Application Control modes

Application Control operates in one of these supported modes.

Observe

Indicates that the application is in effect but does not prevent any execution or changes made on the endpoints. Using Observe mode is a practice run for Application Control to gather information without taking action. Observe mode is available only on the Windows platform.

Note: Memory-protection techniques are not enabled in Observe mode.

Observe mode helps you discover relevant policies for your enterprise. The product identifies policy candidates by monitoring execution activities and comparing them with the local inventory and predefined rules. When running in Observe mode, Application Control emulates Enabled mode but only logs observations.

Observe mode also supports reputation-based execution. When you execute a file at an endpoint, the software fetches its reputation and the reputation of all certificates associated with the file to determine whether to allow or ban the file execution.

  • Trusted files — If the reputation for an executable file or its associated certificate is trusted, the file is allowed to run, unless blocked by a predefined ban rule. No corresponding observation or event is generated.
  • Malicious files — If the reputation for an executable file or its associated certificate is malicious, the file is not allowed to execute and no corresponding observation is generated. A corresponding event is generated and displayed on the Solidcore Events page. The settings configured for your enterprise determine the reputation value that is banned. You can choose to ban only Known Malicious, Most Likely Malicious, Might be Malicious files, or all such files.
  • Unknown — If the reputation for an executable file or its associated certificate is unknown, reputation is not used to determine execution. Application Control performs multiple other checks to determine whether to allow or block the file. For more information, see Checks that Application Control runs for a file.

Note: Regardless of the file's reputation, if a ban by name, SHA-1, or SHA-256 rule exists for an executable file, its execution is banned. No corresponding observation is generated. A corresponding event is generated and displayed on the Solidcore Events page.

All files that are allowed to execute in Observe mode are automatically added to the whitelist, if not already present in the whitelist. An observation is logged that corresponds to the action Application Control takes in Enabled mode. For example, if not authorized, the execution of Adobe Reader is prevented in Enabled mode. In Observe mode, the file is allowed to execute unless it is banned by a specific rule or has a malicious reputation.

Place Application Control in Observe mode to:

  • Check the compatibility of Application Control with existing software during initial deployment.
  • Test an application before enterprise-wide deployment to endpoints already running Application Control.
  • Create trusted updater policies for the applications in your enterprise.

For more information about Observe mode, see Deploying Application Control in Observe mode.

Enabled

Indicates that protection is effective. Enabled mode is the recommended mode of operation.

Enabled mode supports reputation-based execution. When you execute a file at an endpoint, the software fetches its reputation and the reputation of all certificates associated with the file to determine whether to allow or ban the file execution.

  • Trusted files — If the reputation for an executable file or its associated certificate is trusted, the file is allowed to run, unless blocked by a predefined ban rule. No corresponding event or observation is generated.
  • Malicious files — If the reputation for an executable file or its associated certificate is malicious, the file is not allowed to execute and no corresponding observation is generated. A corresponding event is generated and displayed on the Solidcore Events page. The settings configured for your enterprise determine the reputation value that is banned. You can choose to ban only Known Malicious, Most Likely Malicious, Might be Malicious files, or all such files.
  • Unknown — If the reputation for an executable file or its associated certificate is unknown, reputation is not used to determine execution. Application Control performs multiple other checks to determine whether to allow or block the file. For more information, see Checks that Application Control runs for a file.

Note: Regardless of the file's reputation, if a ban by name, SHA-1, or SHA-256 rule exists for an executable file, its execution is banned. No corresponding observation is generated. A corresponding event is generated and displayed on the Solidcore Events page.

In Enabled mode, Application Control:

  • Allows only trusted (based on reputation) or authorized (based on rules) applications and installers to run on servers and endpoints
  • Protects against memory-based attacks and application tampering

Update

Indicates that the application is effective, allows ad-hoc changes to the system, and tracks changes made to the endpoints. Update mode refers to an interval during which changes are allowed on a protected endpoint. If a ban by name, SHA-1, or SHA-256 rule exists for an executable file, its execution is not allowed.

Update mode supports reputation-based execution. When you execute a file at an endpoint, the software fetches its reputation and the reputation of all certificates associated with the file to determine whether to allow or ban the file execution.

  • Trusted and Unknown files — If the reputation for an executable file or its associated certificate is trusted or unknown, the file is allowed to run, unless blocked by a predefined ban rule. No corresponding event or observation is generated.
  • Malicious files — If the reputation for an executable file or its associated certificate is malicious, the file is not allowed to execute and no corresponding observation is generated. A corresponding event is generated and displayed on the Solidcore Events page.

Note: Regardless of the file's reputation, if a ban by name, SHA-1, or SHA-256 rule exists for an executable file, its execution is banned. No corresponding observation is generated. A corresponding event is generated and displayed on the Solidcore Events page.

Recommended for — Use Update mode only for installing minor software updates. For example, define a time window to allow the IT team to complete maintenance tasks, such as installing patches or upgrading software. Only use Update mode to perform scheduled or emergency changes that cannot be made when Application Control is running in Enabled mode. Whenever possible, use other preferred methods, such as users, directories, certificates, updater processes, or installers, to allow changes.

In Enabled mode, if you install any new software or add new executable files, the files are not added to the whitelist or allowed to execute (unless the change is performed by a trusted change method). However, if you install or uninstall software or add new files in Update mode, all changes are tracked and added to the whitelist.

To authorize or approve changes to endpoints, a change window is defined during which users and programs can make changes to the endpoint. In effect, Update mode allows you to schedule software and patch installations, remove or modify software, and dynamically update the local whitelist. The application generates the FILE_SOLIDIFIED event for files added during Update mode and FILE_UNSOLIDIFIED event for files deleted during Update mode. Also, when an endpoint is in Update mode, all changes to existing files in the inventory generate corresponding update mode events, such as FILE_MODIFIED_UPDATE and FILE_RENAMED_UPDATE.

Note: Memory-protection techniques are enabled in Update mode. This makes sure that running programs cannot be exploited.
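The execution decision that the Observe, Enabled and Update sections above describe (ban rule first, then reputation, then the other checks) can be written out as a single decision function. This is an added illustration, not Application Control's own code; the threshold semantics (the configured level and everything more malicious is banned), the `authorized` flag standing in for "the other checks", and the treatment of cases the page does not spell out are assumptions and are marked as such in the comments.

```python
from dataclasses import dataclass
from enum import IntEnum


class Reputation(IntEnum):
    # Ordered from most to least malicious; UNKNOWN and TRUSTED sit outside the ban scale.
    KNOWN_MALICIOUS = 1
    MOST_LIKELY_MALICIOUS = 2
    MIGHT_BE_MALICIOUS = 3
    UNKNOWN = 10
    TRUSTED = 20


@dataclass(frozen=True)
class Decision:
    allowed: bool       # may the file execute?
    observation: bool   # observation logged (Observe mode only)
    event: bool         # event shown on the Solidcore Events page
    whitelisted: bool   # file added to the local whitelist as a side effect


def decide(mode, reputation, ban_rule_match, authorized,
           ban_threshold=Reputation.MIGHT_BE_MALICIOUS):
    """mode is 'observe', 'enabled' or 'update'.
    ban_rule_match: a ban-by-name / SHA-1 / SHA-256 rule matches the file.
    authorized: the file passes Application Control's other checks (assumed stand-in).
    ban_threshold: least-malicious level that is still banned (assumed to mean
    that level and every level more malicious than it)."""
    if mode not in ("observe", "enabled", "update"):
        raise ValueError(f"unsupported mode: {mode}")
    # A ban rule wins in every mode regardless of reputation: blocked, event, no observation.
    if ban_rule_match:
        return Decision(False, False, True, False)
    # Malicious reputation at or above the configured threshold: blocked, event, no observation.
    if reputation <= ban_threshold:
        return Decision(False, False, True, False)
    # Trusted reputation runs without event or observation. Observe mode adds every file
    # that runs to the whitelist; Enabled-mode whitelisting of trusted files is not
    # described on the page, so it is modelled as "not added" (assumption).
    if reputation == Reputation.TRUSTED:
        return Decision(True, False, False, mode == "observe")
    # Unknown reputation (or a malicious level below the threshold, by assumption):
    # reputation is not used, the other checks decide.
    if mode == "enabled":
        # Event generation for an unauthorized block is not described on the page (assumption: none).
        return Decision(authorized, False, False, False)
    if mode == "update":
        # Update mode allows the file and tracks it into the whitelist (FILE_SOLIDIFIED).
        return Decision(True, False, False, True)
    # Observe mode: runs anyway, whitelists it, and logs an observation where Enabled mode would block.
    return Decision(True, not authorized, False, True)
```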

Disabled

Indicates that the application is not effective. Although the application is installed, the associated features are not active.

Switching between modes

  • From Observe mode, you can switch to Enabled or Disabled mode.
  • From Enabled mode, you can switch to Disabled, Update, or Observe mode.
  • From Update mode, you can switch to Enabled or Disabled mode.
  • From Disabled mode, you can switch to Enabled, Update, or Observe mode.