I imported the rule set "Application Control" from the library. It has two sub rule sets:
- Block Applications in Request Cycle
- Block Applications in Response Cycle
This makes me kind of curious: if I add applications to an application block list: do I have to run this check in the request or in the response cycle (or in both)? If there is a difference between some applications: how would I tell them apart?
The system list "Application Name" is obviously a McAfee maintained one. The list "List of Applications to Search for in Response Cycle" from the imported rule set is customer maintained. How would I know if I need to add a new application to one or the other cycle?
Ok, these questions let me think that for now I will check for the application in both cycles, just to be on the safe side. Would that be too costly?
Where in the rule tree would I locate Application filtering?