Issue: With Application Control in whitelist and blocking mode, uncertified applications are not blocked

Version 19

    Verified Product Versions

    LANDESK Management Suite 9.5
    LANDESK Management Suite 9.6

    Problem Description

    Even though Application Control and the whitelist are in blocking mode, uncertified applications run normally and are not blocked as expected.


    Cause

    The "Bypass all protection" right was enabled for explorer.exe in the trusted file list. This right exempts the application from Application Control enforcement, and the exemption is inherited by its child processes. Because explorer.exe is the shell, every application launched from it inherits the bypass, so nothing started by the user is blocked.

    The following screenshot shows where the "Bypass all protection" right can be enabled.

    [Screenshot: explorer-program.png]


    Resolution

    1. Verify the rights granted to explorer.exe in the trusted file list. Granting the right shown below to explorer.exe is incompatible with the whitelist feature: the right is inherited by the running explorer.exe process, and from there by every process it launches, so all uncertified processes are allowed.
    Removing the right from explorer.exe alone is not enough, because explorer.exe is started indirectly by winlogon.exe: winlogon.exe starts userinit.exe, which starts the shell (explorer.exe), and the right is inherited down that chain.

    [Screenshot: explorer.exe.png]

     

    2. Granting the same right to userinit.exe and winlogon.exe is also incompatible with the whitelist feature. Remove the right from all three entries (winlogon.exe, userinit.exe and explorer.exe) in the trusted file list on the core server, then run a security scan on the client so it downloads the updated trusted file list.

     

    3. Reboot the clients for the change to take effect. The currently running winlogon.exe, userinit.exe and explorer.exe chain was started under the old rights, and a new logon chain is only created at reboot.
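    To confirm on a client that an uncertified process is running under an inherited right, the following PowerShell script (an added example, not part of this article and not a LANDESK tool) walks the parent chain of a named process and reports whether winlogon.exe, userinit.exe or explorer.exe is one of its ancestors. It only reads Win32_Process through CIM, so it runs on any Windows client; the process name notepad.exe is an assumed sample and can be replaced with the uncertified application that was observed running.

```powershell
# Added example (not LANDESK code): walk a process's parent chain and report
# whether it descends from winlogon.exe, userinit.exe or explorer.exe, the
# processes whose "Bypass all protection" right is inherited by their children.
# Assumes it runs on the affected client with permission to query Win32_Process.
param(
    [string]$ProcessName = 'notepad.exe'   # assumed sample process to examine
)

$inheritSources = @('winlogon.exe', 'userinit.exe', 'explorer.exe')

# Snapshot every process once; ParentProcessId lets us walk upward.
$all = @{}
Get-CimInstance Win32_Process | ForEach-Object { $all[[int]($_.ProcessId)] = $_ }

$targets = $all.Values | Where-Object { $_.Name -ieq $ProcessName }
if (-not $targets) {
    Write-Host "No running process named $ProcessName"
    return
}

foreach ($proc in $targets) {
    $chain   = @()
    $seen    = @{}
    $current = $proc
    while ($current -and -not $seen.ContainsKey([int]($current.ProcessId))) {
        $seen[[int]($current.ProcessId)] = $true
        $chain += "$($current.Name)[$($current.ProcessId)]"
        $parentId = [int]($current.ParentProcessId)
        # A parent that has already exited leaves a dangling ID; stop there.
        if (-not $all.ContainsKey($parentId)) { break }
        $parent = $all[$parentId]
        # Windows reuses PIDs: a "parent" created after its child is not the real parent.
        if ($parent.CreationDate -and $current.CreationDate -and
            $parent.CreationDate -gt $current.CreationDate) { break }
        $current = $parent
    }
    $ancestors = $chain | Select-Object -Skip 1
    $hits = $ancestors | Where-Object {
        $inheritSources -icontains ($_ -replace '\[\d+\]$', '')
    }
    Write-Host ("Chain: " + ($chain -join ' <- '))
    if ($hits) {
        Write-Host ("  Descends from: " + ($hits -join ', ') +
                    "; a 'Bypass all protection' right granted there is inherited by this process.")
    } else {
        Write-Host "  No inheritance source (winlogon/userinit/explorer) in the parent chain."
    }
}
```

    Run it before and after the trusted file list is updated and the client rebooted: before the fix, any application started from the desktop will show explorer.exe (and usually userinit.exe and winlogon.exe) in its chain, which is exactly the path along which the bypass right propagates. The chain is a snapshot, so processes whose parent has exited stop at the dangling ID rather than being attributed to an unrelated process that reused the PID.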

     


    Applies to

    LANDesk Management Suite 9.5 SP1