technikarc

Criteria to whitelist all Microsoft executables in ASC


Situation:

At the beginning we scanned all Workstations in the network to generate list of executables in Application categories section. It's mostly based on SHA-256 hashes. Then we cleared this list and left only executables we wanted. Now we are using ASC (Application Startup Control) in whitelist mode without Golden Image and Trusted Updaters categories to gain absolute control on allowed executables.

Problem:

  • Our workstations run on very different versions of Windows
  • We do not use Windows Updates
  • New workstations typically have a different version of Windows from the others

So our whitelist is massive. It's hard to administer it.

Workaround:

  • We can't create category based on executables from selected devices (can't use PC as an image for whitelist because of many different OS versions)
  • We can't use Windows install images because we simply do not have them

Question:

Is there any Application category condition criterion to whitelist all Microsoft-kind executables, like using certificate details or metadata, to let the OS run freely?

2 hours ago, technikarc said: [quotes the opening post above in full]

Hello,

White List, if you want to block the startup of all applications except the applications specified in allow rules.

When this mode is selected, two Application Startup Control rules are created by default: Golden Image and Trusted Updaters. You cannot delete these rules. The settings of these rules cannot be edited. You can enable or disable these rules by selecting or clearing the check box opposite the relevant rule. By default, the Golden Image rule is enabled, and the Trusted Updaters rule is disabled. All users are allowed to start applications that match the trigger conditions of these rules.

https://help.kaspersky.com/KESWin/10SP2/en-US/128036.htm

It means that item "Golden Image" was created to answer your question.

There is no other supported solution for your technical task.

Thank you.


Well, your solution is partial. "Golden Image" allows running not only Microsoft-kind executables, but also any other executables which Kaspersky decided to whitelist. As I wrote above, I'd like to keep control of non-Microsoft executables myself and don't want my workstations running any unnecessary software.

Workaround №2:

All our workstations run under non-admin users. The administrative account is used only by us when necessary. This means users can't modify the C:\Windows\*\; C:\Program Files\*\ or C:\Program Files (x86)\*\ folders, where almost all Microsoft-kind executables are, including the ones preinstalled by us. Following this topic I've created a new category under KSC --> Administration Server --> Advanced --> Application management --> Application categories and in its Conditions section added these paths through Add --> Application folder using wildcards as described here. At this point users may only launch executables and can't update them without my permission (except those which are updated through system services or schedulers) and can't copy any executable to these paths because they are non-admin users.

Testing now; looks like it did the trick for my problem covered by this topic. I wrote the post after reading that post, but didn't realize at the time I could use it for this situation.

Sorry and thank you for your reply.

Edited by technikarc
Just detailed Workaround section

17 hours ago, technikarc said:

This means users can't modify C:\Windows\*\; C:\Program Files\*\ or C:\Program Files (x86)\*\ folders where are almost all Microsoft-kind executables including the ones which are preinstalled by us.

Correction:

the paths must be in the C:\Windows\*; C:\Program Files\* or C:\Program Files (x86)\* format. Otherwise they do not work for subfolders.

This kind of network protection solution (when ASC is running in whitelist mode) can be effective against the recently discussed ransomware because users can't run any other executable or script. Correct me if I'm wrong.
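A folder-based allow rule such as C:\Windows\* (in the corrected format from the post above) permits every executable beneath that root, so the workaround in this thread is only as strong as the NTFS permissions under those three roots: any subfolder a standard user can write to is a place to drop an executable that the path rule would then allow. The PowerShell script below is an added example for auditing that; it is not code from this thread and not a Kaspersky tool. It assumes the three roots correspond to the ASC "Application folder" conditions described above, that ordinary users are members of BUILTIN\Users and Authenticated Users, and that it is run from an elevated session on a workstation that receives the policy. The function and variable names are the example's own.

```powershell
# Added example, not code from the forum thread or from Kaspersky.
# Audits the roots allowed by the ASC "Application folder" conditions
# (C:\Windows\*, C:\Program Files\*, C:\Program Files (x86)\*) for subfolders
# that a standard (non-admin) user can write to. Run elevated.

$Roots = @('C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)')

# Well-known principals that every interactive non-admin user belongs to (assumption).
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

# Specific rights that let a principal create or alter files in a directory.
# WriteData = CreateFiles and AppendData = CreateDirectories on a folder.
$FSR = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($FSR::WriteData -bor $FSR::AppendData -bor $FSR::Write -bor
                   $FSR::Modify -bor $FSR::FullControl)
# Generic rights appear in ACEs as raw bits with no FileSystemRights name.
$GenericWriteMask = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL

function Resolve-Sid {
    # Returns the SID string for an ACE identity; account names are translated,
    # orphaned or already-raw SIDs are returned as-is.
    param([System.Security.Principal.IdentityReference]$Identity)
    try { $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $Identity.Value }
}

function Get-LowPrivWriteAces {
    # Allow ACEs on $Path that grant write-type rights to a low-privilege
    # principal and apply to the folder itself (not inherit-only).
    # Deny ACEs are not evaluated: treat hits as candidates to confirm by hand.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.PropagationFlags -notmatch 'InheritOnly') -and
        ((($_.FileSystemRights.value__ -band $WriteMask) -ne 0) -or
         (($_.FileSystemRights.value__ -band $GenericWriteMask) -ne 0)) -and
        ((Resolve-Sid $_.IdentityReference) -in $LowPrivSids)
    }
}

function Find-UserWritableSubfolders {
    # Walks each root (including the root itself) and emits one object per
    # folder/ACE pair that would let a standard user plant a file there.
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        $dirs = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            foreach ($ace in (Get-LowPrivWriteAces -Path $dir.FullName)) {
                [pscustomobject]@{
                    Path     = $dir.FullName
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }
}

Find-UserWritableSubfolders -Roots $Roots |
    Sort-Object Path, Identity |
    Format-Table -AutoSize
```

Walking all of C:\Windows takes a few minutes. On a default installation folders such as C:\Windows\Temp and C:\Windows\Tasks usually appear in the output; each hit is either a folder to tighten with ACLs, or one to carve out of the category with an exclusion condition, so that the "users can't copy any executable to these paths" assumption actually holds. The ACL check is static and ignores Deny entries; for a definitive answer on a specific folder, try creating a file there as a non-admin user.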

9 hours ago, technikarc said: [quotes the correction above]

Just wanted to say thank you for pointing out the * in the path for excluding subfolders. Even KL didn't know this when I created a ticket regarding subfolder exclusions not working.

11 hours ago, technikarc said: [quotes the correction above]

Please evaluate support help by using "Rating" option!
