Getting started with Application Control

Application Control is a powerful solution that lets you control the launch of applications on your devices. With Application Control, you can control and manage the use of unwanted and unauthorized applications in your environment.
You can use the
Quick Setup > App Control
interactive steps to help you test and run Application Control.
Application Control overview
With Application Control, you designate a list of applications that are allowed to run. Only applications on the allowed list can run. You can also block a list of applications. Typically, you test your policy rules by running the policy in monitor mode first.
By default, Application Control policies are not applied automatically. You must apply an Application Control policy manually to your device groups.
After you test your rules, you might let users launch certain applications that are not on the allowed list or blocked list. Also, you can designate trusted updaters that can run some applications that are not on the allowed list or blocked list. Both user overrides and trusted updaters can cause your policy rules to look different from what is running in your environment. The difference between the two is called drift.
Symantec-signed applications and Windows operating system applications are automatically added to the allowed list.
What is the Application Control rule precedence?
  • Policy block rules
  • Local allow rules (generated by user overrides and trusted updaters)
  • Policy allow rules
The local allow list permits the applications and files that are allowed by user overrides or trusted updaters to run only on the local device.
If you use Application Isolation, the isolation policies interact with Application Control. See:
Step 1: Review Application Control requirements.
You must have the Application Hardening feature installed on your devices.
Application Hardening is included in cloud-deployed client software for
Symantec Endpoint Security
If you use an enrolled
Symantec Endpoint Protection Manager
, the Symantec Agent installation package for 14 RU1 and later includes Application Hardening by default when you create a client installation package with full protection. See:
Step 2: View the applications in your environment.
  1. You can see all the applications that are currently running in your environment.
  2. Go to
    Discovered Items > Applications
    . See:
Step 3: Configure an Application Control policy.
A default Application Control policy is available in the cloud console. By default, the policy is not applied to any devices or device groups.
You can apply an Application Control policy to selected device groups in
Monitor Only
mode so you can observe how the policy works in your environment before you enforce it.
You can use the default policy or create another policy that is based on the defaults.
You cannot apply an Application Control policy that has no rules. You also cannot apply an Application Control policy that contains only Block rules.
More information
Step 4: Designate Trusted Updaters.
Typically, you want to allow trusted software updates to run smoothly in your environment. You configure trusted updaters to make sure that Application Control does not interfere with these types of updates.
You configure trusted updaters in a separate Trusted Updaters policy. See:
Step 5: Check the Application Control events and reports.
Application Control generates events and includes reports to help you tune your policies.
  • Events
    Go to
    Investigate
    . Under
    Quick Filters > Security Technology Detections,
    select the
    App Control
    filter.
    You can filter events on items such as user overrides and particular detections such as host process detections. See:
  • Reports
    Go to
    Reports and Templates > Report Templates
    . You can generate a Drift Analysis Report or a Blocked Applications Report.
Step 6: Enforce the Application Control policy.
Initially, you should enforce Application Control only on a limited set of devices to make sure that the policy rules work as you expect.
You can configure the policy as
Strict Enforcement
. Users cannot override detections.
Or you can configure the policy as
Enforce with Overrides
to let users override detections of applications that do not appear on either the allowed list or the blocked list. User overrides contribute to application drift.
For any application that a user overrides, any associated files or applications are not added to the local allow list.
Step 7: Analyze the drift between your policy rules and the applications that run in your environment.
User overrides and trusted updater updates add items to the local allowed list on your devices. Over time the applications that run on your devices do not match the applications that you list in your Application Control policy. The difference is called drift. Periodically you should check and update your policies to resolve these differences.
When you apply a new version or a new Application Control policy to your devices, you should check the user overrides and consider adding the applications to the policy.
You can run reports to help you analyze the drift.
You might want to weigh how many user overrides are performed for certain applications to determine if you want to allow those applications. See: