F-Secure’s Application Control – part 1

Application Control is a premium feature integrated into the corporate range of F-Secure’s endpoint protection solutions. Unlike other EPP products, its integration into the endpoint client allows it to provide granular, rule-based control over all installed applications.

Emails containing malicious attachments are one of the most common methods used to breach organisations’ security systems. Hackers typically use recognised file formats which, when opened by an unsuspecting user, launch the attack as a script or code.

The file formats used generally include docx, xlsx and pptx, which are opened with MS Office, and PDFs, which are opened with Adobe Reader. As these applications are used by the majority of users, it is pretty much impossible to block their use within an organisation. With F-Secure’s Application Control, restrictions can be applied to the applications concerned, preventing accidental infections.

The following example shows how this is done using F-Secure’s PSB Premium offering; the function is also available in F-Secure’s Business Suite Premium (version 14 products and later):


Setting up Application Control:

1. Log into the F-Secure PSB Cloud Portal (an existing subscription and portal account is needed).

2. Navigate to Profiles and select the intended profile to edit or clone/create a new profile.

3. On the profile editor screen, select Application Control.

4. First, enable Application Control, then change the Global Rule to Allow and Monitor All Applications. This allows the endpoint client to report used applications to the PSB portal.

5. The Exclusions list is where rules will be added and defined. It already contains some of F-Secure’s predefined protection rules. Add a new rule by clicking Add Exclusion.

6. Name the rule and add a description. Then change the Event to Application Start and Action to Block.

7. Conditions need to be added to the rule. This rule will have two conditions:
   1. Application path (MS Office in this case)
   2. Application action (a script attempts to run PowerShell)

8. Add the second condition by clicking Add Condition. Once added, select intended options from the drop-down list and complete the conditions as shown below.

9. When all rules and conditions are defined, Save and Publish the profile. This profile can now be assigned to intended devices.


Breaking down the above rule:

Any application run from the folder %ProgramFiles%\Microsoft Office\ will be blocked from launching scripts and commands that use powershell.exe (%ProgramFiles% = C:\Program Files\).
This rule will protect users against scripted attacks hidden in MS Office documents.
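
The rule broken down above can be modelled as a small evaluator run over sample process-start events. This is an added example, not F-Secure's code or rule format: the field names, the AND combination of the two conditions, the case-insensitive prefix match on the parent path, and the sample events are all assumptions made for illustration.

```python
import ntpath

# The exclusion from steps 6-8 as data. Field names are hypothetical.
RULE = {
    "event": "Application Start",
    "action": "Block",
    # %ProgramFiles% expanded to C:\Program Files as stated on the page
    "parent_path_prefix": "C:\\Program Files\\Microsoft Office\\",
    "target_filename": "powershell.exe",
}
GLOBAL_RULE = "Allow and Monitor All Applications"  # step 4


def norm(path):
    """Normalise separators and case (Windows paths are case-insensitive)."""
    return ntpath.normcase(ntpath.normpath(path))


def evaluate(parent_image, target_image, rule=RULE):
    """Return the action for one process-start event.

    Assumed semantics: both conditions must match (AND) for the exclusion
    to fire; anything else falls through to the global rule.
    """
    prefix = norm(rule["parent_path_prefix"]) + "\\"
    parent_ok = norm(parent_image).startswith(prefix)
    target_ok = ntpath.basename(norm(target_image)) == rule["target_filename"].lower()
    return rule["action"] if parent_ok and target_ok else GLOBAL_RULE


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed process-start events: (parent image, started image).
SAMPLES = [
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", PS),
    (r"c:\program files\microsoft office\root\office16\excel.exe", PS.upper()),
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r"C:\Windows\splwow64.exe"),
    (r"C:\Windows\explorer.exe", PS),
    # 32-bit Office on 64-bit Windows installs under Program Files (x86):
    (r"C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE", PS),
]

if __name__ == "__main__":
    for parent, target in SAMPLES:
        print(f"{evaluate(parent, target)}: {parent} -> {target}")
```

In this model the last sample falls through to the global rule, because a 32-bit Office installation under C:\Program Files (x86)\ is outside the path condition as written. Check where Office is installed on the devices the profile is assigned to and add a matching path condition where needed.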

There are many more conditions that can be used in various combinations to protect against hidden malware, scripts and other application-based attacks. The rules are also easy to define and add an extra layer of protection which could block a potential data breach. Application Control provides protection based on action rather than detection and, combined with F-Secure’s AV engines, it provides a multi-layered approach to cyber security.