Creating the List of Applications on the Reference Computer

You need to generate a list of the applications on your reference computer. This is a Windows computer with a tightly-controlled disk image that contains the typical applications used on protected endpoint computers in your organization. If you have several different standard images, set up a reference computer for each.

Important - The reference computer must be free of malware.

To generate the list of applications, run the Appscan command on the reference computer. This generates an XML file that contains the details of all the applications and operating system files on the computer. In the XML file, each application, and each application version, is uniquely identified by a checksum. A checksum is a unique identifier for programs that cannot be forged. This prevents malicious programs from masquerading as other, innocuous programs.

To run Appscan from the command line:

  1. Download the appscan tool from sk108536 to the root directory (typically c:\) of the baseline reference source computer.

  2. From the command prompt of the target computer, go to the root directory or to a specific directory to scan (for example, \program files).

  3. Run appscan with the applicable parameters.

When the scan is complete, an output file is created in the specified directory. The default file name is scanfile.xml.

Appscan Command Syntax

Description

Scans the host computer and creates an XML file that contains a list of executable programs and their checksums. This XML file is used by the Check Point Reputation Service to create recommended rules to block or allow common applications. The administrator imports the XML file to the Endpoint Security Management Server using SmartEndpoint.

Syntax

Appscan [/o <filename> /s <target directory> /x <extension string> /e /a /p /verbose /warnings /?]

Parameters

Parameter

Description

/o

Sends output to the specified file name. If no file name is specified, Appscan uses the default file name (scanfile.xml) in the current folder.

file name

Output file name and path.

/s <target directory>

Specifies the directory, including all subdirectories, to scan.

  • You must enclose the directory/path string in double quotes.

  • If no directory is specified, the scan runs in the current directory only.

/x <extension string>

Specifies the file extension(s) to include in the scan.

  • The extension string can include many extensions, each separated by a semi-colon.

  • You must put a period before each file extension.

  • You must enclose the full extension string in double quotes.

  • You must specify a target directory using the /s switch.

  • If you do not use the /x parameter, only .exe executable files are included in the scan.

/e

Includes all executable files in the specified directory regardless of the extension. Do not use /e together with /x.

/a

Includes additional file properties for each executable.

/p

Shows progress messages during the scan.

/verbose

Shows progress and error messages during the scan.

/warnings

Shows warning messages during the scan.

/? or /help

Shows the command syntax and help text.

Examples

  • appscan /o scan1.xml

    This scan, by default, includes .exe files in the current directory and is saved as scan1.xml.

  • appscan /o scan2.xml /x ".exe;.dll" /s "C:\"

    This scan includes all .exe and .dll files on drive C and is saved as scan2.xml.

  • appscan /o scan3.xml /x ".dll" /s "c:\program files"

    This scan includes all .dll files in c:\program files and all its subdirectories. It is saved as scan3.xml.

  • appscan /s "C:\program files" /e

    This scan includes all executable files in c:\program files and all its subdirectories. It is saved as the default file name scanfile.xml.
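
The parameter rules above (quoted /s path, quoted and period-prefixed /x list, /x only with /s, /e never with /x) can be checked before a scan is scripted across several reference images. The following PowerShell function is an added example, not Check Point code; the name New-AppscanCommand and its parameter names are hypothetical, and rejecting /o names that contain spaces or quotes is an assumption made because the page shows /o only with unquoted names.

```powershell
# Added example (not part of the Appscan tool): builds an Appscan command line
# and enforces the parameter rules from the table above before anything runs.
function New-AppscanCommand {
    [CmdletBinding()]
    param(
        [string]   $OutputFile,           # /o  (Appscan defaults to scanfile.xml)
        [string]   $TargetDirectory,      # /s  (scanned with all subdirectories)
        [string[]] $Extensions,           # /x  for example '.exe', '.dll'
        [switch]   $AllExecutables,       # /e
        [switch]   $AdditionalProperties  # /a
    )

    # Rule: do not use /e together with /x.
    if ($AllExecutables -and $Extensions) {
        throw 'Do not use /e together with /x.'
    }
    # Rule: /x requires a target directory given with /s.
    if ($Extensions -and -not $TargetDirectory) {
        throw '/x requires a target directory specified with /s.'
    }
    # Rule: every extension starts with a period; the separator is added below.
    foreach ($ext in $Extensions) {
        if ($ext -notmatch '^\.[^.;"\s]+$') {
            throw "Extension '$ext' must be one extension that starts with a period."
        }
    }
    # The path is wrapped in double quotes below, so it must not contain one.
    if ($TargetDirectory -match '"') {
        throw 'The target directory must not contain a double quote.'
    }
    # Assumption: /o is passed unquoted, as in the examples on this page.
    if ($OutputFile -match '[\s"]') {
        throw 'The output file name must not contain spaces or double quotes.'
    }

    $cmdArgs = @('appscan')
    if ($OutputFile)           { $cmdArgs += "/o $OutputFile" }
    if ($TargetDirectory)      { $cmdArgs += ('/s "{0}"' -f $TargetDirectory) }
    if ($Extensions)           { $cmdArgs += ('/x "{0}"' -f ($Extensions -join ';')) }
    if ($AllExecutables)       { $cmdArgs += '/e' }
    if ($AdditionalProperties) { $cmdArgs += '/a' }
    $cmdArgs -join ' '
}

# Constructed sample call: .exe and .dll files under C:\Program Files.
New-AppscanCommand -OutputFile scan2.xml -TargetDirectory 'C:\Program Files' -Extensions '.exe', '.dll'
```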