Prevent File Execution with Application Control

Application Control is an optional feature on Windows machines that allows you to block the execution of specifically marked malicious files on any endpoint on which Application Control is enabled. When remediating MalOps, you have the option to prevent associated malicious files from running on the machines on which they were found using Application Control.

Application Control is supported on specific Windows operating systems (see Endpoint machine prevention features for a list).

How Application Control works

When you enable Application Control and you mark an item for prevention, Application Control prevents executables or modules (.exe and .dll files) from executing, based on their MD5 or SHA-1/SHA-256 file hash.

Specifically, the Cybereason platform performs the following actions:

  • All machines on which the item already exists immediately prevent the item from executing.

  • The Cybereason platform sends the hashes for the marked item to all the endpoints in the organization on which Application Control is enabled.

    Note

    Application Control is not supported on endpoints with Cluster Shared Volume (CSV).

  • The Cybereason platform adds every hash marked for prevention to the blocklist.

  • The Cybereason platform generates an Endpoint Protection MalOp of type App Control when the hash is prevented in the future.

Important

Be careful not to mark critical applications such as cmd.exe, explorer.exe, and PowerShell for prevention. If you do choose to prevent critical applications, note that legitimate processes may be prevented as well.
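As an added illustration (not Cybereason code), the following Python models the rules described above: only .exe and .dll items are controlled, a marked item is blocklisted by its MD5, SHA-1 and SHA-256 digests, each blocked execution attempt is tallied as "Prevented successfully", and marking a critical application such as cmd.exe is refused. The class, method names and sample bytes are constructed for this example.

```python
import hashlib
from collections import Counter

# Hash algorithms Application Control matches on (MD5, SHA-1, SHA-256).
ALGORITHMS = ("md5", "sha1", "sha256")
# Only executables and modules are subject to Application Control.
CONTROLLED_SUFFIXES = (".exe", ".dll")
# Critical applications the page warns against marking (hypothetical guard).
CRITICAL_NAMES = {"cmd.exe", "explorer.exe", "powershell.exe"}


def file_hashes(data: bytes) -> dict:
    """Return the MD5, SHA-1 and SHA-256 hex digests of a file's contents."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


class AppControlModel:
    """Toy model of one endpoint's hash blocklist (constructed, not product code)."""

    def __init__(self, enabled: bool = True):
        self.enabled = enabled          # Application Control on/off for this endpoint
        self.blocklist = set()          # every hash marked for prevention
        self.prevented = Counter()      # "Prevented successfully" count per item (SHA-256)

    def mark_for_prevention(self, name: str, data: bytes) -> set:
        """Mark an item: all three digests go on the blocklist."""
        if name.lower() in CRITICAL_NAMES:
            raise ValueError(f"refusing to mark critical application {name}")
        hashes = set(file_hashes(data).values())
        self.blocklist |= hashes
        return hashes

    def stop_preventing(self, data: bytes) -> None:
        """Remove an item's digests from the blocklist (the 'Stop preventing' action)."""
        self.blocklist -= set(file_hashes(data).values())

    def try_execute(self, name: str, data: bytes) -> bool:
        """Return True if execution is allowed, False if it is prevented."""
        if not self.enabled or not name.lower().endswith(CONTROLLED_SUFFIXES):
            return True                 # disabled endpoint or uncontrolled file type
        hashes = file_hashes(data)
        if any(digest in self.blocklist for digest in hashes.values()):
            self.prevented[hashes["sha256"]] += 1
            return False
        return True
```

Note that a renamed copy with the same bytes is still blocked, while a modified copy with different bytes is not, which is the inherent limit of hash-based control.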

Enable Application Control

You enable Application Control through Sensor Policies or by using installation parameters.

Note

Installation parameter settings override policy settings for that sensor.

Enable in a sensor policy (recommended):

In a sensor policy, in the App Control screen, enable Application Control.


Enable in installation parameters:

When you install a sensor, you can enable or disable Application Control with the AP_APP_CTRL command line parameter as follows:

  AP_APP_CTRL value   Description
  1                   Enable Application Control
  2                   Disable Application Control (default)

Mark files for prevention

Analysts can mark executables or modules for prevention using one or more of the following methods:

Malops management screen:

  1. On the left of the Malops management screen, above the MalOp results, click Respond.

  2. Select ‘Malop is malicious - Remediate’.

  3. Select ‘Prevent execution’ and click Respond.

Malop details screen:

  1. In the top right of the Malop details screen, click Respond.

  2. Select the Prevention checkbox and click Apply.

Investigation screen:

  1. In the Element details screen, click Prevention.

  2. Click Prevent.

Reputation screen:

  Add a new reputation using the Add option, or update the CSV file containing reputation information.

To stop prevention later, use the Investigation screen to locate the item you prevented. From the item’s Element Details pane, click the Prevention button and select Stop preventing.

View prevention details

You can run queries or filter to find specific items on which Application Prevention was applied.

In the details for a prevented item, items that are marked for prevention show a Marked for prevention designation. The next time a file with that hash tries to execute, the Cybereason platform prevents it from executing.

You can also see how many execution attempts by files with this hash have already been blocked. This count appears under the label Prevented successfully.

Information about the items that were prevented from execution is available in the following Cybereason UI screens:

  • Reputation screen

  • Investigation screen

In addition, you can use the Export to CSV action from the System > Sensors screen to download a CSV file that lists the endpoints in your organization. The downloaded sensor list shows the Application Control status of each machine.