With Application Grouping in Endpoint Central, administrators can create logical groups or categories to organize applications based on different criteria such as department, role, function, or any other relevant classification. This grouping allows for better visibility and control over the applications being used within the organization. There are two main types of listing namely Allowlist and Blocklist.
The first step in any application control process is discovering which applications are installed in the network. Endpoint Central's agents scan every endpoint and provide a list of the applications installed in them, along with details of all their executables. Refer below to create application groups.
Application allowlisting is designed to enhance endpoint security by allowing only pre-approved applications to run on endpoints, while blocking all other software. With application allowlisting, organizations can enforce strict control over the applications executed on their endpoints, reducing the risk of malware infections and unauthorized software installations. By creating a list of trusted applications and permitting only those to run, Endpoint Central ensures that endpoints remain secure and protected from potential threats.
Application blocklisting helps organizations prevent the execution of unauthorized or potentially malicious applications on their endpoints. With Endpoint Central, administrators can create a blocklist of specific applications that they want to restrict from running on protected systems. By maintaining this blocklist, administrators can proactively safeguard their endpoints from known security risks, such as malware or unauthorized software.
The applications can be added to specific groups using the different filters while creating an application group. All the discovered applications will be checked to see if they comply with the rules set and will be added to the application group based on this. The different rules that can be set are based on the vendors, product names, executables with valid certificates and the hash value of the EXE(s). Click on the drop-down button near 'All' if you wish to specify any other rule. The other filter rules are as follows:
Trusted Vendors are those software companies that have digitally signed their software with a code signing certificate to verify its authenticity and integrity. Trusting software vendors without valid certificates can cause backdoor attacks. Publisher verification gives app users and organization admins information about the authenticity of the developer's organization. The trusted vendors will be listed and once added to an application group, the applications of the selected vendors will be allowlisted/blocklisted.
This filter can be used to add specific applications from different vendors. The discovered applications will be listed according to the product name.
Applications are composed of several executable files. To ensure authenticity, each executable is digitally signed by the vendor. Application Control shows you these verified files, allowing you to select which ones can be run (allowlisted) or blocked. This is crucial for network security, as any executable with a tampered digital signature will be prevented from executing.
This filter relies on the unique hash value of each executable file. This means that all running processes, even those without valid digital certificates, will be shown to you for review.
The applications under a folder can be allowlisted/blocklisted by specifying the folder path. You can put all the applications that you trust into a folder to group those apps in one go.
Along with facilitating the grouping of legacy applications, Application Control also provides support for Windows 10 and 11 Store Apps. This rule discovers all the StoreApps that run in the managed endpoints and lets you instantly group the applications of your choice.
This feature lets you define custom criteria such as the vendor, product name, verified executable, or file hash to create application rules that are not detected in your network.
The applications can be added to specific groups using the different filters while creating an application group. All the discovered applications will be checked to see if they comply with the rules set and will be added to the application group based on this. The different rules that can be set are based on the vendors, application names, executables with valid certificates and the hash value of the EXE(s). Click on the drop-down button near 'All' if you wish to specify any other rule. The other filter rules are as follows:
Publisher verification gives app users and organization admins information about the authenticity of the developer's organization. When an app has a verified publisher, this means that the organization that publishes the app has been verified as authentic. The vendors will be listed and once added to an application group, the applications of the selected vendors will be allowlisted/blocklisted.
This filter can be used to add specific applications from different vendors. The discovered applications will be listed according to the product name.
The executable files in mac are called binaries and this filter can be used to add the binary files of the applications.
This filter relies on the unique hash value of each executable file. This means that all running processes, even those without valid digital certificates, will be shown to you for review.
The applications under a folder can be allowlisted/blocklisted by specifying the folder path. You can put all the applications that you trust into a folder to group those apps in one go.
This feature lets you define custom criteria such as the vendor, product name, verified executable, or file hash to create application rules that are not detected in your network.
The summary of the application groups created can be viewed by selecting the specific application group. The rule details and the associated custom groups will be listed in the application group summary.
Child processes are processes initiated by running applications. While they can be vulnerable, this setting enables trusted applications to create child processes securely. By allowing only authorized applications to spawn child processes, you can significantly reduce the risk of security breaches. The child processes of the applications would run even if they are blocked.
To configure child process, follow the steps given below:
You have successfully enabled a child process.
If you have any further questions, please refer to our Frequently Asked Questions section for more information.
