Before a device enters a Lockdown Mode, the Security Agent will run an inventory scan to build a database that will contain the list of all existing applications and installed software that will be allowed to run.
When Lockdown Mode is enabled, an application is blocked for any of the following reasons:
- The application is not found in the inventory scan database on the endpoint
- The application is not in the Trusted Program List
- The application does not match any Allow criteria defined in the User-defined Rule table
- The application matches any Block criteria defined in the User-defined Rule table
Here are some scenarios where you need to manually adjust the policy setting and add corresponding Allow criteria when using the Lockdown Mode feature:
Some applications will extract a compressed file or download related executables. These executables will be launched during the installation or execution phase.
For this scenario, please select “Exclude applications by Trend Micro trusted vendors”. This option will automatically allow all applications that Trend Micro threat experts have determined come from trusted vendors.
Some executables do not have a valid certificate signature.
For this scenario, you can create a corresponding Certificates-based Allow criteria for these executables. For example, if the executable is signed by Trend Micro, you may add an Allow criteria with the following configuration:
Name: Allow Trend Micro
Trust Permission: Application can execute other processes
Match Method: Certificates
Use the following settings:
Specify certificate type: Trusted
Certificate Properties: Subject Name (CN) = Trend Micro*
When allowing Windows Update: Windows update is a very complex behavior in terms of process usage. There are three (3) main reasons why it is complex:
- Some endpoints installed with .NET framework or Windows Defender will trigger a different update package, compared to endpoints that are not installed with the aforementioned software.
- There are varying install packages for different Windows platforms. For example, Windows 7 and Windows 10 will have totally different update packages even if they fix the same issue.
- If the endpoint is installed with a language package, the update package will be totally different, since the package is chosen according to the system language of the Windows platform.
In summary, Windows has several components and different approaches when it comes to updating its system, depending on the platform, language and installed packages. Writing a single Allow criteria that covers every application involved is quite a challenge. For this, it is recommended to add a File paths-based Allow criteria with the following configuration:
Name: Allow Windows Update
Trust Permission: Application can execute other processes
Match Method: File paths
Use the following File paths setting:
Path: Specific path
Type: String
File path: C:\Windows\System32\wuauclt.exe
Also, to ensure that Microsoft-signed applications are trusted, create an additional Certificates-based Allow criteria with the following configuration:
Name: Allow Microsoft App
Trust Permission: Application can execute other processes
Match Method: Certificates
Use the following Certificates settings:
Specify certificate type: Trusted (valid or expired)
Certificate Properties:
(Subject Name (CN) AND Subject Organization = Microsoft Corporation) OR
(Issuer Organization (O) = Microsoft Corporation AND Issuer Name (CN) = Microsoft*)
Some applications depend on .NET to run properly. An Allow criteria is recommended with the following settings:
Name: Allow Microsoft NET
Trust Permission: Application cannot execute other processes
Match Method: File paths
Use the following File paths settings:
Path: Specific path
Type: String
File paths:
- C:\Windows\assembly\*
- C:\Windows\Microsoft.NET\*
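To make the evaluation order concrete, the following is an added Python model of how a Lockdown verdict combines the inventory scan database, the Trusted Program List and the four Allow criteria above; it is not Trend Micro code. It assumes that "Trusted" alone means a valid signature while "Trusted (valid or expired)" also accepts an expired one, that a child process is allowed only when its parent matched a criteria with "Application can execute other processes", and one reading of the Microsoft CN/O clause; all sample paths and certificate values are constructed.

```python
import fnmatch
from dataclasses import dataclass

@dataclass
class App:                          # process attributes the criteria inspect (constructed)
    path: str
    subject_cn: str = ""
    subject_o: str = ""
    issuer_cn: str = ""
    issuer_o: str = ""
    cert: str = "none"              # signature status: "valid", "expired" or "none"
    parent: "App | None" = None     # process that launched this one

@dataclass
class Rule:
    name: str
    action: str                     # "allow" or "block"
    can_spawn: bool                 # Trust Permission "can execute other processes"
    match: object                   # callable App -> bool (File paths or Certificates test)

def glob(value, pattern):           # case-insensitive wildcard match used by both methods
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def path_rule(name, patterns, can_spawn=True):
    return Rule(name, "allow", can_spawn, lambda a: any(glob(a.path, p) for p in patterns))

def cert_rule(name, statuses, test, can_spawn=True):
    return Rule(name, "allow", can_spawn, lambda a: a.cert in statuses and test(a))

RULES = [  # the four Allow criteria from the article; "Trusted" alone read as valid only
    cert_rule("Allow Trend Micro", {"valid"}, lambda a: glob(a.subject_cn, "Trend Micro*")),
    path_rule("Allow Windows Update", [r"C:\Windows\System32\wuauclt.exe"]),
    cert_rule("Allow Microsoft App", {"valid", "expired"},  # assumed reading of the CN/O clause
              lambda a: a.subject_o == "Microsoft Corporation" or
              (a.issuer_o == "Microsoft Corporation" and glob(a.issuer_cn, "Microsoft*"))),
    path_rule("Allow Microsoft NET", [r"C:\Windows\assembly\*", r"C:\Windows\Microsoft.NET\*"],
              can_spawn=False),
]

def decide(app, inventory, trusted, rules=RULES):
    """Lockdown verdict for one process as (verdict, reason); Block criteria are checked first."""
    hits = [r for r in rules if r.match(app)]
    for r in hits:
        if r.action == "block":
            return "block", r.name
    for name, known in (("inventory scan database", inventory), ("Trusted Program List", trusted)):
        if app.path.lower() in known:
            return "allow", name
    if hits:                        # remaining hits are Allow criteria
        return "allow", hits[0].name
    if app.parent is not None:      # inherit the parent's criteria only if it permits spawning
        verdict, reason = decide(app.parent, inventory, trusted, rules)
        if verdict == "allow" and any(r.name == reason and r.can_spawn for r in rules):
            return "allow", reason
    return "block", "no Allow criteria matched"
```

Running it with a constructed wuauclt.exe that launches an installer shows why the Windows Update criteria needs "can execute other processes", while a process dropped by a .NET binary is still blocked because that criteria denies spawning.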
After software maintenance, disable and re-enable Lockdown Mode by switching between “Allow: All other applications can execute” and “Lockdown: Block all applications not identified during the last inventory scan” to trigger another inventory scan on the endpoint.
The following images show when Application Control is in Normal and Lockdown Modes:
To import Application Criteria from the console directly:
- Download the ApplicationControl_AllowCriteria_Lockdown.zip file.
- Launch the Apex Central console and go to Policies > Policy Resources > Application Control Criteria.
- Click Add Criteria and then select "Import".
- Browse for the downloaded zip file for importing.
- Deploy the Application Control criteria in the Apex One Security Agent Policy.
For more information about Apex One as a Service or any of our Trend Micro products, please visit our Online Help Center.