How to use File Reputation to Restrict Applications

Version 19

    Verified Product Versions

    LANDESK Management Suite 2016.x
    LANDESK Endpoint Manager 2017.x

    Introduction

    The File Reputation feature in Ivanti Patch and Compliance helps ensure that the files on a managed device's system aren't malicious and that they haven't been tampered with.

     

    This feature can run in conjunction with Application Control Behavior Protection, which on its own can help secure managed devices. However, false positives can still occur on legitimate applications, depending on the behavior they exhibit.

     

    Using File Reputation allows the creation of separate Application Control Behavior Profiles for files with a known "good" reputation that bypass the normal Application Control.

     

    About File Reputation

    File Reputation is not enabled by default. Enabling it causes anonymous file reputation information from managed devices to be sent securely to the Ivanti File Reputation Cloud Server. This process improves the reputation accuracy for all users of this feature.

     

    When an application is run, the agent checks its local database to see if the application files match known good hashes. If a match isn't found, the agent sends a request with data about the files to the Core Server. The Core Server checks its local database to see if information about the file exists. If not, the Core Server sends a request to the Ivanti Cloud Reputation Server to see if there is a match. The following illustrates this process:

    Flow Chart.png

    The Ivanti Cloud Reputation Server includes a database of file information including names, sizes, metadata, and SHA1 hashes. Much of the File Reputation Database is from the National Software Reference Library (See link for more details).

     

    Any Application/File can have one of these three Reputations:

     

    • Good: The file matches an entry in the NSRL database or Ivanti has gathered enough information to believe that the file is safe.
    • Bad: The file doesn't match any NSRL database entries or Ivanti has gathered enough information to believe that the file isn't safe.
    • Undecided: There aren't any matches on this file or there aren't enough matches to help decide whether the file is good or bad.

     

    To determine these Reputations, the file reputation algorithm considers how often matching files occur, how old the matches are, who signed the files, and how often those occurrences are whitelisted or blocked in Management Suite.

     

    Downloading File Reputation Ivanti Updates

    In the Ivanti Management Console, select Tools > Security and Compliance > Patch and Compliance.

     

    Select the Download Updates ToolBar Button in the Patch and Compliance tool.

     

    In the Definition Types window, select Windows > Security > Ivanti File Reputation Updates. Read and Accept the Terms.

     

    Click Download Now.

    Download Reputation Updates.png

     

    Configuring File Reputation

    The following steps need to be completed in order to use File Reputation on Managed Devices:

     

    1. Download the File Reputation Ivanti Updates using Patch Manager.
    2. Create an Application Control Agent Setting that uses File Reputation (OR) Include the Reputation Definitions as part of the Application file List.
    3. Deploy the settings to Managed Devices.

     

    Using File Reputation with Application Control

    In the Ivanti Management Console, select Tools > Security and Compliance > Agent Settings.

     

    In the Agent Settings Tree, under My Agent Settings > Security > Endpoint Security, right click Application Control and click New, or double-click an existing setting.

     

    Under the General Settings tab, select Treat "good reputation" files as if they are in the associated trusted files list.

     

    Select the "Good Reputation" application behavior button and configure the Application Control and Ivanti Firewall behaviors for files with Good Reputation.

    Application Control General Settings.png

    Click OK and then Save.

     

    Using File Reputation with an Application File List

    In the Ivanti Management Console, select Tools > Security and Compliance > Agent Settings.

     

    In the Agent Settings Tree, under My Agent Settings > Security > Endpoint Security, right click Application File Lists and click New, or double-click an existing setting.

     

    At the top of the Application File List window, enable Automatically include "good reputation" files when sending list to clients and/or Automatically include "bad reputation" files when sending list to clients.

     

    If Good Reputation files are enabled, click the Allowed Application Behavior... button and configure the Application Control and Ivanti Firewall behaviors for files with Good Reputation.

    Application File Lists.png

    Click OK.

     

    Adding Files to an Application File List

    In the Ivanti Management Console, select Tools > Security and Compliance > Agent Settings.

     

    Select the Configure Settings cog in the Toolbar and select File Reputations.

     

    On the File Reputations Toolbar, select the "Add File Reputation" button and select the desired file to add.

    File Reputations.png

    Click OK.

     

    Deploying File Reputation Agent Settings to Managed Devices

    In the Ivanti Management Console, select Tools > Security and Compliance > Agent Settings.

     

    In the Agent Settings Toolbar, click the Create a Task button and select Change Settings.

     

    Next to Endpoint Security in the settings list, select the Endpoint Security setting that includes the desired Application Control setting configured earlier.

    Change Settings.png

    Click Save and use the scheduled task created to deploy the settings to managed devices.

    Note: As these settings get updated, Managed Devices will automatically gather and apply the new File Reputation Settings. Re-Deploying is not necessary.

     

    Overriding Existing File Reputations

    In the Ivanti Management Console, select Tools > Security and Compliance > Agent Settings.

     

    Select the Configure Settings cog in the Toolbar and select File Reputations. The check boxes at the top of the window can be used to filter the results. Click Apply Filter after selecting to sort the files.

     

    Select the desired files to be overridden and select the Override Reputation button. Check the Override LANDESK Reputation Settings box and select the Desired Reputation for the File.

    Override Reputation.png

    Click OK and then close the File Reputations window.

     

    Importing Application Files

    In the Ivanti Management Console, select Tools > Security and Compliance > Agent Settings.

     

    In the Agent Settings Tree, under My Agent Settings > Security > Endpoint Security, right click Application File Lists and click New, or double-click an existing setting.

     

    In the Application File List Toolbar, click the Import Application Files button. Select one of the 3 available options:

    Importing Settings.png

    Import from other Application File Lists

    Select the desired Files to be imported, utilizing the checkbox filters as needed. Click Next.

     

    Configure the Application Behavior as desired and select OK.

    Import from other Application File Lists.png

    Click OK again to close and save the changes made to the Application File List.

    Note: The files to be imported will need to be highlighted in order to be brought over to the new Reputation Settings.

    Import from a .CSV file

    Browse for the .csv file containing the application file list information and click Open.

     

    Configure the Application Behavior as Desired and Select OK.

    Note: The .csv file format is as follows: "File name" "File size", "Version", "Manufacturer name", "Product name", "MD5 hash base64 string", "SHA1 string", "SHA256 string", "Permissions"
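
A pre-import check for the .csv layout in the note above, added here as an example and not Ivanti's own tooling: it flags rows whose field count or hash fields are malformed before the list is imported as trusted. Assumptions: comma-delimited rows with no header, hex encoding for the SHA1 and SHA256 strings, constructed sample values, and hypothetical function names.

```python
import base64
import csv
import hashlib
import io
import re

# Column order as listed in the note above; comma-delimited, no header row (assumption).
COLUMNS = ["File name", "File size", "Version", "Manufacturer name", "Product name",
           "MD5 hash base64 string", "SHA1 string", "SHA256 string", "Permissions"]

def hash_fields(data: bytes) -> dict:
    """Digests of a reference file in the encodings assumed for the CSV."""
    return {
        "MD5 hash base64 string": base64.b64encode(hashlib.md5(data).digest()).decode(),
        "SHA1 string": hashlib.sha1(data).hexdigest(),      # hex encoding is an assumption
        "SHA256 string": hashlib.sha256(data).hexdigest(),  # hex encoding is an assumption
    }

def check_row(fields: list) -> list:
    """Return the problems found in one CSV row (empty list = well-formed)."""
    if len(fields) != len(COLUMNS):
        return [f"expected {len(COLUMNS)} fields, got {len(fields)}"]
    row = dict(zip(COLUMNS, (f.strip() for f in fields)))
    problems = []
    if not row["File size"].isdigit():
        problems.append("file size is not a non-negative integer")
    try:
        if len(base64.b64decode(row["MD5 hash base64 string"], validate=True)) != 16:
            problems.append("MD5 does not decode to 16 bytes")
    except ValueError:  # binascii.Error is a ValueError subclass
        problems.append("MD5 is not valid base64")
    for col, n in (("SHA1 string", 40), ("SHA256 string", 64)):
        if not re.fullmatch(rf"[0-9a-fA-F]{{{n}}}", row[col]):
            problems.append(f"{col} is not {n} hex characters")
    return problems

def audit_csv(text: str) -> dict:
    """Map 1-based row number -> problems, for rows that have any."""
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    return {i: p for i, row in enumerate(reader, 1) if row and (p := check_row(row))}

def sample_csv() -> str:
    """Constructed sample: one well-formed row and one with a truncated SHA1."""
    data = b"constructed reference file contents"
    h = hash_fields(data)
    good = ["tool.exe", str(len(data)), "1.0.0.0", "Example Corp", "Example Tool",
            h[COLUMNS[5]], h[COLUMNS[6]], h[COLUMNS[7]], "0"]  # "0" is a placeholder
    bad = good[:6] + [h[COLUMNS[6]][:39]] + good[7:]
    return "\n".join(",".join(f'"{v}"' for v in r) for r in (good, bad))
```

`audit_csv(sample_csv())` reports only the second row; `hash_fields` can also be run over a known-good copy of a binary to confirm that a row's three digests describe the file you intend to trust.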

    Import from Trusted Devices

    Select the desired devices and Click Import Files from Specified Devices.

     

    Select whether an Exhaustive Scan is needed before import. This is recommended, as the File List for this particular device may not be up to date.

     

    Configure the Application Behavior as Desired and Select OK.

    Import from Other Device.png

    Merging Application File Lists

    In the Ivanti Management Console, select Tools > Security and Compliance > Agent Settings.

     

    In the Agent Settings Tree, under My Agent Settings > Security > Endpoint Security, right click Application File Lists and select Merge Application Files.

     

    Select the Source List in the drop-down menu. Select either to Merge Difference in Application Files or Replace Applications Files based on preferences.

     

    Select the Target Lists for the Merge and click OK.

    Merge Application Files.png