    1. Download the importFileHashSample.csv by clicking the CSV sample format link to know how to manually create a CSV file.
    2. Download the Hash Generator tool (Hash_Gen_Tool.zip) to obtain the hash values of all installed applications on an endpoint in CSV format. The ZIP file has a README.txt file which includes instructions on how to use the tool.
      
      For more information, visit the WFBS-SVC online help section: Using the Hash Generator Tool.
  2. Once the CSV file is uploaded, click Save and follow the on-screen instructions.

Lockdown Mode

Before locking down an endpoint, Application Control scans the endpoint and creates a complete application inventory. Only applications that already exist in the inventory can execute on the endpoint. During Lockdown, Application Control prevents the execution of upgrade or installation packages.

Depending on the user's environment, the inventory scan can take several hours to complete. Periodically check the Application Control status on the Security Agent console. The inventory scan might also affect endpoint performance. Plan cautiously before applying Lockdown to any server.

Go to the Configure Policy screen by performing one of the following:
- Classic Mode: Go to SECURITY AGENTS and select a group. Click the Menu icon (three vertical dots) > Configure Policy.
- Advanced Mode: Go to POLICIES > Policy Management. Click Add or click an existing policy.
Click on the Windows icon.
On the left pane, under Access Control, click Application Control and enable Application Control.
Make sure that Lockdown: Block all applications not identified during the last inventory scan is selected.

By default, the option Exclude applications by Trend Micro trusted vendors (Recommended) is enabled when switching to Lockdown mode.
Enable Exclude any process tree that originated from a Microsoft-signed program (including Windows Update).

In order for the users to be able to perform Windows Update smoothly, the Lockdown mode feature has an option to exclude Microsoft-signed applications and processes which is disabled by default when enabling Lockdown mode. Trend Micro recommends to disable this option when Windows Update is complete in order for these Microsoft-signed filed to be blocked again since they're not on the inventory scan list.

Disabling the option to exclude Microsoft-signed applications and processes will result to some of the executable files being downloaded on the computer during Windows update to be blocked. This is because that these files were not on the computer when agent performed the inventory scan.

In order for these executable files to execute even after Windows Update, users should trigger another inventory scan. However, when inventory scan is re-triggered, the executable files which were not downloaded during the Windows update will be bypassed.

As a recommendation, users can consider the following:

Re-trigger inventory scan by switching Application Control policy to block mode then back to lockdown mode.

Make sure that Security Agents will get the policy being applied first before switching back to mode.
If there are files that need to be blocked after re-triggering the inventory scan, users can apply block rules to block these PE files.

Supported System Variables

Application Control rules support Windows system variables in file or folder paths. The following table displays the variables supported by Worry-Free Business Security Services.

System Variable	Description
%APPDATA%	Refers to the C:\Users\{current_user_account}\AppData\Roaming folder for the logon user.
%CommonProgramFiles%	Refers to the C:\Program Files\Common Files folder.
%COMMONPROGRAMFILES(X86)%	Refers to the C:\Program Files (x86)\Common Files folder on 64-bit systems.
%LOCALAPPDATA%	Refers to the C:\Users\{current_user_account}\AppData\Local folder for the logon user.
%ProgramData%	Refers to the C:\ProgramData folder.
%PROGRAMFILES%	The Program Files folder. A typical path is C:\Program Files.
%PROGRAMFILES(X86)%	Refers to the C:\Program Files (x86) folder on 64-bit systems.
%SystemDrive%	Refers to the drive where the system folder locates. A typical path is C:.
%SYSTEMROOT%	Refers to the root of the system drive. A typical path is C:\Windows
%TEMP%	Refers to the C:\Users\{current_user_account}\AppData\Local\Temp folder for the logon user.
%TMP%	Refers to the C:\Users\{current_user_account}\AppData\Local\Temp folder for the logon user.
%USERPROFILE%	Refers to user’s profile folder. A typical path is C:\Users\{current_user_account}
%WINDIR%	Refers to the Windows folder located on the system drive. A typical path is C:\Windows

If you're having problems with applications being blocked, Application Control is one of the features that could be the cause. Make sure you've configured it correctly.

Keywords: application control,app control,Trend Micro Certified Safe Software List ,Trend Micro Certified Safe Software,tmcss,environment variable,environment variables,manage applications,blocked path

How to Configure Application Control in Worry-Free Business Security Services (WFBS-SVC)

Product / Version includes:

Worry-Free Business Security StandardAll , Worry-Free Business Security AdvancedAll

Last updated: 2024/08/30

Solution ID: KA-0007714

Category: SPEC , Configure , Troubleshoot

Summary

Worry-Free Business Security Services Application Control feature allows the prevention of applications, regardless of their file extensions, from being executed.

The default mode for Application Control is Block. This mode blocks all applications specified by the Application Control rules unless if they are added to the Application Control whitelist. The Application Control is capable of targeting Safe Applications from the Trend Micro Certified Safe Software List, File and Folder Paths, Hash Values, and Gray Applications.

With Worry-Free Business Security Services 6.6, Trend Micro Application Control Service is introduced which is the standalone module that is capable of providing rule-based policy matching. With the introduction of this service, the Lockdown mode is made available as well. In this mode, an Inventory Scan is performed to calculate and record the SHA256 values of all applications installed on the endpoint. Any application that is not included on the list will be blocked.

Follow the steps in this article to configure Application Control in WFBS-SVC.

EXPAND ALL

Block Mode

Go to the Configure Policy screen by performing one of the following:
- Classic Mode: Go to SECURITY AGENTS and select a group. Click the Menu icon (three vertical dots) > Configure Policy.
- Advanced Mode: Go to POLICIES > Policy Management. Click Add or click an existing policy.
In the Configure Policy page, click on the Windows icon.
On the left pane, under Access Control, click Application Control and enable Application Control.
Make sure that Block: Block specified applications from executing on endpoints is selected then click + Assign Rules.

For Block Mode, a rule has to be assigned first, otherwise, the feature will not be enabled upon clicking Save. The following Error message will be encountered.
To block applications from the Certified Safe Software List:
1. From the Application Control Rules window, click + Add Rule and select Block.
2. Type in the rule name. Select Application Reputation List from the Match method: drop-down menu then click Manage Applications.
3. On the left pane, select a category.
4. On the right pane, select the applications to block then click OK.
  - Trend Micro updates the Trend Micro Application Reputation List periodically to include new applications.
  - To block all applications within a category, select the Application column heading.
  - If user wish to automatically block new applications, they can select the "Block All Application %CATEGORY%" selection on top of the app list in each category.
5. The selected applications are added to the Block Rule Settings list. Click Save.
6. Click OK.
7. Click Save.
To block applications from the Gray Software List, follow the steps from 5a-5g. Make sure that from the Match method drop-down menu, Gray Software List is selected before clicking Manage Applications.

To block applications based from the File or Folder Paths:

From the Application Control Rules, click + Add Rule and select Block.
Type in the rule name. From the Match method drop down menu, select File or folder paths then click Add.

Specify the File or Folder path to block then click Add.

For Example:

C:\Program Files (x86)\Notepad++\notepad++.exe
C:\Program Files (x86)\Adobe

The following table lists the paths that you cannot use in Application Control.

Path
$programdir$\Trend Micro\Client Server Security Agent
$programdirx86$\Trend Micro\Client Server Security Agent
C:\Program Files\Trend Micro\Client Server Security Agent
C:\Program Files (x86)\Trend Micro\Client Server Security Agent
$programdir$\Trend Micro\BM
$programdirx86$\Trend Micro\BM
C:\Program Files\Trend Micro\BM
C:\Program Files (x86)\Trend Micro\BM
$programdir$\Trend Micro\WFBSSUpdater
$programdirx86$\Trend Micro\WFBSSUpdater
C:\Program Files\Trend Micro\WFBSSUpdater
C:\Program Files (x86)\Trend Micro\WFBSSUpdater
$programdir$\Trend Micro
$programdirx86$\Trend Micro
C:\Program Files\Trend Micro
C:\Program Files (x86)\Trend Micro

Wildcards are not supported.

Click Save.
Click OK.
Click Save.

To block applications based from the based Application’s File Hash.
1. From the Application Control Rules, click + Add Rule and select Block.
2. Type in the rule name. From the Match method drop down menu, select Hash values. .
3. From the Input method, you have an option to manually add the hash value of an application to allow or block or by importing a CSV file using the import function.
  
  For Manual Input Method:
  1. Make sure that Manual is selected as the Input method then click + Add.
  2. Type in the application’s file hash. Press enter as you enter each of the application’s file hash. Click Add.
    
    Optionally, provide a note regarding the reason to block the program.
  3. The application’s file hash is added to the File Hash List. Click Save.
  4. Click OK.
  For Import Input Method:
  1. Make sure that Import is selected as the Input method then click Select File.
    1. Download the importFileHashSample.csv by clicking the CSV sample format link to know how to manually create a CSV file.
    2. Download the Hash Generator tool (Hash_Gen_Tool.zip) to obtain the hash values of all installed applications on an endpoint in CSV format. The ZIP file has a README.txt file which includes instructions on how to use the tool.
      
      For more information, visit the WFBS-SVC online help section: Using the Hash Generator Tool.
  2. Once the CSV file is uploaded, click Save and follow the on-screen instructions.

Lockdown Mode

Go to the Configure Policy screen by performing one of the following:
- Classic Mode: Go to SECURITY AGENTS and select a group. Click the Menu icon (three vertical dots) > Configure Policy.
- Advanced Mode: Go to POLICIES > Policy Management. Click Add or click an existing policy.
Click on the Windows icon.
On the left pane, under Access Control, click Application Control and enable Application Control.
Make sure that Lockdown: Block all applications not identified during the last inventory scan is selected.

By default, the option Exclude applications by Trend Micro trusted vendors (Recommended) is enabled when switching to Lockdown mode.
Enable Exclude any process tree that originated from a Microsoft-signed program (including Windows Update).

As a recommendation, users can consider the following:

Re-trigger inventory scan by switching Application Control policy to block mode then back to lockdown mode.

Make sure that Security Agents will get the policy being applied first before switching back to mode.
If there are files that need to be blocked after re-triggering the inventory scan, users can apply block rules to block these PE files.

Supported System Variables

Application Control rules support Windows system variables in file or folder paths. The following table displays the variables supported by Worry-Free Business Security Services.

System Variable	Description
%APPDATA%	Refers to the C:\Users\{current_user_account}\AppData\Roaming folder for the logon user.
%CommonProgramFiles%	Refers to the C:\Program Files\Common Files folder.
%COMMONPROGRAMFILES(X86)%	Refers to the C:\Program Files (x86)\Common Files folder on 64-bit systems.
%LOCALAPPDATA%	Refers to the C:\Users\{current_user_account}\AppData\Local folder for the logon user.
%ProgramData%	Refers to the C:\ProgramData folder.
%PROGRAMFILES%	The Program Files folder. A typical path is C:\Program Files.
%PROGRAMFILES(X86)%	Refers to the C:\Program Files (x86) folder on 64-bit systems.
%SystemDrive%	Refers to the drive where the system folder locates. A typical path is C:.
%SYSTEMROOT%	Refers to the root of the system drive. A typical path is C:\Windows
%TEMP%	Refers to the C:\Users\{current_user_account}\AppData\Local\Temp folder for the logon user.
%TMP%	Refers to the C:\Users\{current_user_account}\AppData\Local\Temp folder for the logon user.
%USERPROFILE%	Refers to user’s profile folder. A typical path is C:\Users\{current_user_account}
%WINDIR%	Refers to the Windows folder located on the system drive. A typical path is C:\Windows

If you're having problems with applications being blocked, Application Control is one of the features that could be the cause. Make sure you've configured it correctly.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

How to Configure Application Control in Worry-Free Business Security Services (WFBS-SVC)

Block Mode

Lockdown Mode

Supported System Variables

How to Configure Application Control in Worry-Free Business Security Services (WFBS-SVC)

Product / Version includes:

Summary

Block Mode

Lockdown Mode

Supported System Variables