Raynor

Suggestion: Turn the Behavior Blocker into a real centrally-manageable Application Black- & Whitelisting tool


Dear Emsisoft Team,

right now, using the behaviour blocker, you could locally add an application rule that blocks a certain exe file.
However, the current implementation lacks flexibility:

1) The application blocking rules CAN NOT be set using the Enterprise Console or the Cloud Console. There is no option for that.
     Rules can only be set using the local client UI (Protection --> Behaviour Blocker --> Add Application Rule),
     which is not suitable for enterprise usage.

2) Wildcards CAN NOT be used, e.g. blocking file extensions such as "*.hta" or "*.scr" is not possible

3) Hash rules and blocking program execution in entire directories (path rules) are not possible either

 

Please let me kindly suggest that you improve the behaviour blocker and turn it into a real application control solution that can
be centrally managed using EEC or the Cloud Console.

Similar to what e.g. F-Secure and Kaspersky already offer:

--> https://community.f-secure.com/t5/Protection/Application-Control-2-0/td-p/105812

--> "In Kaspersky Endpoint Security for Business, administrators can configure startup blocking policies for applications, executable modules (PE-files, exe, scr, dll) and scripts executed via a variety of interpreters (com, bat, cmd,  ps1, vbs, js, msi, msp, mst, ocx, appx, reg, jar, mmc, hta, sys). For this, the administrator inventories applications on user computers and receives their list with metadata (vendor, certificate, name, version, installation path etc.) If new applications appear on hosts later, these are also inventoried."

 

My reasoning behind this request:

Right now, we are using Software Restriction Policies (SRP) to control the startup of some unwanted applications and file types (e.g. mshta.exe, *.hta, etc.).
However, SRP has been deprecated by Microsoft starting with Windows 10 v1803. It still works, but who knows when MS will finally remove it.
So SRP obviously is not a future-proof solution.

Its successor, AppLocker, can only be used with Windows 10 Enterprise and Education, and is more complicated to set up and administer.
So it is not an option for small companies which use Windows 10 Professional.

 

Certainly this is not an ultra-urgent feature request (as SRP is still working), but it would be much appreciated if you
could put this on your middle- to long-term roadmap.
After all, I believe that much of the technology required is very likely already contained in the current behaviour blocker,
it just is not exposed via any UI that allows for flexible configuration.

Thanks and best regards,
Raynor

 
