Logically, application blocking makes no sense to me.
If users can install applications, that means they have local admin in a lot of cases.
The question is do you want to block applications, or prevent them from being installed at all?
Instead, I would use A/V policy to delete unwanted programs.
It is much easier to focus on what you want to deny, rather than what you want to allow based on corporate policy.
Application blocking will block all applications and require manual additions of all running applications. It has been done but it's very tedious. Also once you have the rules defined you'll be practically freezing the workstation with its current configuration. For example any Windows updates will not function. The only time we've implemented application blocking within HIPS is on publicly accessible kiosk machines designed to do a specific role such as web browsing etc.
There are two basic approaches with Application Blocking - whitelisting and blacklisting.
With whitelisting you're going to explicitly detail which applications are allowed to run and all others will be denied. This is a very powerful capability that can provide a lot of protection (McAfee uses this approach with their field sales and field SE machines) and keep the users from installing non-approved software. However, it's also a LOT of work and decisions have to be made such as "should we allow notepad.exe and if so, should we allow wordpad.exe". It can be nearly impossible to implement unless you're targeting a standardized host configuration.
At customer sites we tend to start with a blacklisting approach. We set all of the systems to adaptive mode to allow the running applications to be collected and populated back to ePO. Then in a review process we go through the applications and find the ones we don't want and move them into a policy. IMO, it's a much more reasonable way to start as you can get the HIPS client out on the workstations without 'breaking' any existing applications and then tighten up from there.
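The two approaches described in the posts above (whitelist = default deny with explicit allows, blacklist = default allow with explicit denies, plus an adaptive learning pass followed by a review) can be modelled in a few lines. The following is an added example written for this thread; it is not McAfee HIPS or ePO code and does not use any McAfee API. The class name `AppBlockingPolicy`, the `adaptive` flag, the `finish_learning` review step and all file paths are assumptions constructed for the illustration. It shows why a reviewed whitelist "freezes" the host: a binary that first appears after learning has ended (for example one dropped by an update) is denied.

```python
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    ALLOWLIST = "allowlist"  # whitelisting: default deny, explicit allow
    DENYLIST = "denylist"    # blacklisting: default allow, explicit deny


@dataclass
class AppBlockingPolicy:
    """Toy model of an application-blocking policy (illustration only,
    not a HIPS/ePO API). Rules are normalized executable paths."""
    mode: Mode
    rules: set = field(default_factory=set)
    adaptive: bool = False              # assumed analogue of HIPS adaptive mode
    learned: set = field(default_factory=set)

    @staticmethod
    def normalize(path: str) -> str:
        # Case-insensitive, backslash-only comparison of Windows paths.
        return path.strip().lower().replace("/", "\\")

    def evaluate(self, exe_path: str) -> str:
        """Decide one process launch: 'allow', 'deny' or 'learned'."""
        p = self.normalize(exe_path)
        if self.mode is Mode.DENYLIST:
            return "deny" if p in self.rules else "allow"
        if p in self.rules:
            return "allow"
        if self.adaptive:
            self.learned.add(p)         # record it, do not block it
            return "learned"
        return "deny"                   # default deny once learning is over

    def finish_learning(self, reject=frozenset()) -> set:
        """Review step: promote learned paths to allow rules, except the
        ones the reviewer rejects, then leave adaptive mode."""
        rejected = {self.normalize(r) for r in reject}
        found = self.learned & rejected
        self.rules |= self.learned - rejected
        self.learned.clear()
        self.adaptive = False
        return found


# Constructed sample of process launches seen on one workstation during rollout.
OBSERVED_LAUNCHES = [
    r"C:\Windows\System32\notepad.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Program Files\Vendor\App\app.exe",
    r"C:\Users\alice\Downloads\coolgame.exe",
    r"C:\Windows\System32\svchost.exe",
]

# Constructed path standing in for a binary delivered by a later update.
UPDATE_BINARY = r"C:\Windows\WinSxS\updated-component\newservice.exe"


def denylist_demo() -> dict:
    """Blacklist: only the one unwanted program is denied, everything else runs."""
    policy = AppBlockingPolicy(
        Mode.DENYLIST,
        rules={AppBlockingPolicy.normalize(r"C:\Users\alice\Downloads\coolgame.exe")},
    )
    return {p: policy.evaluate(p) for p in OBSERVED_LAUNCHES}


def allowlist_demo() -> tuple:
    """Whitelist via learning: collect, review, enforce, then hit the freeze."""
    policy = AppBlockingPolicy(Mode.ALLOWLIST, adaptive=True)
    during_learning = [policy.evaluate(p) for p in OBSERVED_LAUNCHES]
    policy.finish_learning(reject={r"C:\Users\alice\Downloads\coolgame.exe"})
    after_review = {p: policy.evaluate(p) for p in OBSERVED_LAUNCHES}
    update_result = policy.evaluate(UPDATE_BINARY)   # never learned -> denied
    return during_learning, after_review, update_result


if __name__ == "__main__":
    print("denylist:", denylist_demo())
    learned, enforced, upd = allowlist_demo()
    print("allowlist during learning:", learned)
    print("allowlist after review:", enforced)
    print("update binary after freeze:", upd)
```

The denylist run allows every sample launch except the one named rule; the allowlist run allows the four reviewed paths, denies the rejected download, and denies the update binary because it was never seen during learning. That last result is the "frozen workstation" effect the post describes, and it is why learning has to be re-opened, or the new binaries added by hand, after every change to the standard image.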
I thought application blocking blocked everything unless it was specifically allowed? Can you set it to black list instead of blocking everything?
You can set it up either way. As discussed previously, whitelisting (only allow specific applications) is very tedious to set up and works best for kiosk or "standard image" type configurations. I use blacklisting to eliminate applications that I just don't want running in our environment.
Sorry, tried just blocking a single app and HIPS blocked everything. The blacklist approach doesn't work for me. How do I actually set it up?
Enable adaptive mode and the remaining rules will be automatically written. You could also enable learn mode but it's very tedious to have to answer 'yes' to every prompt. With adaptive you let the system learn and then review what it has learned for additional exceptions.