Set up Application Control

Application Control continuously monitors your server and logs an event whenever a software change occurs. It is not intended for environments with self-changing software or that normally creates executables, such as some web or mail servers. To ensure Application Control is appropriate for your environment, check What does Application Control detect as a software change?.

For information about how Application Control works, see About Application Control and Application Control Trust Entities.

Procedure

1. Turn on Application Control.
2. Monitor new and changed software.
3. Turn on maintenance mode when making planned changes.

What to do next

This article also provides Application Control tips and considerations that you should be aware of when working with Application Control.

• View and change Application Control rulesets
• Reset Application Control after too much software change
• Monitor Application Control events
• Use the API to create shared and global rulesets

Turn on Application Control

Procedure

1. Open the Computer or Policy editor and go to Application Control → General .
2. Set the to "On" or "Inherited (On)".
3. Under , select your targeted protection state:
   • (we recommend that you choose this option when initially setting up Application Control)
4. Click .

What to do next

The next time that Server & Workload Protection and the agent connect, the agent scans and then generates an inventory of all software installed on the computer and creates rules that allow all the software that it finds. This initial inventory can take 15 minutes or longer, depending on your environment.

To check that Application Control is working as expected, follow the instructions in Verify that Application Control is enabled.

Monitor new and changed software

Once an inventory has been created on a protected computer, any software executable files that are added or changed are classified as a "software change" and appear on the page in Server & Workload Protection . When unrecognized software runs, or attempts to run and is blocked, the event is listed under Events & Reports → Events → Application Control Events → Security Events . For more information, see Application Control events.

After you initially enable Application Control, you will likely see a lot of software changes on the page. This can happen when allowed software creates new executables, renames files, or relocates files through the normal course of operation. As you add rules to tune Application Control, you should see fewer software changes.

To quickly find all software changes on all computers and easily create allow or block rules for them, use the tab.

Tip

You can automate the creation of software ruleset allow or block rules using the Server & Workload Protection API. For more information, see Allow or block unrecognized software.

Procedure

1. In the Server & Workload Protection console, go to .

Tip

Instead of evaluating each software change on each computer individually, use the filters described below to find software changes that you know are good, and allow them in bulk.

From the drop-down list next to , select a time range such as . You can also click a bar in the graph near the top of the page to display the changes for that time period.

In the pane on the left, click and select an individual computer or group, or click to display only the computers that are included in a particular smart folder (see Group computers dynamically with smart folders).

Note

Unlike the tab, the pane usually does not show all computers. It only displays computers where Application Control has detected software changes that don't already have allow or block rules.

Enter search terms and operators in the search filter field. You search for these attributes: Change By Process, Change By User, File Name, Host Name, Install Path, MD5, SHA1, and SHA256. For example, you could find all changes made by a particular user that you trust and click to allow all of their changes. Or if a particular software update was installed across your organization (while maintenance mode was not enabled), filter the page according to the hash value of the file and click to allow all occurrences.

Tip

Details about a software change are displayed in the right pane. You can click the file name or computer name in the details to add it to your search filter.

What to do next

Tips for handling changes

• For most environments, we suggest that you select the option to allow software changes by default when you first enable Application Control and add allow and block rules for changes that you see on the page. Eventually, the rate of software changes should decrease. At that point, you could consider blocking software changes by default and creating allow rules for the software that you know is good. Some organizations prefer to continue to allow changes by default and monitor the page for software that should be blocked.
• You may prefer to start by evaluating security events, rather than dealing with unrecognized software first. Security events show you which unrecognized software has run (or attempted to run). For information on security events, see Monitor Application Control events.
• When an unrecognized file is allowed to execute and you want to continue to allow it, create an Allow rule. In addition to allowing the file's execution, the event is no longer logged for that file, which reduces noise and makes important events easier to find.
• When a known file's execution is blocked, consider cleaning that file from the computer, especially for repeated occurrences.
• Keep in mind that software changes are listed for each computer where they occur. You must allow or block the software for each computer.
• Rules are assigned to computers, not to policies. For example, if helloworld.py is detected on three computers, when you click or , this would affect only three computers. It won't affect future detections on other computers, because they have their own rulesets.
• If you see changes related to software updates that you can control, use the maintenance mode feature when performing those updates. See Turn on maintenance mode when making planned changes.
• Do not run Application Control in lockdown mode on computers and servers that have automatic updates enabled.

Turn on maintenance mode when making planned changes

When you install patches, upgrade software, or deploy web applications, Application Control will detect them. Depending on your setting for how to handle unrecognized software, this could block that software until you use the tab to create allow rules.

To avoid extra down time and alerts during deployment and maintenance windows, you can put Application Control into a mode designed for maintenance windows. While maintenance mode is enabled, Application Control will continue to block software that is specifically blocked by an Application Control rule, but it will allow new or updated software to run and automatically add it to the computer's inventory.

Tip

You can automate maintenance mode using the Server & Workload Protection API. For more information, see the Configure maintenance mode during upgrades guide.

Procedure

1. In the Server & Workload Protection console, go to .

Maintenance mode will automatically disable itself when your maintenance window is scheduled to end. Alternatively, if you'd prefer to manually disable maintenance mode when updates are finished, select .

What to do next

Application Control tips and considerations

• For better performance with Application Control, use Server & Workload Protection anti-malware instead of Windows Defender. See Ensure that Windows Defender is fully disabled after installation of the Anti-Malware module on Windows Server 2016.
• If you create a block rule for a batch file or PowerShell script, you will not be able to copy, move, or rename the file when using its associated interpreter (powershell.exe for PowerShell scripts or cmd.exe for batch files).
• If you add an allow or block rule, it is normally sent to the agent the next time the agent connects to Server & Workload Protection . If you see an error saying that the ruleset upload was not successful, verify that network devices between the agent and Server & Workload Protection or relay allow communications on the heartbeat port number or relay port numbers.
• To verify that a block rule is working, try to run the software that you just blocked. (For details on how the agent detects changes, see What does Application Control detect as a software change?)
• When blocked software remains installed, Application Control continues to record logs and show alerts when it blocks the software from running. To reduce the permission error logs on the computer and also reduce your attack surface, uninstall the software that Application Control is blocking. Once that is done, if you want to dismiss related alerts, either go to or go to , click the alert, and then click . Not all alerts can be dismissed. For more information, see Predefined alert definitions.
• For performance reasons, if the computer has too much software change, Application Control will continue to enforce existing rules, but stop detecting and displaying software changes. To resolve this, see Reset Application Control after too much software change.