Configuring Application Permissions in the Application Control Policy

Applications that were uploaded with the Appscan XML file are allowed by default. You cannot change the default action for the uploaded applications.

Depending on whether the application is trusted, you can set the Action (network access) to Allow, Block or Terminate.

Supported Actions

The supported actions for the applications are:

Action - Description

Allow - Allows network access to the application.

Block - Blocks network access to the application.

Terminate - Terminates the application when it tries to access the network, or immediately when it runs.

To configure terminate settings:

  1. In the Policy view, go to Access and Compliance > Application Control > Application Management.

  2. Select one of these options:

    • Terminate on execution - Selected by default. Applications with the Terminate action are terminated immediately when they run.

    • Terminate on connection - Applications with the Terminate action are terminated when they try to access the network.

App Rules

To review the policy for each application and its versions:

  1. In the Policy view, go to Access and Compliance > Application Control > Application Management > Edit Application Control Policy.

  2. Click App Rules.

    The Action column shows the permission for each application. Left-click the Action column to select the action.

    The Version column shows the details for each version of the application, including a unique hash value that identifies the signer of the application version. You can block or allow specific versions of the same program. Each version has a unique Version number, Hash, and Created On date.

Custom Rules

Note - Custom Rules are supported only on Windows.

To review the policy for specific applications:

  1. In the Policy view, go to Access and Compliance > Application Control > Application Management > Edit Application Control Policy.

  2. Click Custom Rules.

  3. Click New.

  4. Enter a Rule Name.

  5. Enter at least one of these details:

    Notes:

    • Use the wildcard character (*) to match applications whose details contain, end with, or start with a given string:

      • Enter *abc* to apply the rule to all applications that contain the string abc in their details. For example, *abc* matches abc, xyzabc, abcxyz, xyzabcxyz.

      • Enter *abc to apply the rule to all applications whose details end with the string abc. For example, *abc matches abc, xyzabc.

      • Enter abc* to apply the rule to all applications whose details start with the string abc. For example, abc* matches abc, abcxyz.

      • Enter abc (no wildcard) to apply the rule only to applications whose details are exactly the string abc. For example, abc matches abc.

    • Application Name

      For example, the application name of Chrome is Google Chrome.

      To find the application name of Chrome, on a Windows PC, navigate to C:\Program Files\Google\Chrome\Application, right-click chrome and click Properties. Click the Details tab and see Product name.

    • Publisher

      For example, the publisher of Chrome is Google LLC.

      To find the publisher of Chrome, on a Windows PC, navigate to C:\Program Files\Google\Chrome\Application and see the name listed under the Company column for chrome.

    • Version

      For example, the version of Chrome is 107.0.5304.107.

      To find the version of Chrome, on a Windows PC, navigate to C:\Program Files\Google\Chrome\Application, right-click chrome and click Properties. Click the Details tab and see File version.

    • File Name

      For example, the file name of Chrome is chrome.exe.

      To find the file name of Chrome, on a Windows PC, navigate to C:\Program Files\Google\Chrome\Application.

      Note - Do not enter the path or directory to the file.

    • Issuer

      For example, the issuer of Chrome is DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1.

      To find the certificate issuer for Chrome, on a Windows PC:

      1. Navigate to C:\Program Files\Google\Chrome\Application.

      2. Right-click chrome and click Properties.

      3. Click the Digital Signatures tab.

      4. In the General tab, click View Certificate and see Issued by.

    • Issued To

      For example, the issued to for Chrome is Google LLC.

      To find the certificate issued to for Chrome, on a Windows PC:

      1. Navigate to C:\Program Files\Google\Chrome\Application.

      2. Right-click chrome and click Properties.

      3. Click the Digital Signatures tab.

      4. Click Details.

      5. In the General tab, click View Certificate and see Issued to.

      Notes:

      • If the file has several signatures, the Harmony Endpoint Security client checks all the signatures and applies the rule only if at least one of the signatures matches the specified signature.

      • Only certificates with printable ASCII characters are supported.

    • Command Line

      For example, the command line of Chrome is C:\Program Files\Google\Chrome\Application\chrome.exe.

      To find the command line for Chrome, on a Windows PC, open Task Manager. Click the Details tab and see the Command line column for chrome.exe. If the Command line column is not visible in the table, right-click the header row, click Select columns and select the Command line checkbox.

  6. To review the policy for an application with a specific hash, do one of these:

    • In the Hash field, enter the MD5 hash of the application.

    • Click Calculate and select the binary file of the application. The system automatically calculates the hash and enters it in the Hash field.

  7. Click OK.

  8. Left-click the Action column to select the action.
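The following PowerShell script is an added example, not part of this documentation or of the Harmony Endpoint product. It gathers, from one executable, the same details the Custom Rules procedure above tells you to read from Properties, Explorer and Task Manager (application name, publisher, version, file name, issuer, issued to, command line and the MD5 hash), and then evaluates a rule written with the documented wildcard conventions (*abc*, *abc, abc*, abc) against them. It assumes Windows PowerShell 5.1 or later on the Windows PC where the application is installed, uses the documented Chrome path as its sample input, and assumes (the page does not say) that every detail entered in a rule must match for the rule to apply; the function names Get-AppRuleDetails and Test-AppRule are this example's own.

```powershell
# Added example, not Check Point's code. Assumes Windows PowerShell 5.1+ on the
# endpoint; the path is the documented Chrome location, substitute any signed exe.

function Get-AppRuleDetails {
    # Collects the details a Custom Rule can match on, plus the MD5 hash used
    # by the Hash field, from a single executable.
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path

    # A command line exists only for a running process; take the first one, if any.
    $proc = Get-CimInstance -ClassName Win32_Process -Filter "Name = '$($item.Name)'" |
            Select-Object -First 1

    # "Issued by" / "Issued to" as shown in the certificate's General tab (the CN).
    $issuer = $null; $issuedTo = $null
    if ($sig.SignerCertificate) {
        $issuer   = $sig.SignerCertificate.GetNameInfo('SimpleName', $true)
        $issuedTo = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
    }

    [pscustomobject]@{
        ApplicationName = $item.VersionInfo.ProductName   # Properties > Details > Product name
        Publisher       = $item.VersionInfo.CompanyName   # Explorer's Company column
        Version         = $item.VersionInfo.FileVersion   # Properties > Details > File version
        FileName        = $item.Name                      # file name only, no path or directory
        Issuer          = $issuer
        IssuedTo        = $issuedTo
        CommandLine     = $proc.CommandLine               # Task Manager > Details > Command line
        SignatureStatus = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
        Hash            = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    }
}

function Test-AppRule {
    # Evaluates a rule against the collected details. Assumption (not stated on
    # the page): every detail entered in the rule must match for the rule to apply.
    param(
        [Parameter(Mandatory)][hashtable]$Rule,
        [Parameter(Mandatory)][pscustomobject]$Details
    )
    foreach ($field in $Rule.Keys) {
        # -like reproduces the documented behaviour: *abc* contains, *abc ends
        # with, abc* starts with, abc exact. It is case-insensitive (use -clike
        # for case-sensitive) and also treats ? and [...] as wildcards, so escape
        # those as [?] and [[] if they occur literally in a detail.
        if (-not ([string]$Details.$field -like $Rule[$field])) { return $false }
    }
    return $true
}

# Usage: show the details for chrome.exe, then test a three-field rule against them.
$details = Get-AppRuleDetails -Path 'C:\Program Files\Google\Chrome\Application\chrome.exe'
$details | Format-List

$rule = @{
    Publisher = 'Google*'      # starts with Google
    Issuer    = '*DigiCert*'   # contains DigiCert
    FileName  = 'chrome.exe'   # exact match
}
Test-AppRule -Rule $rule -Details $details
```

Two points worth keeping in mind when choosing which details to put in a rule. Product name, company and file version are unsigned resource strings inside the executable, so any binary can carry the same values; Issuer, Issued To and the hash are tied to the signature or to the file's bytes, and SignatureStatus tells you whether the signature actually verifies. Also, Get-AuthenticodeSignature reports only the primary signature, whereas the note above says the Harmony Endpoint client checks all signatures on a dual-signed file, so a rule may match a secondary signature this script does not display.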

Application Control in Backward Compatibility Mode

Default Action for Unidentified Applications

Changing the default action for unidentified applications is only supported in backward compatibility mode.

To enable backward compatibility mode:

  1. Go to Endpoint Settings > Policy Operation Mode.

  2. Go to the required policy and select Mixed mode.

To change the default action for uploaded applications:

  1. In the Policy view, go to Access and Compliance > Application Control > Application Management > Default action.

  2. Select the required default action.

Configuring the Application Control Policy

In addition to Allow, Block and Terminate, there are two more actions that you can configure in backward compatibility mode:

Unidentified (Allow) - The application is allowed because the default setting for applications that are imported from the Appscan XML is Allow, and the administrator did not change this action.

Unidentified (Block) - The application is blocked because the default setting for applications that are imported from the Appscan XML is Block, and the administrator did not change this action.