Prohibiting *.* (all files) may result in increased CPU utilization in Application Manager

Version 1

    Verified Product Versions

    AppSense Application Manager 8.9
    AppSense Application Manager 8.8
    AppSense Application Manager 8.7
    AppSense Application Manager 8.6
    AppSense Application Manager 8.5
    AppSense Application Manager 8.4
    AppSense Application Manager 8.3
    AppSense Application Manager 8.2
    AppSense Application Manager 8.1
    AppSense Application Manager 8.0

    Introduction

    In a very high security environment some customers require a purely whitelisted approach to Application Manager.

    In other words, they want to deny access to *.* (files) and then specify individual files which will be allowed to run.

    In this situation opening an application may increase CPU utilization to 100% for up to a minute.

    Detail

    Application Manager itself is not exempt from its own rules, as hard-coded exemptions could potentially open the software up to security risks. Furthermore, file rules take precedence over folder rules.

    By default, Application Manager program file locations are listed as accessible items for Everyone at the folder level. Blocking *.* at the file level will take precedence over this.

    When an application is launched and blocked, the launch is redirected to an executable called AmMessage.exe. In this scenario, AmMessage itself will be blocked, which will lead to AmMessage being launched again, which will again be blocked, and so on. This repeated launch-and-block cycle causes the spike in CPU utilization.

    There are a number of ways to work around this behaviour, depending on the specific environmental requirements:

    1. Instead of prohibiting *.* files, uncheck 'make local drives accessible by default' in General Features | Options.
    2. Instead of prohibiting *.* at the file level, prohibit (for example) c:\ at the folder level and include subfolders. This will not take precedence over the allowed folder rules and will therefore not block AmMessage.exe.
    3. Add AmMessage.exe to the whitelist of specifically allowed applications.
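
The precedence described above and the effect of workarounds 2 and 3 can be checked with a small model. This is an added example, not AppSense code: the rule engine is a simplified assumption (file items before folder items, allow before deny at each level), and the install path, `C:\Tools\unknown.exe` and the `notepad.exe` whitelist entry are constructed for illustration.

```python
import fnmatch

# Constructed paths for illustration; the real install location may differ.
AM_FOLDER = r"C:\Program Files\AppSense\Application Manager"
AM_MESSAGE = AM_FOLDER + r"\Agent\AmMessage.exe"

def file_match(pattern, path):
    # A file item matches the bare file name (wildcards allowed), case-insensitively.
    name = path.rsplit("\\", 1)[-1].lower()
    return fnmatch.fnmatchcase(name, pattern.lower())

def folder_match(folder, path):
    # A folder item matches anything beneath it ("include subfolders").
    return path.lower().startswith(folder.lower().rstrip("\\") + "\\")

def decide(path, rules):
    # Assumed precedence: file items before folder items, allow before deny per level.
    for level, match in (("file", file_match), ("folder", folder_match)):
        for verdict in ("allow", "deny"):
            if any(match(item, path) for item in rules.get((verdict, level), ())):
                return verdict
    return "allow"  # assumed default: local drives accessible

def launch(path, rules, max_redirects=25):
    # A denied launch is redirected to AmMessage.exe, which is evaluated in turn.
    redirects = 0
    while decide(path, rules) == "deny":
        if redirects == max_redirects:
            return "loop", redirects  # the CPU spike: AmMessage keeps relaunching
        path, redirects = AM_MESSAGE, redirects + 1
    return ("allowed" if redirects == 0 else "blocked, message shown"), redirects

DEFAULT = {("allow", "folder"): [AM_FOLDER]}
PROBLEM = {**DEFAULT, ("deny", "file"): ["*.*"]}
WORKAROUND_2 = {**DEFAULT, ("deny", "folder"): ["C:\\"]}
WORKAROUND_3 = {**PROBLEM, ("allow", "file"): ["AmMessage.exe", "notepad.exe"]}

if __name__ == "__main__":
    for name, rules in [("*.* prohibited", PROBLEM), ("workaround 2", WORKAROUND_2),
                        ("workaround 3", WORKAROUND_3)]:
        print(name, launch(r"C:\Tools\unknown.exe", rules))
```

Before deploying a whitelist-only configuration, running the planned rule set through a check like this confirms that AmMessage.exe itself resolves to "allow".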