How can I know if a process is valid or not?



      Hi Guys,

      I'm in a very big implementation of Application Control. We are now testing the application on some pilot users, but I see a few events in ePO regarding execution denied. How can I know if the processes are valid or not?

      For example (see attached image) process.PNG

      How can I know if this is a valid process?

      Also I see HIPS drivers and print drivers being blocked. For those, I know that this is valid execution, but this kind of execution I have no idea about.

      Any advice?



          Identifying valid processes, especially for the implementation of Application Control, is surely a huge pain in the A**!!

          This would be a lot easier if your company has implemented Active Directory and absolutely standardized all used applications (unlike ours).

          You will have to perform a lot of tests, especially if you will do the whitelisting, like considering process dependencies and so on...

          If you don't, you may find yourself bombarded with calls from your software deployment team (because they cannot push apps anymore), from your development team (because they cannot run their homegrown apps anymore), or from several VIPs who cannot sync their super expensive phones onto their laptops.

          Before implementing it with your pilot users, I suggest creating a "lab" first with at least 3-5 workstations (preferably on different platforms) simulating your current infrastructure. Also create a simulation of your current servers with Application Control, where you will "test" all your policies and see from there any applications or processes that aren't supposed to be blocked. With all the data you gather from the "lab" test, that is the time when you can deploy it to pilot users in production.

            Great answer darkshyre

            Yes, I ran this solution on test computers in a LAB and now I'm testing on production users (pilot).

            And this event I only see on a particular user.

            I think that I need to review this process in a more specific way. What I don't want to do is create a lot of policies, a lot of updaters, and allowed binaries, because at the end of the day this solution will be doing nothing because everything is excluded.

            I think that a lot of this work is about common sense and seeing if the updater is really necessary or not.

            Thanks for your time,
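One way to start the "review this process in a more specific way" step from the reply above is to triage the blocked executables by Authenticode signature and hash before deciding on any updater or binary rule. The following PowerShell script is an added example written for this thread; it is not code from the original post, from McAfee, or from ePO. It assumes you have exported the execution-denied events to a CSV with a column named `FilePath` (the column name and the file paths are assumptions; adjust them to your export) and that you run it on the workstation where the blocked files live.

```powershell
# Added example (not from the thread): triage a list of blocked executables
# exported from ePO by checking the Authenticode signature and recording the
# SHA256 hash of each file. Column name 'FilePath' and the CSV paths below are
# assumptions, not part of any ePO export format.
param(
    [string]$EventCsv  = 'C:\temp\blocked_events.csv',   # assumed input path
    [string]$ReportCsv = 'C:\temp\blocked_triage.csv'    # assumed output path
)

$rows = Import-Csv -Path $EventCsv

$report = foreach ($row in $rows) {
    $path = $row.FilePath

    # A file that no longer exists cannot be checked; flag it for manual follow-up.
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{
            Path = $path; Exists = $false; Signature = 'n/a'; Signer = ''; SHA256 = ''
            Verdict = 'file missing on disk; inspect the event and the user manually'
        }
        continue
    }

    $sig    = Get-AuthenticodeSignature -LiteralPath $path
    $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # Signature status tells you WHO published the binary, not whether it
    # belongs in your environment; the verdict is only a triage hint.
    $verdict = switch ($sig.Status) {
        'Valid'     { 'signed by a publisher trusted on this host; check the signer against your software inventory' }
        'NotSigned' { 'unsigned; identify the owning team before allowing it by hash' }
        default     { "signature problem ($($sig.Status)); treat as suspicious until explained" }
    }

    [pscustomobject]@{
        Path = $path; Exists = $true; Signature = $sig.Status
        Signer = $signer; SHA256 = $hash; Verdict = $verdict
    }
}

$report | Export-Csv -Path $ReportCsv -NoTypeInformation
$report | Format-Table -AutoSize
```

The report groups blocked files into three buckets: signed by a known publisher (compare the signer with what your software deployment team actually pushes), unsigned (the homegrown apps darkshyre mentions usually land here, and the owning team has to vouch for them), and signature errors (tampered, expired, or revoked signatures, which should not be whitelisted just because a user asked). Keeping the SHA256 column lets you recognise the same binary when it shows up again on another pilot machine instead of reviewing it twice, and it keeps the number of exceptions tied to binaries you have actually looked at rather than to every call that comes in.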