5 Replies Latest reply on Dec 12, 2017 10:38 PM by game123

    New to appsense - many questions.

    yashikor Apprentice

      I am very new to appsense so I have a few questions:

      1) What is a process rule? I understand signature and file rules.

      2) We need to unblock an ERP app. I assume that I need to create a process rule for this. I know the main executable file name; however, there are hundreds of DLL files associated with it. Also there may be different folders, i.e., \\coname\aspire\mfgys\XXXX\ or \\coname.xyz.com\aspire\mfgsys\XXXX. Also there may be different vendors, i.e., Company Name, Inc. or Company Name Manufacturing, Inc.

      Your assistance is appreciated.

      Thanks!

        • 1. Re: New to appsense - many questions.
          Landon Winburn ITSMMVPGroup

          Process rules. I like to call them sub-process rules. Basically, when you create one you specify a process. You can then allow or deny other processes that the parent process may call using file rules. Keep in mind the parent process the rule is based on first needs to be allowed. For a simple base configuration they are rarely used.

          Stick with group rules and allowed files. Make sure the file rules contain metadata from the metadata tab. In your case, for the file rule select "allow untrusted owner and child processes" and this should allow everything the parent process calls without the need for a process rule.

          Last thing, look up amaudit here on the forum. It makes adding rules easy.

          Landon.
          • 2. Re: New to appsense - many questions.
            yashikor Apprentice

            Is a group rule the same as a process rule? I have 3 choices for rules: File, Folder, and Signature.

            Also, what would you suggest for an application that is web based? Actually the application launches through I.E.; however, there are a slew of DLL files that are required from the server, and I am sure there is a database someplace.

            I do use AmAudit and start from there.

            For the first application, we created a process rule with just the main executable, i.e., application.exe.
            Under this there are allowed files; we placed DLLs with full paths here, i.e., \\servername\mfgys\app1\app.dll

            Thanks!

            • 3. Re: New to appsense - many questions.
              timothyb SupportEmployee

              On a network share all processes will be blocked by default, regardless of their trusted owner state. Files are allowed to run on local drives because of the setting "Manage Tab -> Advanced Settings -> Make local drives allowed by default".

              Assuming that you've got control over the permissions on the network share and users cannot add their own processes, the easiest initial rule would be a folder rule to allow files to run in the folder \\servername\mfgys\app1. If the files are not owned by a Trusted Owner, then you will need to tick the box to allow them to run even if the Trusted Ownership test fails. Trusted Ownership on network shares and removable media can't really be trusted, so rules should be built with this in mind.

              If you need finer rules, then you can specify filenames that are allowed to run within the File rule. However, you will also need to specify any file that is also opened with execute rights, e.g. DLLs.

              If a file rule isn't secure enough, you can then add signature rules, only allowing files to run or be opened with execute rights if they meet a signature. To manage signatures I would suggest using the "Library\Group Management" feature. Just dumping signatures into a User or Group rule is hard to manage.
              • 4. Re: New to appsense - many questions.
                Fordo Apprentice

                Avoid signature rules unless you're dealing with removable media.

                Make life easy by using a folder rule (with 'allow to run even if not owned by a trusted owner') for the network-hosted application if you're confident users (and malware running as the user) can't write to that location.

                Avoid creating hundreds of file rules for one app, as the config will become difficult to maintain, could eventually have a tangible impact upon performance, and will probably trip you up if and when the application changes the way it behaves, i.e. introduces new files, changes the names of files, adds/removes/changes metadata or cert, etc.
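Replies 3 and 4 both hinge on the same two facts about the share before a folder rule with "allow to run even if not owned by a trusted owner" is safe: nobody but admins can write into the folder tree, and which files would actually fail the Trusted Ownership test. The PowerShell below is an added example (not code from the thread or from AppSense) that gathers both for a given path; the share path, the trusted-owner list and the list of "broad" principals are assumptions you should adjust to your environment.

```powershell
function Test-AppFolderForRule {
    <# Added example: collect what a reviewer needs before granting an AppSense
       folder rule that bypasses Trusted Ownership for a network share. #>
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumed trusted-owner list; match it to your Application Manager configuration.
        [string[]]$TrustedOwners = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                                     'NT SERVICE\TrustedInstaller'),
        # Principals whose write access means any user (or malware running as that
        # user) could drop an executable into the folder and have it allowed.
        [string[]]$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                                       'NT AUTHORITY\Authenticated Users')
    )
    $rights = [System.Security.AccessControl.FileSystemRights]
    # Conservative mask: any create/append/modify bit counts as "can plant a file".
    $writeMask = [int]($rights::Write -bor $rights::Modify -bor $rights::FullControl)

    # 1. Is any folder in the tree writable by a broad principal?
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Recurse -Directory -ErrorAction SilentlyContinue)
    $writable = foreach ($dir in $folders) {
        foreach ($ace in (Get-Acl -LiteralPath $dir.FullName).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $BroadPrincipals -contains $ace.IdentityReference.Value -and
                (([int]$ace.FileSystemRights) -band $writeMask) -ne 0) {
                [pscustomobject]@{ Folder = $dir.FullName; Principal = $ace.IdentityReference.Value
                                   Rights = $ace.FileSystemRights }
            }
        }
    }

    # 2. Which executables and DLLs would fail the Trusted Ownership test?
    $untrusted = Get-ChildItem -LiteralPath $Path -Recurse -File -Include *.exe, *.dll, *.ocx -ErrorAction SilentlyContinue |
        ForEach-Object {
            $owner = (Get-Acl -LiteralPath $_.FullName).Owner
            if ($TrustedOwners -notcontains $owner) {
                [pscustomobject]@{ File = $_.FullName; Owner = $owner }
            }
        }

    [pscustomobject]@{
        Path                     = $Path
        WritableByBroadPrincipal = @($writable)      # non-empty: a folder rule is NOT safe here
        UntrustedOwnerFiles      = @($untrusted)     # non-empty: the "allow if not trusted owner" tick is needed
        FolderRuleSafe           = (@($writable).Count -eq 0)
        NeedsUntrustedOwnerTick  = (@($untrusted).Count -gt 0)
    }
}

# Usage with the placeholder share path from the thread:
Test-AppFolderForRule -Path '\\servername\mfgys\app1' | Format-List
```

Run it as an account that can read the ACLs on the share; the check only inspects explicit Allow entries on the listed principals, so review nested group membership separately if the share uses custom groups.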
                • 5. Re: New to appsense - many questions.
                  Rookie

                  Nice question.

                  Process Rule....ahm ahm...

                  You use a process rule only if you see a process launching more sub-processes within itself. A good example is the CHROME browser.

                  You will notice that if you launch notepad.exe it will show up in the process list, but you do not expect it to have any child processes; but if you launch chrome.exe there will be some child processes that are connected to it.

                  You can use the Sysinternals Process Explorer or Process Hacker 2 utility to validate such things. They are a valuable arsenal in the hands of an appsense-jujitsu master.

                  Hope this helps.

                  kamran shakil (kam)
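The reply above recommends checking with Process Explorer whether an application actually spawns child processes before bothering with a process rule. The same parent/child view can be pulled from WMI in PowerShell; this is an added example, not code from the thread, and the process name passed at the bottom is just the one used in the reply.

```powershell
function Get-ChildProcessTree {
    <# Added example: walk Win32_Process ParentProcessId links starting from every
       running instance of $ProcessName, so you can see what a process rule would
       have to cover (or that nothing is spawned and no process rule is needed). #>
    param([Parameter(Mandatory)][string]$ProcessName)

    $all = Get-CimInstance -ClassName Win32_Process
    # Index children by parent PID once, instead of rescanning for every node.
    $byParent = $all | Group-Object -Property ParentProcessId -AsHashTable -AsString

    function Walk($proc, $level, $seen) {
        # Caveat: PIDs are reused by Windows, so a stale ParentProcessId can point at an
        # unrelated live process; the $seen set also stops any accidental cycles.
        if ($seen.Contains($proc.ProcessId)) { return }
        [void]$seen.Add($proc.ProcessId)
        [pscustomobject]@{
            Level = $level
            PID   = $proc.ProcessId
            Name  = $proc.Name
            Path  = $proc.ExecutablePath
        }
        foreach ($child in @($byParent["$($proc.ProcessId)"])) {
            if ($child) { Walk $child ($level + 1) $seen }
        }
    }

    $seen = New-Object 'System.Collections.Generic.HashSet[uint32]'
    foreach ($p in ($all | Where-Object { $_.Name -ieq $ProcessName })) {
        Walk $p 0 $seen
    }
}

# Usage: an empty result below the Level-0 row means no child processes were seen.
Get-ChildProcessTree -ProcessName 'chrome.exe' | Format-Table -AutoSize
```

Capture the tree while the application is actually in use, since some applications only spawn helpers on demand, and the Path column is what you need to decide whether those children already fall under an existing folder or file rule.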