Prohibiting *.* (all files) may result in increased CPU utilization in Application Manager

Version 1

    Verified Product Versions

    Application Control 8.9
    Application Control 8.8
    Application Control 8.7
    Application Control 8.6
    Application Control 8.5
    Application Control 8.4
    Application Control 8.3
    Application Control 8.2
    Application Control 8.1
    Application Control 8.0


    In a very high security environment some customers require a purely whitelisted approach to Application Manager.

    In other words, they want to deny access to *.* (all files) and then specify the individual files that are allowed to run.

    In this situation opening an application may increase CPU utilization to 100% for up to a minute.


    Application Manager itself is not exempt from its own rules, as hard-coded exemptions could potentially open the software up to security risks. Furthermore, file rules take precedence over folder rules.

    By default, Application Manager program file locations are listed as accessible items for Everyone at the folder level. Blocking *.* at the file level will take precedence over this.

    When an application is launched and blocked, the launch is redirected to an executable called AmMessage.exe. In this scenario, AmMessage itself is blocked, which causes AmMessage to be launched again, which is blocked again, and so on. This loop causes the spike in CPU utilization.

    There are a number of ways to work around this behaviour, depending on the specific environmental requirements:

    1. Instead of prohibiting *.* files, uncheck 'make local drives accessible by default' in General Features | Options.
    2. Instead of prohibiting *.* at the file level, prohibit (for example) c:\ at the folder level and include subfolders. This will not take precedence over the allowed folder rules and will therefore not block AmMessage.exe.
    3. Add AmMessage.exe to the whitelist of specifically allowed applications.
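    The following is an added model of the rule precedence and the AmMessage redirect loop described above; it is not Application Manager's own code. The install folder, the sample user application and the ordering of allow over prohibit within the same rule level (inferred from workarounds 2 and 3) are assumptions of this model.

```python
from dataclasses import dataclass, field
# Assumed install location and a constructed sample user application.
AM_DIR = r"C:\Program Files\AppSense\Application Manager"
AMMESSAGE = AM_DIR + r"\AmMessage.exe"
USER_APP = r"C:\Users\alice\Downloads\tool.exe"

@dataclass
class Policy:
    local_drives_accessible: bool = True      # General Features | Options checkbox
    allowed_files: set = field(default_factory=set)
    prohibited_files: set = field(default_factory=set)    # "*.*" means every file
    allowed_folders: set = field(default_factory=set)
    prohibited_folders: set = field(default_factory=set)  # includes subfolders

def _in_folder(path, folder):
    return path.startswith(folder.lower().rstrip("\\") + "\\")

def is_allowed(policy, path):
    """File rules beat folder rules; allowed folders beat prohibited folders; then the drive default applies."""
    p = path.lower()
    if p in {f.lower() for f in policy.allowed_files}:
        return True
    if "*.*" in policy.prohibited_files or p in {f.lower() for f in policy.prohibited_files}:
        return False
    if any(_in_folder(p, d) for d in policy.allowed_folders):
        return True
    if any(_in_folder(p, d) for d in policy.prohibited_folders):
        return False
    return policy.local_drives_accessible

def simulate_launch(policy, path, max_launches=50):
    """A blocked launch is redirected to AmMessage.exe; a blocked AmMessage is relaunched. Returns (outcome, launches)."""
    current, launches = path, 0
    while launches < max_launches:
        launches += 1
        if is_allowed(policy, current):
            return ("ran" if current == path else "blocked, message shown", launches)
        current = AMMESSAGE
    return ("redirect loop", launches)   # the CPU spike described above

def run_all():
    base = {"allowed_folders": {AM_DIR}}   # AM program folder is accessible to Everyone by default
    scenarios = {
        "prohibit all files": Policy(prohibited_files={"*.*"}, **base),
        "workaround 1": Policy(local_drives_accessible=False, **base),
        "workaround 2": Policy(prohibited_folders={"C:\\"}, **base),
        "workaround 3": Policy(prohibited_files={"*.*"}, allowed_files={AMMESSAGE}, **base),
    }
    return {name: simulate_launch(p, USER_APP) for name, p in scenarios.items()}
```

    Only the first scenario hits the launch cap; each workaround lets AmMessage.exe run on the second launch and the user application stays blocked.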