Technical Articles ID:
KB79576
Last Modified: 2024-01-17 11:18:09 Etc/GMT
Environment
Application and Change Control (ACC) 6.x
Summary
This article is a consolidated list of common questions and answers for ACC 6.x. It's intended for users who're new to the product, but can be of use to all users.
Recent updates to this article
Date
Update
January 17, 2024
Removed EOL versions
October 21, 2022
Minor formatting changes; no content changes.
Contents
How can I verify the version of Application Control or Change Control through the registry?
The Application Control or Change Control version is contained in the following registry key entry:
What's new in Application Control 6.2.0 Policy Discovery?
Site administrators can view, and take an action on, only the Policy Discovery requests that come from hosts they have access to. Requests from hosts outside the logged-on user's permissions can't be acted on.
Observations are now generated for network path-based file operations. Administrators can discover trusted directory policies for these observations. The observations received from network shares are listed on the Policy Discovery page with the activity Network Path Execution.
New features for Policy Discovery to facilitate better management of the Policy Discovery requests are as follows:
The Policy Discovery page now has more filters on activity, trust level, and system name.
Administrators can now define custom policy rules beyond those suggested by Policy Discovery, using Actions, Create Custom Policy. For this purpose, all policy tabs are now visible. A new action, Clear and define rules, has been added, and the details of the request being acted on are shown on the Create Custom Policy page.
On the Policy Discovery details page, a binary checksum is shown in the Binary Properties section.
The columns User Name, Host Name, and Binary Path have been added to the Policy Discovery details page. Also, Quick find on Host Name has been added.
Administrators can create custom policy rules from threat events directly. For this purpose, a Create Custom Policy action is shown corresponding to events. These events include write denied, execution denied, package change prevented, and memory protection events. From this action, administrators can review the event details and create policy rules accordingly.
For more information, see the Application Control 6.2.0 Product Guide.
What's new in the 6.1.2 Observation mode?
The observation mode features improvements for scalability from this release.
The Policy Discovery page can be used for creating policies for both Observations and Self-Approval events.
Key changes in the Observation mode menu option include the following:
The Self-Approval and Observation mode user interface (UI) have been merged to create a single Policy Discovery page.
Observation and Self-Approval for the same application has one policy candidate entry. You can drill down on a specific row to check for Self-Approval requests or Observation details.
What has changed in the 6.1.2 Observation mode?
The Observation mode feature has been substantially improved for scalability in this release. Administrators will see fewer observations, of higher quality.
Changes affecting the workflows around this feature:
The Observation mode menu item is now Deprecated.
Rule discovery analysis is now done at endpoints to make sure that only the needed events are delivered to ePolicy Orchestrator.
The Process Tree isn't available in the Policy Discovery UI. Process tree (Process Created) creation events were among the primary contributors to observations in previous versions of Application Control.
Identical events (same binary and same activity) from multiple hosts are consolidated into a single row in Policy Discovery. This consolidation makes request processing more efficient and reduces overhead, but it also changes the policy creation mechanism that was available from the Events page in previous releases.
The focus has shifted to discovering the policy candidates that act as change agents for allow-list content, so that the right processes are granted the Updater permission. Instead of observations for EXECUTION_DENIED events on new files, equivalent events are now seen for file additions to the allow list.
Observations aren't generated for network path-based file operations.
Temporary execution allow rules are created on the first invocation of new content. These rules prevent new observations from being generated on repeat executions.
A caching mechanism has been implemented for the Enable mode so that repeated observation requests aren't generated for the same binary.
The Global Self-Approval Rules rule group has been renamed to Global Rules.
Multiple rule groups related to the old Observation implementation have been deprecated, and the suffix Deprecated has been added to their names. For example, Global Observation Rules (Deprecated).
Does Application Control or Change Control 6.x support a Windows 2008 R2 cluster environment?
Yes. Application Control and Change Control 6.x support Windows 2008 R2 in a clustered environment.
Does Application Control support SafeNet ProtectFile: File Encryption and Protection?
No. There's a known incompatibility between Application Control and SafeNet ProtectFile: File Encryption and Protection software.
Why can't I install the Solidcore Agent on Windows XP?
The most common reason for this issue is the default local policy permissions. Perform the following steps and configure the needed permissions:
Log on to the Windows XP computer.
Click Start, Run, type gpedit.msc, and click OK.
Expand Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.
Double-click Network Access: Sharing and security model for local accounts.
In the Local Security Setting tab, select Classic - local users authenticate as themselves, and click OK.
Try to open \\host-name\admin$.
NOTE: You're prompted for credentials. After you provide them, Admin$ opens.
Attempt to install the Solidcore Agent.
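The same check and change, as an added PowerShell example that is not part of this KB. It relies on the fact that the gpedit.msc setting Network access: Sharing and security model for local accounts is stored as the ForceGuest DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (0 = Classic, 1 = Guest only), and it verifies the result with the KB's own test, opening \\host-name\admin$. The function name and the use of Test-Path for the share check are this example's choices. Run it from an elevated PowerShell session (on Windows XP that means PowerShell 2.0 must be installed); gpedit.msc remains the documented route.

```powershell
# Added example: set the local security option the KB describes, then test Admin$.
# Assumption: the policy "Network access: Sharing and security model for local accounts"
# is backed by the ForceGuest DWORD (0 = Classic, 1 = Guest only).
function Set-ClassicSharingModel {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $current = (Get-ItemProperty -Path $lsaKey -Name ForceGuest -ErrorAction SilentlyContinue).ForceGuest

    if ($null -eq $current) {
        Write-Host 'ForceGuest is not present; confirm the setting in gpedit.msc.'
    } elseif ($current -eq 0) {
        Write-Host 'ForceGuest = 0: Classic - local users authenticate as themselves.'
    } else {
        Write-Host 'ForceGuest = 1: Guest only - local users authenticate as Guest.'
    }

    # Only change the value when it is the Guest-only model that blocks the agent push.
    if ($current -eq 1 -and $PSCmdlet.ShouldProcess($lsaKey, 'Set ForceGuest to 0 (Classic)')) {
        Set-ItemProperty -Path $lsaKey -Name ForceGuest -Value 0 -Type DWord
        Write-Host 'ForceGuest set to 0 (Classic).'
    }

    # The KB's verification step: Admin$ must open with the current credentials.
    $adminShare = "\\$ComputerName\admin$"
    if (Test-Path -Path $adminShare) {
        Write-Host "$adminShare is reachable; retry the Solidcore Agent deployment."
        return $true
    }
    Write-Warning "$adminShare is not reachable. Check credentials, the Server service and firewall rules."
    return $false
}

Set-ClassicSharingModel -WhatIf   # preview; drop -WhatIf to apply the change
```

Because the function supports -WhatIf, the registry write is shown before it happens; the share test runs either way, so a $false result with ForceGuest already 0 points at credentials, the Server service or the firewall rather than at this policy.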
Can the same installer be used for Change Control, Integrity Monitor, and Application Control?
Yes. The same installer is used; the license key determines which features are enabled. All features can be used at the same time.
How do I know whether the Solidcore Agent is installed and enabled on a client?
To confirm that the Solidcore Agent has been successfully deployed:
View the Agent Log file from the ePO console.
Log on to the ePO console.
Click Menu, Systems, System Tree and click a client from the displayed list.
Click Actions, Agent, Show Agent Log.
Once the agent deployment is complete, click Wake Up Agents and use the following procedure to view the Solidcore Agent system properties:
Log on to the ePO console.
Click Menu, Systems, System Tree and then select a client.
Click your host. You see the System Details page.
Scroll down to Solidcore to see the product version and installation path.
Click More to view the status of the Agent (enabled or disabled) and the licenses for the features installed on the computer.
Can Application Control or Change Control be deployed on a virtual machine?
Yes. The Solidcore Agent runs successfully on a virtual machine that has an operating system supported by the Solidcore Agent.
What happens during upgrades from releases earlier than Application Control 6.1.2?
The Observation mode menu item is still available, but highlighted as Deprecated.
Self-Approval requests raised in earlier versions are populated in the Policy Discovery UI.
What happens during fresh installations of the Application Control 6.1.2 extension?
Only the Policy Discovery page is displayed.
All Self-Approval requests and Observations raised in Observation or Enable mode are displayed on this page.
Only endpoints with 6.1.2 and later can report observations in this UI.
All endpoints with 6.1.0 and later builds can report Self-Approval requests in this UI.
What is FailSafeConf (shown by 'sadmin config show'), and how do I configure it?
FailSafeConf determines how Application Control behaves if its inventory becomes corrupted (the INVENTORY_CORRUPT condition). It can be set to 0 or 1:
Value = 0 (default): The system restarts with Application Control in disabled mode.
Value = 1: The system goes into a continuous restart loop.
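An added PowerShell check, not part of this KB, that reads FailSafeConf out of 'sadmin config show' and flags the restart-loop setting, since value 1 is effectively fail-closed and a corrupted inventory then takes the host out of service. It assumes sadmin is on the PATH, that the local CLI is unlocked (on ePO-managed endpoints it is locked until 'sadmin recover' is run), and that each output line names the parameter followed by its value; the sample lines at the end are constructed, not real sadmin output, and the function names are this example's own.

```powershell
# Added example: parse FailSafeConf from 'sadmin config show' and report what it means.
# Assumption: output lines have the form "<Name>   <Value>"; the regex also accepts
# "Name: Value" and "Name=Value" in case the format differs on a given build.
function Get-FailSafeConf {
    param(
        # Lines of 'sadmin config show' output; defaults to running the command.
        [string[]]$ConfigLines = (& sadmin config show 2>&1)
    )
    foreach ($line in $ConfigLines) {
        if ($line -match '^\s*FailSafeConf\b\s*[:=]?\s*(\d+)') {
            return [int]$Matches[1]
        }
    }
    return $null   # parameter not found (CLI locked, or command output changed)
}

function Test-FailSafeConf {
    param([string[]]$ConfigLines)
    $value = if ($ConfigLines) { Get-FailSafeConf -ConfigLines $ConfigLines } else { Get-FailSafeConf }
    switch ($value) {
        0       { Write-Host 'FailSafeConf = 0 (default): on inventory corruption the host restarts with Application Control disabled.' }
        1       { Write-Warning 'FailSafeConf = 1: on inventory corruption the host enters a continuous restart loop. Keep this only if fail-closed behaviour is intended and the host can be recovered out of band.' }
        default { Write-Warning 'FailSafeConf not found in sadmin config show output; is the CLI unlocked (sadmin recover)?' }
    }
    return $value
}

# Constructed sample lines (not captured from a real host) so the parse can be exercised offline.
$sample = @(
    'Name                 Value',
    'FailSafeConf         1',
    'OtherParameter       0'
)
Test-FailSafeConf -ConfigLines $sample   # returns 1 and writes the restart-loop warning

# On a host with the CLI unlocked, omit -ConfigLines to read the live value:
# Test-FailSafeConf
```

Changing the value is a separate, deliberate step (sadmin config set, with the CLI unlocked); this example only reports it, because the right setting depends on whether an unbootable host or a host running without Application Control is the bigger risk for that system.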
Which events can disable Application Control or Change Control 6.x?
The following events change the state to Disabled:
INVENTORY_CORRUPT (Application Control)
TRIAL_EXPIRED (Application Control and Change Control)
Can I force the output of Application Control or Change Control 6.x to be displayed in English without changing the operating system locale?
No. You can't configure the language for Application Control or Change Control 6.x. It's based on the language set in the operating system. The output is generated in English if Solidcore detects an unsupported locale.
In future releases, what happens to the rules added to the deprecated rule groups?
When these rule groups are removed, all relevant policy rules in the deprecated rule groups are preserved and migrated to other rule groups.
Why is the "Show Suggestions" link missing from the Events page for new observations?
Before the 6.1.2 release:
Observations and events had a one-to-one mapping.
The Events page included the Show Suggestions link for observations generated in Enable mode that allowed the user to discover policy rules.
As of the 6.1.2 release and later:
The Policy Discovery page serves as a centralized console for discovering policy rules, regardless of the mode in which the endpoint is running.
The Policy Discovery page consolidates identical events (for the same binary and activity) from multiple hosts. These events are consolidated into a single record. This consolidation allows for efficient processing of requests and reduces overhead.
The unified policy discovery mechanism therefore removes the need for the Show Suggestions link, which was dropped as part of the redesign of this feature.
What events are generated with 6.1.2 in Observe mode and Enable mode?
The following table lists the events generated, and the resulting operations, in Observe mode and Enable mode.

Type of Event                                                          | Mode    | Operations
-----------------------------------------------------------------------|---------|------------------------------------------------------------------
Deny Exec (non-network path)                                           | Enable  | Generate observation for "Auth by checksum"
                                                                       | Observe | Solidify the binary/script; allow the operation; no observation
Deny Write                                                             | Enable  | Generate observation for "Updater by name"
                                                                       | Observe | Generate observation; allow the operation
Deny Exec (network path)                                               | Enable  | No observation
                                                                       | Observe | No observation
Package Control Denial                                                 | Enable  | Generate observation for "Updater by checksum"
                                                                       | Observe | Generate observation; allow the operation
ActiveX Denial                                                         | Enable  | Generate observation for certificate
                                                                       | Observe | Generate observation; allow the operation
Memory Protection NX/Process hijack                                    | Enable  | Generate observation for attr bypass
                                                                       | Observe | Generate observation; allow the operation
Executable extracting MSI files                                        | Enable  | Generate observation for "Updater by checksum"
                                                                       | Observe | Generate observation; allow the operation
Executable extracting binary files (exe, dll, driver) and script files | Enable  | Generate observation for "Updater by name"
                                                                       | Observe | Generate observation; allow the operation
What events are generated with 6.2.0 (Linux) in Observe mode and Enable mode?
The following table lists the events generated, and the resulting operations, in Observe mode.
NOTE: Linux doesn't generally support package control, ActiveX, memory protection (MP) or MSI detection, and doesn't by itself provide any form of installer. Also, no observations are created in Enable mode on Linux.

Type of Event | Mode    | Operations
--------------|---------|------------------------------------------------------------------------------------------------
Deny Exec     | Enable  | Out of scope for the first iteration: generate rule for "Attribute authorize by name"
              | Observe | Allow the operation; generate rule for "Attribute authorize by name"; out of scope for the first iteration: generate observation for "Updater by name"
Deny Write    | Enable  | Out of scope for the first iteration: generate observation for "Updater by name"
              | Observe | Allow the operation; generate observation for "Updater by name"; out of scope for the first iteration: mark the current process as an updater with a temporary rule