Application Control

In This Section: Working with the Application Control Policy Reputation Service

The Application Control component restricts network access for specified applications. The Endpoint Security administrator defines policies and rules that allow, block or terminate applications and processes. Only applications that try to get network access can be blocked or terminated. If specified in an Application Control rule, an alert shows which application was blocked or terminated.

You can also enable the Reputation Service (previously called the Program Advisor) to recommend applications to allow or block.

Working with the Application Control Policy

Configure which applications are allowed, blocked, or terminated and what happens when applications are not identified.

To configure the allowed applications:

1. In the Policy tab > Application Control rule, right click the Allowed Apps Action and select Manage Allowed Apps List.
2. To add more applications, click Add and select applications from the Search Applications window.
3. Click OK.

To configure the blocked applications:

1. In the Policy tab > Application Control rule, right click the Block Apps Action and select Manage Blocked Apps List.
2. To add more applications, click Add and select applications from the Search Applications window.
3. Click OK.

To configure terminated applications:

1. In the Policy tab > Application Control rule, right click the Terminated Apps Action and select Manage Terminated Apps List.
2. To add more applications, click Add and select applications from the Search Applications window.
3. Click OK.

If you block unidentified applications, users can only access applications that are included in the Allowed Apps List. If you allow unidentified applications, users can access all applications that are not on the blocked or terminated list. If you choose to allow unidentified traffic, make sure your blocked and terminated lists are complete.

To configure what happens to unidentified applications:

In the Policy tab > Application Control rule, select Block Unidentified Applications, or right click and select Allow Unidentified applications.

Terminated applications are not allowed to pass through the firewall.

Reputation Service

The Check Point Reputation Service is an online service that automatically creates recommended rules that block or allow common applications. These rules are based on the recommendations of Check Point security experts. This feature reduces your workload while improving security and usability.

Note - Your Endpoint Security Management Server must have Internet access (on ports 80 and 443) to connect to the Check Point Reputation Service Server. Make sure that your firewall allows this traffic. We recommend that you add the Reputation Service Server to your Trusted Zone.

To see the recommendations of the Reputation Service for safe applications:

1. In the Application Control rule, right click the Allow Whitelisted Apps action and select Manage Allowed Apps List.
2. In the Allow Applications List, select Good Reputation from the options menu.

   A list of applications with a good reputation, generated by the Reputation Service, opens. You can move applications to the Block or Terminate list.

To see the recommendations of the Reputation Service for malicious applications:

1. In the Application Control rule, right click the Terminated Apps action and select Manage Terminated Apps List.
2. In the Terminate Application List, select Known Malware Apps from the options menu.

   A list of malicious applications, generated by the Reputation Service, opens. You can move applications to the Block or Allow list.

Using the Reputation Service with a Proxy

If your environment includes a proxy server for Internet access, do the configuration steps below to let the Endpoint Security Management Server connect to the Check Point Reputation Service Server through the proxy server. Note that all configuration entries are case-sensitive.

If your organization uses a proxy server for HTTP and HTTPS traffic, you must configure the Endpoint Security Management Server to work with the proxy server.

To configure use of a proxy server:

1. From the Endpoint Security Management Server command line, run: cpstop.
2. Go to $UEPMDIR/engine/conf and open the local.properties file in a text editor.
3. Add a line for these properties:
   • The proxy server IP address:

     http.proxy.host=<IP address>

   • The proxy server listening port (typically 8080):

     http.proxy.port=<port>

   • If authentication is enabled on the proxy server, add these lines:

     Do not add these lines if authentication is not required.

     http.proxy.user=<username>

     http.proxy.password=<password>

   Make sure that you delete (or do not insert) the '#' character at the beginning of these lines. If you do not do this, all applications are blocked when trying to access the Internet.

4. Save $UEPMDIR/engine/conf/local.properties and then close the text editor.
5. Run: cpstart.

Importing Program References

The Appscan command lets you automatically create Application Control rules for common applications and operating system files on endpoint computers network. This is especially useful when you have a clean standard image.

You can import a list of programs identified by their checksums, instead of by filename. Checksums are unique identifiers for programs that cannot be forged. This prevents malicious programs from masquerading as other, innocuous programs.

Create an Appscan for each disk image used in your environment. You can then create rules that will apply to those applications. You create Appscan files by running the appscan.exe utility on a computer with a tightly-controlled disk image, then importing the file into Endpoint Security.

Creating an Appscan XML File

Before you can use Appscan, set up a Windows computer with the typical applications used on protected computers in your organization. If you have several different configurations, perform these steps for each.

Important - The computer you scan to create an Appscan must be free of all malware. If you are certain that your scan is clean, you can create rules that allow the applications access to the network.

To run Appscan from the command line:

1. Download the appscan tool from sk108536, to the root directory (typically c:\) of the baseline reference source computer.
2. From the target computer command prompt, go to the root directory or to a specific directory to scan (for example, \program files).
3. Run appscan with the applicable parameters.

When the scan is complete, an output file (Default = scanfile.xml) is created in the specified directory.

Appscan Command Syntax

Description

Scans the host computer and creates an XML file that contains a list of executable programs and their checksums. This XML file is used by the Check Point Reputation Service to create recommended rules to block or allow common applications.

Syntax

Appscan [/o <filename> /s <target directory> /x <extension strung /e /a /p
/verbose /warnings /?]

Parameters

Parameter	Description
file name	Output file name and path.
/o	Sends output to the specified file name. If no file name is specified, Appscan uses the default file name (scanfile.xml) in the current folder.
/s <target directory>	Specifies the directory, including all subdirectories, to scan. You must enclose the directory/path string in double quotes. If no directory is specified, the scan runs in the current directory only.
/x <extension string>	Specifies the file extension(s) to include in the scan. The extension string can include many extensions, each separated by a semi-colon. You must put a period before each file extension. You must enclose full extension string in double quotes. You must specify a target directory using the /s switch. If you do not use the /x parameter only .exe executable files are included in the scan
/e	Include all executable files in the specified directory regardless of the extension. Do not use /e together with /x.
/a	Includes additional file properties for each executable.
/p	Shows progress messages during the scan.
/verbose	Shows progress and error messages during the scan.
/warnings	Shows warning messages during the scan.
/? or /help	Shows the command syntax and help text.

Examples

• appscan /o scan1.xml

  This scan, by default, includes .exe files in the current directory and is saved as scan1.xml.

• appscan /o scan2.xml /x ".exe;.dll" /s "C:\"

  This scan includes all .exe and .dll files on drive C and is saved as scan2.xml.

• appscan /o scan3.xml /x ".dll" /s c:\program files

  This scan included all .dll files in c:\program files and all its subdirectories. It is saved as scan3.xml.

• appscan /s "C:\program files" /e

  This scan includes all executable files in c:\program files and all its subdirectories. It is saved as the default file name scanfile.xml.

Importing Appscan XML Files

After you generate the Appscan XML file, you import it to the Endpoint Security Management Server.

Note - You must remove all special characters, such as trademarks or copyright symbols, from the XML file before importing it.

To import an Appscan XML file:

1. In the Policy tab > Application Control rule, right click the Allowed apps list Action.
2. Select Import Programs.
3. In the Import Programs window, go to and select the applicable Appscan XML file.
4. Click Import.

   When applications included in the imported file are found on endpoint computers, they are automatically added to the Allowed or Block applications group.