5 Replies Latest reply on Jan 6, 2015 8:06 PM by Haaris Faizan

    Best way to allow application for upgrade

    Haaris Faizan

      Hi Everyone,

       

      In my environment one of the servers is solidified with Application Control 6.1.3. A request came in in which the user wants to upgrade the CA client IT Manager application from version 12.5 to 12.8.

      So, it's being blocked by Application Control when the user tries to upgrade. I checked policy discovery and all the files that are being blocked are showing there. So what I did was select one of the files and choose the option Allow by publisher globally, for which I have attached the screenshot, and the user was able to upgrade the application without any problem.

       

      What I want to know is:

      1) What is the best/recommended way to allow the upgrade of an application? Is the way I allowed it OK?

      2) In the attached screenshot the expiration date is showing as March 1, 2015. Will the application be blocked after that, or what will be the consequences?

       

      Global.jpg

        • 1. Re: Best way to allow application for upgrade
          Haaris Faizan

          Please reply, anyone?

          • 2. Re: Best way to allow application for upgrade

            1) What is the best/recommended way to allow the upgrade of an application? Is the way I allowed it OK?

            >Yes

            2) In the attached screenshot the expiration date is showing as March 1, 2015. Will the application be blocked after that, or what will be the consequences?

            >No, even though the certificate is expired, it is still valid. So the trust policies will continue to be in effect.

            • 3. Re: Best way to allow application for upgrade
              Haaris Faizan

              Is the way I allowed it the best possible way??

              • 4. Re: Best way to allow application for upgrade
                Regis

                Hi Haaris, if you trust the publisher's wares for all the computers under that policy's purview, and that their cert hasn't been stolen to sign malware (which has happened to at most a handful of publishers), then what you've done is perfectly reasonable. I use publisher trusts in many circumstances like this.

                You could be more surgical if you like. If this is just for one workstation, you could put the workstation into update mode with begin update mode, and then do the upgrade, then end update mode. That would allow any updates between those two times to be allowed. This may be "better" in some circumstances.

                Or you could designate the installer as an updater, in which case the installation program would be allowed to make changes to other programs on all the systems in policy.

                I believe those are your options for this situation.

                I agree with your tacit lament that this product doesn't yet do much with publisher certificates. I think I've put in a PER to include revocation list checking for publisher certs and for the ability to make policy decisions on whether to allow things with expired certs to run.
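
The update-mode option described in reply 4, sketched as a PowerShell wrapper that always closes the update window, even when the installer fails. This is an added example, not part of the thread or vendor code; it assumes `sadmin` is on PATH, the local CLI is usable on the host, `sadmin` returns a non-zero exit code on failure, and `-Installer` points at a hypothetical installer path.

```powershell
# Added example: run one installer inside a bounded Application Control update window.
# Assumptions (not from the thread): sadmin is on PATH, the local CLI is not locked,
# and sadmin signals failure with a non-zero exit code.
param(
    [Parameter(Mandatory)] [string]   $Installer,          # placeholder installer path
    [string[]]                        $InstallerArgs = @() # e.g. silent-install switches
)

$ErrorActionPreference = 'Stop'

function Invoke-Sadmin {
    param([string[]] $Arguments)
    $out = & sadmin @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "sadmin $($Arguments -join ' ') failed (exit $LASTEXITCODE): $out"
    }
    $out
}

if (-not (Test-Path -LiteralPath $Installer -PathType Leaf)) {
    throw "Installer not found: $Installer"
}

# Open the update window; changes made from here on are allowed on this host only.
Invoke-Sadmin @('begin-update') | Out-Null
try {
    $startArgs = @{ FilePath = $Installer; Wait = $true; PassThru = $true }
    if ($InstallerArgs.Count -gt 0) { $startArgs.ArgumentList = $InstallerArgs }

    $proc = Start-Process @startArgs
    if ($proc.ExitCode -ne 0) {
        Write-Warning "Installer exited with code $($proc.ExitCode)"
    }
}
finally {
    # Close the window whether or not the upgrade succeeded, then show the
    # resulting mode so the operator can confirm the host is enforcing again.
    Invoke-Sadmin @('end-update') | Out-Null
    Invoke-Sadmin @('status')
}
```

The `finally` block is the point of the wrapper: a host left in update mode accepts any change, so the window should never outlive the upgrade it was opened for.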

                • 5. Re: Best way to allow application for upgrade
                  Haaris Faizan

                  Thanks for the knowledge sharing & your ideas!!!

                   

                  Actually, the upgrade was to be done on 14 workstations, so I allowed it by publisher.

                  Thanks for the update.