Defendpoint Management Console Administration Guide

Software Version: 5.2.21.0 GA
Document Version: 1.1
Document Date: September 2018

Defendpoint Management Console Administration Guide · 2019-02-14



Copyright Notice

The information contained in this document ("the Material") is believed to be accurate at the time of printing, but no representation or warranty is given (express or implied) as to its accuracy, completeness or correctness. Avecto Ltd, its associated companies and the publisher accept no liability whatsoever for any direct, indirect or consequential loss or damage arising in any way from any use of or reliance placed on this Material for any purpose.

Copyright in the whole and every part of this document belongs to Avecto Ltd ("the Owner") and may not be used, sold, transferred, copied or reproduced in whole or in part in any manner or form or in or on any media to any person other than in accordance with the terms of the Owner's Agreement or otherwise without the prior written consent of the Owner.

Accessibility Notice

In the event that you are unable to read any of the pages or documents on this website, please contact us and we will arrange to get an accessible version to you.


Table of Contents

Chapter 1 - Defendpoint Introduction 7
  1.1 - Windows 7
    1.1.1 - Defining User Roles 7
    1.1.2 - Implementing Least Privilege 7
  1.2 - Mac 8
    1.2.1 - Achieve least privilege on Mac 8
    1.2.2 - Empower users and gain control 8
    1.2.3 - Unlock privileged activity 8
    1.2.4 - Take a pragmatic approach with broad rules 9
    1.2.5 - Achieve compliance 9
    1.2.6 - Apply corporate branding 9
    1.2.7 - Customizable messaging 9
    1.2.8 - Simple, familiar policy design 9

Chapter 2 - Installing, Uninstalling and Upgrading Defendpoint 10
  2.1 - Installing the Defendpoint Policy Editor 10
  2.2 - Installing the Defendpoint for Windows Client 11
    2.2.1 - Client Packages 11
    2.2.2 - Unattended Client Deployment 11
  2.3 - Installing the Defendpoint for Mac Client 12
    2.3.1 - Uninstalling Defendpoint for Mac 12
  2.4 - Upgrading Defendpoint 12
    2.4.1 - Recommended Steps 13
  2.5 - Defendpoint Reporting Console 14
    2.5.1 - Auditing Report 14
    2.5.2 - Privilege Monitoring Report 15
    2.5.3 - Diagnosing Connection Problems 16

Chapter 3 - Launching the Defendpoint Policy Editor 17
  3.1 - Navigating the Policy Editor 17
    3.1.1 - Automatic Saving 18

Chapter 4 - Policies and Templates 19
  4.1 - Users 19
  4.2 - Policies 19
  4.3 - Editing Group Policy 19
  4.4 - Defendpoint Settings 20
    4.4.1 - Create 20
    4.4.2 - Delete 20
    4.4.3 - Export 21
    4.4.4 - Import 21
    4.4.5 - Import Template 21
    4.4.6 - Digitally Sign 21
    4.4.7 - Save Report 21
    4.4.8 - Set Challenge / Response Shared Key 21
    4.4.9 - Show Hidden Groups 21
    4.4.10 - View 22
    4.4.11 - Licensing 22
    4.4.12 - HTML Report 22
  4.5 - Defendpoint Activity Viewer 22
  4.6 - Response Code Generator 23
  4.7 - Templates 23
    4.7.1 - QuickStart 23
    4.7.2 - Discovery 27
    4.7.3 - Server Roles 28
    4.7.4 - Trusted App Protection (TAP) 28

Chapter 5 - Defendpoint Policies for Windows 33
  5.1 - Policy Administration 33
    5.1.1 - Advanced Agent Settings 33
    5.1.2 - Advanced Policy Editor Settings 34
  5.2 - Workstyles 34
    5.2.1 - Workstyle Properties 35
    5.2.2 - Creating Workstyles 36
    5.2.3 - Workstyle Summary 38
    5.2.4 - Overview 38
    5.2.5 - Application Rules 39
    5.2.6 - On-Demand Application Rules 40
    5.2.7 - Content Rules 43
    5.2.8 - Trusted Application DLL Protection 44
    5.2.9 - General Rules 46
    5.2.10 - Filters 48
  5.3 - Application Groups 51
    5.3.1 - Creating Application Groups 52
    5.3.2 - Viewing or Editing the Properties of an Application Group 52
    5.3.3 - Deleting an Application Group 52
    5.3.4 - Duplicating an Application Group 52
    5.3.5 - Rule Precedence 53
    5.3.6 - Application Definitions 53
    5.3.7 - Inserting ActiveX Controls 58
    5.3.8 - Inserting Batch Files 59
    5.3.9 - Inserting COM Classes 59
    5.3.10 - Inserting Control Panel Applets 60
    5.3.11 - Inserting Executables 61
    5.3.12 - Inserting Installer Packages 61
    5.3.13 - Inserting Management Console Snap-ins 63
    5.3.14 - Inserting PowerShell Scripts 63
    5.3.15 - Inserting Registry Settings 64
    5.3.16 - Inserting Remote PowerShell Commands 65
    5.3.17 - Inserting Remote PowerShell Scripts 66
    5.3.18 - Inserting Uninstaller (msi or exe) 67
    5.3.19 - Inserting Windows Services 68
    5.3.20 - Inserting Windows Store Applications 68
    5.3.21 - Inserting Window Scripts 69
    5.3.22 - Inserting Applications from Templates 70
    5.3.23 - Inserting Applications from Running Processes 70
    5.3.24 - Inserting Applications from Events 70
  5.4 - Content Groups 71
    5.4.1 - Creating Content Groups 72
    5.4.2 - Duplicating Content Groups 72
    5.4.3 - Target Content Definitions 72
    5.4.4 - Inserting Content 73
  5.5 - Messages 73
    5.5.1 - Types of Messages 74
    5.5.2 - Creating Messages 74
    5.5.3 - Setting ActiveX Message Text 76
    5.5.4 - Message Name and Description 76
    5.5.5 - Message Design 76
    5.5.6 - Message Text 84
  5.6 - Custom Tokens 86
    5.6.1 - Creating Custom Tokens 87
    5.6.2 - Editing Custom Tokens 87

Chapter 6 - Defendpoint Policies for OS X 91
  6.1 - Workstyles 91
    6.1.1 - Workstyle Wizard 91
    6.1.2 - Creating Workstyles 92
    6.1.3 - Workstyle Summary 94
    6.1.4 - Overview 94
    6.1.5 - Application Rules 94
    6.1.6 - Filters 95
  6.2 - Application Groups 96
    6.2.1 - Creating Application Groups 96
    6.2.2 - Viewing or Editing the Properties of an Application Group 97
    6.2.3 - Deleting an Application Group 97
    6.2.4 - Duplicating an Application Group 97
    6.2.5 - Rule Precedence 97
    6.2.6 - Application Definitions 98
    6.2.7 - Management of Disk Mounted Images 104
    6.2.8 - Inserting a Binary 106
    6.2.9 - Inserting a Bundle 107
    6.2.10 - Inserting a Package 107
    6.2.11 - Inserting a Sudo Command 108
    6.2.12 - Inserting a System Preference Pane 109
    6.2.13 - Inserting Applications from Templates 110
  6.3 - Messages 110
    6.3.1 - Creating Messages 110
    6.3.2 - Message Name and Description 111
    6.3.3 - Message Design 111
    6.3.4 - Message Text 115

Chapter 7 - Deploying Defendpoint Policy 119
  7.1 - Group Policy Management 119
    7.1.1 - Creating Defendpoint Settings 119
    7.1.2 - Defendpoint Settings Scope 121
    7.1.3 - GPO Precedence and Inheritance Rules 121
    7.1.4 - Order of Processing 121
    7.1.5 - Exceptions to Default Order of Processing 122
    7.1.6 - Defendpoint Settings Storage and Backup 122
    7.1.7 - Disconnected Users 122
  7.2 - Standalone Management 123
  7.3 - PowerShell Management 123
    7.3.1 - Windows PowerShell Execution Policy 124
    7.3.2 - Executing PowerShell Configurations 124
  7.4 - Webserver Management 124
    7.4.1 - Deploying Workstyles via Web Services 124
    7.4.2 - Webserver Enabled Client Installation 125
    7.4.3 - Enabling Webserver Policy Download via the Registry 126
  7.5 - Configuration Precedence 126
  7.6 - Deployment Methods 127
  7.7 - Mac Deployment 127
    7.7.1 - Adding Defendpoint Settings to a Mac Client computer 127

Chapter 8 - Auditing and Reporting 129
  8.1 - Events 129
    8.1.1 - Windows Process Events 129
    8.1.2 - Mac Process Events 131
    8.1.3 - Auditing with Custom Scripts 131

Appendix A - Appendices 133
  A.1 - Troubleshooting 133
    A.1.1 - Resultant Set of Policy 133
    A.1.2 - Check Defendpoint is installed and functioning 134
    A.1.3 - Check Settings are Deployed 134
    A.1.4 - Check that Defendpoint is Licensed 134
    A.1.5 - Check Workstyle Precedence 134
  A.2 - Avecto End User Utilities 136
    A.2.1 - Adding these Applications to your Policy 136
  A.3 - Mac Specific 137
    A.3.1 - Mac Policy Structure and Precedence 137
    A.3.2 - Multiple Mac Policies 138
    A.3.3 - Mac Application Templates 138
    A.3.4 - Mac Audit Logging 138
    A.3.5 - Mac Logging Options 140
    A.3.6 - Adding Defendpoint Settings to a Mac Client Computer 142
    A.3.7 - Mac Command Arguments Not Supported 143
  A.4 - Windows Specific 143
    A.4.1 - Windows Policy Configuration Precedence 143
    A.4.2 - Windows Privileges 144
    A.4.3 - Windows Application Templates 146
    A.4.4 - Configuring Remote Computer Browser 146
    A.4.5 - Environment Variables 148
    A.4.6 - Regular Expressions Syntax 148
    A.4.7 - Windows Workstyle Parameters 150
    A.4.8 - Example PowerShell Configurations 153
    A.4.9 - Manual Deployment of the Defendpoint Client 157
    A.4.10 - Trusted Application Protection Blacklist 157
    A.4.11 - Built-in Groups 158
    A.4.12 - Automating the Update of Multiple GPOs 158
    A.4.13 - Signing Defendpoint Settings 159
  A.5 - Databases 166
    A.5.1 - Database Sizing and Resource Consumption 166


Chapter 1 - Defendpoint Introduction

Defendpoint combines privilege management and application control technology in a single lightweight agent. This scalable solution allows global organizations to eliminate admin rights across the entire business.

Actionable intelligence is provided by an enterprise class reporting solution with endpoint analysis, dashboards and trend data for auditing and compliance.

1.1 - Windows

1.1.1 - Defining User Roles

Before deploying Defendpoint, you should spend some time preparing suitable workstyles for your users. Implementing least privilege may require workstyles to be tailored to users' roles.

The table below shows three typical user roles, but we recommend that you create roles that are tailored to your environment.

Role                     Requirement for Admin Rights
Standard Corporate User  Applications that require admin rights to function, and simple admin tasks.
Laptop User              Flexibility to perform ad-hoc admin tasks and install software when away from the corporate network.
Technical User           Complex applications and diagnostic tools, advanced admin tasks and software installations.

Defendpoint can cater for all types of users, including the most demanding technical users such as system administrators and developers.

You should also educate users on what they should expect from a least privilege experience, before transferring them to standard user accounts. This ensures that they will report any problems they encounter during the process of moving to least privilege.

Contact your solution provider or Avecto to gain access to templates to cater for more complex use case scenarios.

1.1.2 - Implementing Least Privilege

The first step is to identify the applications that require admin privileges for each of the roles you've defined. These can fall into one of three categories:

1. Known Admin Applications – You already have a definitive list of applications that require admin rights to run.
2. Unknown Admin Applications – You are not sure of the applications that require admin rights to run.
3. Flexible Elevation – The user will require flexibility and can't be restricted to a list of applications.


Known Applications

For this category you should add the relevant applications to the Defendpoint application groups [1] for the users, which will automatically elevate these applications when they are launched. You can then remove admin rights from these users.

Unknown Applications

For this category you have two choices to help you discover the applications that require admin rights:

1. Windows specific: Set up Defendpoint workstyles to monitor privileged application behavior. The Defendpoint audit logs will highlight all of the applications that require admin rights to run. See Privilege Monitoring detailed on page 35 for more information.

2. Set up Defendpoint workstyles to give the user the "on-demand" elevation facility, and instruct the user to use this facility for any applications that fail to run once you have taken the user's admin rights away. The Defendpoint audit logs will highlight all the applications that the user has launched with elevated rights. See On-Demand Application Rules detailed on page 40 and Privilege Monitoring detailed on page 35 for more information.

You can use the audit logs to determine the relevant set of applications that you want to give admin rights to for these users. See Application Groups detailed on page 51 for more information.

Flexible Elevation

For this category you should set up Defendpoint workstyles that give the user an "on-demand" elevation facility, which allows the user to elevate any applications from a standard user account. All elevated applications can be audited, to discourage users from making inappropriate use of this facility. See On-Demand Application Rules detailed on page 40 for more information.

1.2 - Mac

1.2.1 - Achieve least privilege on Mac

There are many functions that require an admin account to run. While most Mac users typically use an admin account to gain the flexibility they need, this represents a large security risk in the enterprise. Defendpoint for Mac allows users to log on with standard user accounts without compromising productivity or performance, by allowing the execution of approved tasks, applications and installations as required, according to the rules of your policy.

1.2.2 - Empower users and gain control

Allow and block the use and installation of specific binaries, packages and bundles. By taking a simple and pragmatic approach to whitelisting, you can gain greater control of applications in use across the business. This immediately improves security by preventing untrusted applications from executing.

1.2.3 - Unlock privileged activity

Even privileged applications and tasks that usually require admin rights are able to run under a standard user account. With Defendpoint for Mac, you can unlock approved system preferences such as date and time, printers, network settings and power management without needing admin credentials.

[1] Logical groupings of applications.


1.2.4 - Take a pragmatic approach with broad rules

Broad catch-all rules provide a solid foundation, with exception handling options to handle unknown activity. Define the application and set its identification options such as filename, hash, publisher or URI. Then assign the application to the users who require enhanced rights and set up any additional options such as end user messaging and auditing.

1.2.5 - Achieve compliance

You will have the knowledge to discover, monitor and manage user activity from the entire enterprise, drawing upon actionable intelligence to make informed decisions. Graphical dashboards with real-time data will provide a broad range of reports to aid troubleshooting and provide the information you need to proactively manage your policy on an ongoing basis.

1.2.6 - Apply corporate branding

You can add your own branding to messages and prompts, with reusable messaging templates that make it easy to improve the end user experience. You have control over text configuration.

1.2.7 - Customizable messaging

Working seamlessly with OS X and macOS, Defendpoint for Mac can suppress standard, restrictive messages and allows you to create your own customized authorization prompts to handle exceptions and enable users to request access. Set up access request reasons, challenge / response codes or password protection to add additional security layers, or simply improve prompts to reduce helpdesk enquiries.

1.2.8 - Simple, familiar policy design

Firewall-style rules based on application groups make set up and management simple. Using the same Defendpoint interface and client as for Windows, you can create flexible 'Workstyles' based on the requirements of individuals and groups of users.


Chapter 2 - Installing, Uninstalling and Upgrading Defendpoint

The following topics are discussed in this section; see the Defendpoint ePO Extension Installation Guide for more details:

• Installing the Defendpoint Policy Editor detailed below
• Installing the Defendpoint for Windows Client detailed on the next page
• Installing the Defendpoint for Mac Client detailed on page 12
• Upgrading Defendpoint detailed on page 12

Can I install the 32-Bit Client on a 64-Bit endpoint?

No. The 32-Bit Client can only be installed on 32-Bit endpoints.

Can I install the 32-Bit Management Console on a 64-Bit endpoint?

Yes. The 32-Bit Management Console can be installed on 64-Bit endpoints if required. However, you will not be given the option of installing the Client.

Do I need to install the Defendpoint Client and Management Console together?

For standalone installations, you must install both the Client and Console. Avecto also recommends that the Client and Console are installed together during evaluation, to simplify the evaluation process.

For larger deployments, there is no requirement to install the Management Console on endpoints.

What distribution mechanisms do you support?

The Defendpoint Client can be deployed using any third party software which supports the deployment of MSI and/or Executable files, such as Microsoft Active Directory, Microsoft SMS / SCCM, and McAfee ePolicy Orchestrator (ePO).

For silent installations and advanced installations (such as CERT_MODE and EPOMODE), the third party deployment software must also support the use of command line options.

2.1 - Installing the Defendpoint Policy Editor

Using an administrator account, log on to the Windows computer you would like to manage Defendpoint from.

Ensure that you have the relevant Group Policy management tools installed on the desktop or server where you will be installing the Defendpoint Policy Editor.

To install Defendpoint, run the appropriate installation package:

• For 32-bit (x86) systems run DefendpointManagementConsoles_x86.exe
• For 64-bit (x64) systems run DefendpointManagementConsoles_x64.exe

1. The installation will detect if any prerequisites are needed. Click Install to install any missing prerequisites. This may take a few minutes.
2. Once the prerequisites have been installed, the Welcome dialog box appears. Click Next to continue.
3. After reading the license agreement, select I accept the terms in the license agreement and click Next.


4. Enter your name and the name of your organization and click Next.
5. If you want to change the default installation directory then click the Change button and select a different installation directory. Click Next.
6. If you are only managing Windows machines with Defendpoint and want to evaluate Defendpoint with McAfee ePolicy Orchestrator, select the McAfee ePolicy Orchestrator Integration check box. Otherwise, leave it clear and click Next.
7. Click Install to start installing the Defendpoint Policy Editor.
8. Once installed, click Finish. The Defendpoint Policy Editor has now been successfully installed.

In order to use the Event Import Wizard, you will need to install the Microsoft SQL Server 2008 R2 Native Client. For installation instructions and to download this component, visit https://www.microsoft.com/engb/download/details.aspx?id=16978

2.2 - Installing the Defendpoint for Windows Client

The Defendpoint Client requires that Windows short file name creation is enabled.

2.2.1 - Client Packages

To install the Defendpoint Client, run the appropriate installation package:

• For 32-bit (x86) systems run DefendpointClient_x86.exe
• For 64-bit (x64) systems run DefendpointClient_x64.exe

The installation will detect if any prerequisites are needed. Click Install to install any missing prerequisites. This may take a few minutes.

The Defendpoint Client may be installed manually, but for larger installations we recommend that you use a suitable third-party software deployment system.

There is no license to add during the client installation, as this is deployed with the Defendpoint workstyles, so the client may be installed silently.

2.2.2 - Unattended Client Deployment

When deploying the Defendpoint Client with automated deployment technologies, such as System Center Configuration Manager (SCCM), you can deploy the client silently and postpone the computer from restarting.

To install the client executable silently, without a reboot, use the following command line (the double quotes are required and the syntax must be copied exactly):

DefendpointClient_x86.exe /s /v" /qn /norestart"


To install the client MSI package silently, without a reboot, use the following command line (double quotes are not required but the syntax must be copied exactly):

Msiexec.exe /i DefendpointClient_x86.msi /qn /norestart

Defendpoint will not be fully operational until a reboot is performed. To perform an unattended deployment with a reboot, omit the '/norestart' switch.

2.3 - Installing the Defendpoint for Mac Client

The Defendpoint for Mac Client enables Defendpoint Settings to be applied to Mac computers.

If you are installing the Defendpoint Client on to computers running OS X 10.11 El Capitan, make sure that sudo 1.8 is installed before installing the Defendpoint Client.

To install the Defendpoint Client, download and run the client installer package DefendpointMacClient.pkg.

The Defendpoint Client may be installed manually, but for larger installations we recommend that you use a suitable third party software deployment system.

There is no license to add during the client installation, as this is deployed with the Defendpoint workstyles, so the client may be installed silently.

2.3.1 - Uninstalling Defendpoint for Mac

Uninstalling Defendpoint

To uninstall Defendpoint locally on a Mac, run the following command:

sudo /usr/local/libexec/avecto/defendpoint/1.0/uninstall.sh

Uninstalling the Defendpoint ePO Adapter

To uninstall the Defendpoint ePO Adapter locally on a Mac, run the following command:

sudo /usr/local/libexec/avecto/ic3adapter/1.0/uninstall.sh

Removing the Defendpoint Policy

Do not remove the Defendpoint policy unless you have already uninstalled Defendpoint.

To remove the policy once you have uninstalled Defendpoint run the following command:

sudo rm -rf /etc/defendpoint
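The three commands above can be wrapped so that the ordering the guide insists on is enforced by the script rather than by the operator. The following is an added example, not Avecto's own tooling: it runs the client uninstall first, treats the ePO adapter uninstall as optional, and deletes /etc/defendpoint only when the client uninstall reported success. The paths are the ones documented in this section; the function name and exit codes are this example's own.

```shell
#!/bin/sh
# Added example (not Avecto tooling): remove Defendpoint for Mac in the order
# section 2.3.1 requires. Run the whole script with sudo.

DP_UNINSTALL=/usr/local/libexec/avecto/defendpoint/1.0/uninstall.sh
ADAPTER_UNINSTALL=/usr/local/libexec/avecto/ic3adapter/1.0/uninstall.sh
POLICY_DIR=/etc/defendpoint

# remove_defendpoint <client uninstall.sh> <adapter uninstall.sh or ""> <policy dir>
# Exit status: 0 = client removed and policy directory deleted
#              1 = client uninstall failed, policy directory left untouched
#              2 = client uninstall script not found, nothing changed
remove_defendpoint() {
    client_uninstall=$1
    adapter_uninstall=$2
    policy_dir=$3

    if [ ! -x "$client_uninstall" ]; then
        echo "client uninstall script not found: $client_uninstall" >&2
        return 2
    fi

    if ! "$client_uninstall"; then
        # The guide warns against removing the policy while the client is
        # still installed, so stop here and keep the policy directory intact.
        echo "Defendpoint uninstall failed; leaving $policy_dir in place" >&2
        return 1
    fi

    # The ePO adapter is only present on ePO-managed Macs; skip it otherwise.
    if [ -n "$adapter_uninstall" ] && [ -x "$adapter_uninstall" ]; then
        "$adapter_uninstall" || echo "warning: ePO adapter uninstall failed" >&2
    fi

    # Safe only now that the client is gone.
    rm -rf "$policy_dir"
    return 0
}

# Act on the real paths only when running as root on a Mac that actually has
# the client installed; otherwise the file just defines the function.
if [ "$(id -u)" -eq 0 ] && [ -x "$DP_UNINSTALL" ]; then
    remove_defendpoint "$DP_UNINSTALL" "$ADAPTER_UNINSTALL" "$POLICY_DIR"
fi
```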

2.4 - Upgrading Defendpoint

Before upgrading any versions of Defendpoint or Privilege Guard software or existing settings, it is recommended that you test your deployment in a pre-production environment. This will help mitigate any unforeseen compatibility issues, and avoid disruption to the business.


In the following sections, all references to Defendpoint, by default also refer to Privilege Guard.

All Defendpoint MSI and EXE installers will automatically remove old versions of Avecto software when installed. Therefore, it is not necessary to manually remove old versions prior to installation of new versions.

If you previously installed the Defendpoint client with a switch you must ensure that you upgrade the Defendpoint client with the same switch. If you do not use the same switch the new installation parameters will apply and any functionality relating to the previous installation will be lost.

The Defendpoint Client guarantees backwards compatibility with previous versions of Defendpoint, but does not guarantee forwards compatibility. Therefore it is recommended that all Defendpoint Clients are upgraded before rolling out new versions of Defendpoint.

When upgrading Avecto software, it may be necessary for a reboot to occur in order to complete the installation. When installing in silent mode, a reboot will occur automatically. Therefore it is recommended that upgrades are performed out of core business hours, or during scheduled maintenance windows, to avoid loss of productivity.

2.4.1 - Recommended Steps

Step 1: Upgrading Defendpoint Clients

To upgrade the Defendpoint Client manually, double-click the client installation media for your operating system.

To upgrade the Defendpoint Client using a deployment mechanism, please see the steps in Installing the Defendpoint for Windows Client detailed on page 11 or Installing the Defendpoint for Mac Client detailed on the previous page.

For larger deployments, Defendpoint Clients support mixed client environments as they are fully backwards compatible with older versions of the Defendpoint settings. This allows for phased roll-outs of the Defendpoint Client if this is preferred.

Step 2: Upgrading the Defendpoint Management Console

Once all Defendpoint Clients have been upgraded, the next step is to upgrade the Defendpoint Management Console.

To upgrade the Defendpoint Management Console, please see the steps in Installing the Defendpoint Policy Editor detailed on page 10.

Step 3: Upgrading Defendpoint Settings

Once the Defendpoint Management Console has been upgraded, the final step is to roll out new versions of the Defendpoint Settings. Although Defendpoint Clients are fully backwards compatible with older versions of Defendpoint Settings, this step is required if you wish to take advantage of any new features and enhancements in Defendpoint.

Defendpoint Settings are automatically saved in the latest format each time a change is made. For details of editing Defendpoint settings, please see the steps in Group Policy Management detailed on page 119.


Once Defendpoint Settings have been upgraded, they cannot be downgraded. Therefore, it is recommended that upgrading Defendpoint Settings is performed only after all Defendpoint Clients have been upgraded.

2.5 - Defendpoint Reporting Console

The Reporting Console is an MMC snap-in and may connect to the local computer or a remote computer. The Reporting Console enables you to view Defendpoint events and privilege monitoring logs for the relevant computer.

To run the Defendpoint Reporting Console:

1. Launch mmc.exe.
2. Select Add/Remove Snap-in from the File menu.
3. Select Defendpoint Reporting from the available snap-ins and click Add.

Before the snap-in is added you will be prompted to select a computer to manage. The local computer will be selected by default. To connect to a remote computer select the Another computer option button and enter the name of the remote computer or click the Browse button to browse for a computer. Defendpoint supports connection to a central event collector if you are using event forwarding to centralize events to a server.

You may also select an alternative location for the privilege monitoring logs, if you have a scripted solution in place to centralize the privilege monitoring logs to a server. Enter the network location or click the Browse button to browse to the location.

4. Click Finish.
5. Click OK.

You can add multiple instances of the Defendpoint Reporting snap-in and connect them to different computers.

2.5.1 - Auditing Report

The Auditing Report lists all the Defendpoint events that have been logged at that computer.

For each event the following information is available:

• Date
• Event ID
• Filename (Codebase for ActiveX controls)
• Command Line
• Event Description
• Username
• Computer Name
• Policy
• Application Group
• Reason
• Custom Token
• Hash (CLSID for ActiveX controls)
• Certificate
• PID
• Parent PID
• Trusted Application Name
• Trusted Application Version

By default, the report will show all Defendpoint events from the event log, but you can filter the report on date, event number, username and computer name. Click Update Report to reload the report.

The application definitions that are contained within each event may be copied and then pasted into application groups in the Defendpoint Policy Editor. Select one or more events and then select Copy from the context menu. You can now paste the applications into an application group.

2.5.2 - Privilege Monitoring Report

Application View

The application view shows a list of all applications that have been monitored. Applications are identified by their file hash.

For each application the following information is available:

• Filename/Codebase
• Type
• Instances
• Description
• Certificate
• Hash (CLSID for ActiveX controls)
• Version (ActiveX controls only)

The instances column shows the number of times the application has been run. To view the individual instances for an application, double-click the entry in the list or select Show Details from the context menu. The Process View appears.

By default, the report will show all the monitored applications, but you may filter the report on date, username and computer name. Click Update Report to reload the report.

Process View

The process view shows a list of the individual processes that have been monitored for an application.

For each process the following information is available:

• Date
• PID
• Command Line
• Filename

To view the activity for a process, double-click the entry in the list or select Show Details from the context menu. The Activity View appears.


Activity View

The activity view shows a list of all the privileged activity that has been carried out by a process. Privileged activity is any activity that would have failed under a standard user account.

For each activity entry the following information is available:

- Date
- Operation
- Object
- Parameters

To go back to the process view, double-click the “back up” entry in the list or select Back Up from the context menu. The Process View appears.

2.5.3 - Diagnosing Connection Problems

The Defendpoint Reporting Console needs to connect to the registry and administrator file shares when connecting to a remote computer.

If the Reporting Console fails to connect or fails to retrieve data, the most common causes are:

1. The Remote Registry service needs to be started on the remote machine. On Windows 7 this service is not set to start automatically, so you should ensure that it has been started.
2. The Windows Firewall may be blocking the incoming requests. Enabling the File and Printer Sharing exception in the Windows Firewall settings should resolve this problem.


Chapter 3 - Launching the Defendpoint Policy Editor

The Defendpoint Policy Editor is accessed as a snap-in to the Microsoft Management Console.

From your administrator account, launch the Microsoft Management Console (MMC.exe): type 'MMC' into the Search Box on the Start Menu and press the Enter key.

We will now add Defendpoint as a snap-in to the console.

1. Select File from the menu bar and select Add/Remove Snap-in.
2. Scroll down the list and select the Defendpoint Settings snap-in. Click Add and then click OK.
3. Optionally select File > Save as and save a shortcut for the snap-in to the desktop as Defendpoint.
4. Select the Defendpoint Settings node in the left-hand pane and select the operating system node to display the main screen in the details pane.

3.1 - Navigating the Policy Editor

The left-hand pane containing the Defendpoint Settings is referred to as the Tree pane.

The folders beneath Defendpoint Settings in the tree pane are referred to as Nodes.

The middle pane, which displays content relevant to the selected node, is referred to as the Details pane.

If you expand the Defendpoint Settings node you will see three nodes:

1. Windows – Create Defendpoint configuration for Windows endpoints.
2. OS X – Create Defendpoint configuration for Mac (OS X or macOS) endpoints.
3. Licensing – Manage Defendpoint licenses.


If you expand the Windows node you will see five nodes:

1. Workstyles – Assign privileges to applications.
2. Application Groups – Define logical groupings of applications.
3. Content Groups – Define specific file content.
4. Messages – Define end user messages.
5. Custom Tokens – Define custom access tokens.

If you expand the OS X node you will see three nodes:

1. Workstyles – Assign privileges to applications.
2. Application Groups – Define logical groupings of applications.
3. Messages – Define end user messages.

Once a workstyle has been created and selected in the tree pane, the workstyle tabs are displayed in the details pane.

3.1.1 - Automatic Saving

By default the Defendpoint Settings editor automatically saves any changes back to the appropriate GPO (or local XML file if you are using the standalone console).

Automatic saving can be disabled by deselecting the Auto Commit Settings menu option on the Defendpoint Settings node, but this is not recommended unless you are having performance issues. If you deselect the Auto Commit Settings option then you must select the Commit Settings menu option to manually save any changes back to the GPO. The Auto Commit Settings option is persisted to your user profile, so it will be set for all future editing of Defendpoint Settings.


Chapter 4 - Policies and Templates

A Defendpoint policy is made up of one or more items from the following groups. Each of these groups can be a node in the Defendpoint Settings:

- Workstyles
  - A workstyle is part of a policy. It's used to assign application rules for users. You can create workstyles using the WorkStyle Wizard or import them.
- Application Groups
  - Application Groups are used by Workstyles to group applications together to apply certain Defendpoint behavior.
- Content Groups
  - Content groups are used by Workstyles to group content together to apply certain Defendpoint behavior.
- Messages
  - Messages are used by Workstyles to provide information to the end user when Defendpoint has applied certain behavior that you've defined and need to notify the end user.
- Custom Tokens
  - Custom Tokens are used by Workstyles to assign custom privileges to content or application groups.

4.1 - Users

Disconnected users are fully supported by Defendpoint. When receiving policies from McAfee ePO, Defendpoint automatically caches all the information required to work offline, so the settings will still be applied if the client is not connected to the corporate network. Of course, any changes made to the policy will not propagate to the disconnected computer until the McAfee Agent re-establishes a connection to the ePO Server.

4.2 - Policies

Defendpoint policies are applied to one or more endpoints. The Policy Summary screen summarizes the number of workstyles, application groups, target URL groups, target content groups, messages, tokens and licenses in the policy. For a blank policy, all summaries are ‘zero’.

Each item summary includes an Edit <Item> button, which allows you to jump to that section of the policy.

Defendpoint incorporates autosave, autosave recovery and concurrent edit awareness features to reduce the risk or impact of data loss and to prevent multiple users from overwriting individual policies.

A Defendpoint template is a configuration that is merged with your existing policy. A template likewise consists of any number of Workstyles, Application Groups, Content Groups, Messages and Custom Tokens.

4.3 - Editing Group Policy

To edit policy we recommend you use the Group Policy Management snap-in. Once you have installed the Defendpoint Management Console, the Defendpoint settings are available in the Group Policy Management snap-in. The Group Policy Management snap-in can be accessed from the Microsoft Management Console or the Group Policy Management Editor.


If you want to create local policy to administer your endpoints, you can use the Defendpoint snap-in in the Microsoft Management Console or the Local Group Policy Editor. This will create a local policy only.

4.4 - Defendpoint Settings

You can right-click the Defendpoint Settings node to access the following commands. With the exception of Commit and Auto Commit, these options are also available on the right-hand side of the snap-in.

You can click Tools in the right-hand panel to access:

- Defendpoint Activity Viewer, detailed on page 22
- Response Code Generator, detailed on page 23

By default Auto Commit Settings is selected. This means any changes made here are saved and applied using group policy. Alternatively, you can clear Auto Commit Settings and select Commit Settings when you specifically want those settings to apply.

The following options are also available:

- Create, detailed below
- Delete, detailed below
- Export, detailed on the next page
- Import, detailed on the next page
- Import Template, detailed on the next page
- Digitally Sign, detailed on the next page
- Save Report, detailed on the next page
- Set Challenge / Response Shared Key, detailed on the next page
- Show Hidden Groups, detailed on the next page
- View, detailed on page 22

4.4.1 - Create

Creates a new Defendpoint policy. This will delete any existing policy for all operating systems. If you have an existing policy, you are prompted to remove all existing settings when you click Create. Click Yes to delete your existing policy and create a new one, or No to keep your existing policy.

4.4.2 - Delete

Deletes your existing Defendpoint policy. You are prompted to remove all existing settings when you click Delete. Click Yes to delete your existing policy or No to keep your existing policy.

Deleting Items and Conflict Resolution

Some items within the Defendpoint Settings are referenced in other areas, such as application groups, messages and custom tokens. These items can be deleted at any time, and if they are not being referenced elsewhere, they are deleted without any further action required.

When an item is deleted, the Defendpoint Policy Editor checks for any conflicts which may need to be resolved. If the item being deleted is already in use elsewhere in your settings, a conflict is reported which needs to be resolved.

You can review each detected conflict and observe the automatic resolution which will take place if you proceed. If more than one conflict is reported, use the Next conflict and Previous conflict links to move between conflicts.


If you want to proceed, click Resolve All to remove the item from the areas of your Defendpoint Settings where it is currently in use.

4.4.3 - Export

Defendpoint policies can be imported to and exported from Group Policy as XML files, in a format common to other editions of Defendpoint such as the Defendpoint ePO Extension. This allows policies to be migrated and shared between different deployment mechanisms.

To export a policy, click Export and give the file a name. Click Save.

4.4.4 - Import

Defendpoint policies can be imported to and exported from Group Policy as XML files, in a format common to other editions of Defendpoint such as the Defendpoint ePO Extension. This allows policies to be migrated and shared between different deployment mechanisms.

To import a policy, click Import, navigate to the policy XML you want to import and click Open.

4.4.5 - Import Template

Allows you to import template policies. See Templates, detailed on page 23, for more information. The policies available are:

- QuickStart, detailed on page 23
- Discovery, detailed on page 27
- Server Roles, detailed on page 28
- Trusted App Protection (TAP), detailed on page 28

4.4.6 - Digitally Sign

You can digitally sign the Defendpoint settings. The Defendpoint Client can either enforce or audit the loading of signed settings. See Signing Defendpoint Settings, detailed on page 159, for more information.

4.4.7 - Save Report

You can obtain a report of your Windows policy which can be saved locally if required.

4.4.8 - Set Challenge / Response Shared Key

This allows you to set the Challenge / Response Shared Key for the policy. The key is encrypted once you have set it. This key is then required by the Challenge / Response generator to generate response codes. The only way to change the Challenge / Response Shared Key is by setting a new one.

4.4.9 - Show Hidden Groups

Some application groups are hidden by default, for example application groups prefixed by '(Default)' in the QuickStart Policy. You can show or hide application groups in Defendpoint.

To show groups that have been hidden by default, right-click on the Defendpoint Settings node and select Show Hidden Groups. You can hide the groups again by clearing Show Hidden Groups.


4.4.10 - View

This allows you to view either the Workstyles Editor (the default) or the HTML Report, detailed below, for your Windows policy.

4.4.11 - Licensing

The Defendpoint Client requires a valid license code to be entered in the Defendpoint Management Console. If multiple Defendpoint policies are applied to an endpoint, you need at least one valid license code in one of those policies.

For example, you could add the Defendpoint license to a Defendpoint policy that is applied to all managed endpoints, even if it doesn't have any Workstyles. This ensures that all endpoints receive a valid Defendpoint license if they have the Defendpoint client installed. If you are unsure then we recommend that you add a valid license when you create the Defendpoint policy.

Inserting a License

1. Click 'No License. Click to enter a license code' to enter a license if one doesn't already exist, or 'Valid License' if you want to enter an additional license code.
2. Paste your Defendpoint license code and click Add. The license details are shown.

4.4.12 - HTML Report

The Defendpoint Settings may be viewed as an HTML report for your Windows policy only. This report follows the same style as the GPMC reports.

To show the HTML view:

1. Select the Defendpoint Settings node.
2. Right-click and select View > HTML Report.

Defendpoint uses the same style as the GPMC for its HTML reports. You can expand and collapse the various sections of the HTML report to show or hide more detailed information.

To return to the Workstyle Editor view:

1. Select the Defendpoint Settings node.
2. Right-click and select View > Workstyles Editor.

You may also save the HTML report to a file (the HTML view does not have to be displayed to save the HTML report).

To save an HTML Report:

1. Select the Defendpoint Settings node.
2. Right-click and click Save Report.
3. Enter a filename for the report and click Save.

When displaying RSoP (Resultant Set of Policy) results, the Defendpoint Settings Policy Editor defaults to the HTML view, but a read-only Workstyles Editor view may also be displayed.

4.5 - Defendpoint Activity Viewer

The Defendpoint Activity Viewer is an advanced diagnostics tool designed to help identify improvements in Defendpoint workstyles. It allows IT administrators to remotely connect to any Defendpoint Client on the network and view all recent activity on the desktop.

To access the Defendpoint Activity Viewer:

1. Select Tools from the right-hand panel of the Defendpoint Settings start page.

The Activity Viewer collects a complete audit of every application that was run on the desktop, and provides a detailed summary of how the Defendpoint Client interacted with those applications, what actions it applied, and the rules that it used to determine that action.

The activity is displayed in a rich, detailed, yet simple to use interface that provides every snippet of information required to better understand the workstyles deployed to endpoints, how they affect the applications being run, and to rapidly identify unexpected outcomes.

4.6 - Response Code Generator

The Response Code Generator allows you to generate a response code using the PGChallengeResponseUI utility.

To generate a Response Code from the Defendpoint Settings:

1. Click the Tools link from the right-hand panel of the Defendpoint Settings.
2. Click Launch Response Code Generator.
3. Enter your Shared key and the Challenge code. The response code is shown in green below.

4.7 - Templates

Templates can be imported into your Defendpoint settings. You can choose either to merge them into your existing policy or to have the template overwrite your existing policy.

4.7.1 - QuickStart

The QuickStart policy contains Workstyles, Application Groups, Messages and Custom Tokens configured with Privilege Management and Application Control. The QuickStart policy has been designed from Avecto’s experience of implementing the solution across thousands of customers, and is intended to balance security with user freedom. As every environment is different, Avecto recommends this configuration is thoroughly tested to ensure it complies with the requirements of your organization.

This template policy contains the following elements:

Workstyles

- General Rules
- High Flexibility
- Medium Flexibility
- Low Flexibility

Application Groups

- Add Admin - General (Business Apps)
- Add Admin - General (Windows Functions)
- Add Admin - High Flexibility
- Add Admin - Medium Flexibility
- Allow - Approved Standard User Apps
- Allow - Whitelisted Functions & Apps
- Block - Blacklisted Apps
- Control - Restricted Functions
- Control - Restricted Functions (On-Demand)

Messages

- Allow Message (Authentication)
- Allow Message (Select Reason)
- Allow Message (Support Desk)
- Allow Message (Yes / No)
- Block Message
- Block Notification
- Notification (Trusted)

Custom Tokens

- Avecto Support Token

QuickStart Policy Summary

Avecto Defendpoint’s unique QuickStart policy offers a simpler and smarter approach to deployment across your desktop and laptop environments. Leveraging data from thousands of deployments over nearly a decade means you can operationalize Defendpoint virtually overnight, making quick security gains that can be refined over time. The unique features in Defendpoint remove the legacy requirement to monitor an administrator's applications before taking admin rights away. Defendpoint has the ability to automatically detect these apps as they launch and grant the permissions needed, with an audit trail. This significantly improves deployment time and accuracy while providing full protection immediately.

With the QuickStart deployment, you’ll benefit from Defendpoint’s privilege management and application control capabilities, with built-in rules already catering to the majority of use cases and eliminating unnecessary application events. Exceptions that are detected are handled with customizable messages that replace Windows UAC prompts, which are the major barrier to deploying with Standard User accounts. Out of the box, we provide three simple user workstyles catering to differing flexibility requirements, including more advanced users like Developers. Users are asked for varying levels of justification, allowing them to continue to work uninterrupted with significantly increased security. Any unknown or untrusted applications can be blocked automatically or allowed to run with justifications based on user role.

This accurate user behavioral data, combined with trend analysis, allows us to identify which applications truly require elevated privileges, which are executing from the user’s profile area and which are being installed. This data is then used to build more tailored workstyles that fit your enterprise as you continue to refine your deployment. Ultimately, this means only elevating the applications each user needs, allowing only trusted applications to run and blocking all those that are unknown.

Workstyles

The QuickStart policy contains four workstyles that should be used together to manage all users in your organization.


General Rules

This workstyle contains a set of default rules that apply to all standard users regardless of what level of flexibility they need.

The General Rules workstyle contains rules to:

- Block any applications that are in the Block – Blacklisted Apps group
- Allow Avecto Support tools
- Allow standard Windows functions, business applications, and applications installed through trusted deployment tools to run with admin rights
- Allow approved standard user applications to run passively

High Flexibility

This configuration is designed to apply to users who need an “admin-like” experience, such as Developers, where they are able to install any unknown software and make configuration changes to their system. These are the most dynamic users, with varying needs that can never be fully accommodated.

The High Flexibility workstyle contains rules to:

- Allow known white-listed business applications and operating system functions to run
- Allow users to run signed applications with admin rights
- Allow users to run unknown applications with admin rights once they have confirmed that the application should be elevated
- Allow applications that are in the Add Admin – High Flexibility group to run with admin rights
- Allow unknown business applications and operating system functions to run on-demand

Medium Flexibility

This configuration is designed to apply to users who are considered “knowledge workers”, who expect to have some ability to install and make configuration changes without helpdesk interaction, but most of whose job functions are catered for by their base image. They can’t make system-wide changes or run unsigned software without authorization.

The Medium Flexibility workstyle contains rules to:

- Allow known white-listed business applications and operating system functions to run
- Allow users to run signed applications with admin rights once they have confirmed that the application should be elevated
- Prompt users to provide a reason before they can run unknown applications with admin rights
- Allow applications that are in the Add Admin – Medium Flexibility group to run with admin rights
- Allow unknown business applications and operating system functions to run on-demand
- Prevent restricted OS functions that require admin rights, which then require support interaction

Low Flexibility

These users operate on static endpoints, e.g. kiosks, and have very little requirement for new software or to change a system setting beyond the small list of approved items. Anything outside of their base image or approved changes will require a support interaction to proceed.

The Low Flexibility workstyle contains rules to:

- Prompt users to contact support if a trusted or untrusted application requests admin rights
- Prompt users to contact support if an unknown application tries to run
- Allow known approved business applications and operating system functions to run

Application Groups

The application groups that are prefixed with "(Default)" or "(Recommended)" are hidden by default and do not need to be altered.

Add Admin – General (Business Apps) – Contains applications that are approved for elevation for all users, regardless of their flexibility level.

Add Admin – General (Windows Functions) – Contains operating system functions that are approved for elevation for all users.

Add Admin – High Flexibility – Contains the applications that require admin rights that should only be provided to the high flexibility users.

Add Admin – Medium Flexibility – Contains the applications that require admin rights that should only be provided to the medium flexibility users.

Allow – Approved Standard User Apps – Contains applications that are approved for all users.

Block – Blacklisted Apps – This group contains applications that are blocked for all users.

(Default) Any Application – Contains all application types and is used as a catch-all for unknown applications.

(Default) Any Trusted UAC Prompt – Contains signed (trusted ownership) application types that request admin rights.

(Default) Any UAC Prompt – This group contains application types that request admin rights.

(Default) Avecto Tools – This group is used to provide access to an Avecto executable that collects Defendpoint troubleshooting information.

(Default) Controlled OS Functions – Contains operating system applications and consoles that are used for system administration.

(Default) Software Deployment Tool Installs – Contains applications that can be installed by deployment tools such as SCCM (System Center Configuration Manager).

(Default) Whitelisted Functions & Apps – Contains trusted applications, tasks and scripts that should execute as a standard user.

(Recommended) Restricted Functions - This group contains OS applications and consoles that are used for system administration and trigger UAC when they are executed.

(Recommended) Restricted Functions (On Demand) - This group contains OS applications and consoles that are used for system administration.


Messages

The following messages are created as part of the QuickStart policy and are used by some of the application rules:

Allow Message (Authentication) – Asks the user to provide a reason and enter their password before the application runs with admin rights.

Allow Message (Select Reason) – Asks the user to select a reason from a drop-down menu before the application runs with admin rights.

Allow Message (Support Desk) – Presents the user with a challenge code and asks them to obtain authorization from the support desk. Support can either provide a response code or a designated, authorized user can enter their login details to approve the request.

Allow Message (Yes / No) – Asks the user to confirm that they want to proceed to run an application with admin rights.

Block Message – Warns the user that an application has been blocked.

Block Notification – Notifies the user that an application has been blocked and submitted for analysis.

Notification (Trusted) – Notifies the user that an application has been trusted.

Custom Token

A custom token is created as part of the QuickStart policy. The custom token is called Avecto Support Token and is only used to ensure that an authorized user can gain access to Defendpoint troubleshooting information.

We do not recommend using the Avecto Support Token for any other application rules in your workstyles.

Customizing the QuickStart Policy

Before deploying the QuickStart policy to your users, you need to make some company-specific customizations to the standard template.

As a minimum you need to:

- Configure the users or groups that can authorize requests that trigger messages.
- Assign users and groups to the high, medium and low flexibility workstyles.
- Populate the 'Block – Blacklisted Apps' application group with any applications that you want to block for all users.

4.7.2 - Discovery

The Discovery policy contains Workstyles, Application Groups and Messages to allow the discovery of applications that need administrative privileges to execute. This must be applied to administrator users and includes a pre-configured exclusion group (false positives) maintained by Avecto.

This template policy contains the following configurations:

Workstyles

- Discovery Workstyle

Application Groups

- (Default Rule) Any Application
- (Default Rule) Any UAC Prompts
- Approved Standard User Apps
- Whitelisted Functions & Apps

Messages

- Allow Message (Yes / No)

4.7.3 - Server Roles

The Server Roles policy contains Workstyles, Application Groups and Content Groups to manage different server roles such as DHCP, DNS, IIS, and Print Servers.

This template policy contains the following elements:

Workstyles

- Server Role - Active Directory - Template
- Server Role - DHCP - Template
- Server Role - DNS - Template
- Server Role - File Services - Template
- Server Role - Hyper V - Template
- Server Role - IIS - Template
- Server Role - Print Services - Template
- Server Role - Windows General - Template

Application Groups

- Server Role - Active Directory - Server 2008R2
- Server Role - DHCP - Server 2008R2
- Server Role - DNS - Server 2008R2
- Server Role - File Services - Server 2008R2
- Server Role - General Tasks - Server 2008R2
- Server Role - Hyper V - Server 2008R2
- Server Role - IIS - Server 2008R2
- Server Role - Print Services - Server 2008R2

Content Groups

- AD Management
- Hosts Management
- IIS Management
- Printer Management
- Public Desktop

4.7.4 - Trusted App Protection (TAP)

The Trusted App Protection (TAP) policies contain Workstyles, Application Groups and Messages to offer an additional layer of protection against malware for trusted business applications, safeguarding them from exploitation attempts.


The TAP policies apply greater protection to key business applications including Microsoft Office, Adobe Reader and web browsers, which are often exploited by malicious content. They work by preventing these applications from launching unknown payloads and potentially risky applications such as PowerShell. They also offer protection by preventing untrusted DLLs being loaded by these applications, another common malware technique.

In our research we discovered that malware attack chains commonly seek to drop and launch an executable or abuse a native Windows application such as PowerShell. Using a TAP policy prevents these attacks and complements existing anti-malware technologies by preventing an attack from launching without relying on detection or reputation.

The Trusted Application Protection policy you have chosen is inserted at the top of the workstyles, so it is, by default, the first workstyle to be evaluated. Once a workstyle action has been triggered, subsequent workstyles aren't evaluated for that process.

Workstyles

- Trusted Application Protection - High Flexibility (depends on the TAP policy you have chosen)
- Trusted Application Protection - High Security (depends on the TAP policy you have chosen)

Application Groups

- Browsers
- Browsers - Trusted Exploitables
- Browsers - Untrusted child processes
- Content Handlers
- Content Handlers - Trusted Exploitables
- Content Handlers - Untrusted child processes

Content Handlers are used to hold content rather than executables.

Messages

- Block Message

Trusted Application Protection Policies Summary

The TAP policies allow you to control the child processes which TAP applications can run.

There are two policies to choose from:

- High Flexibility
- High Security

You should choose the High Flexibility policy if you have users who need the ability to download and install/update software. You should choose the High Security policy if your users don't need to download and install/update software.

The High Security policy checks that all child processes have either a trusted publisher, a trusted owner, a source URL, or an Avecto Zone Identifier tag, whereas the High Flexibility policy only validates the immediate child processes, allowing a wider range of installers to run.¹ If child processes don't meet any of these four criteria, they are blocked from execution. Known exploits are also blocked by both TAP policies; see Trusted Application Protection Blacklist, detailed on page 157, for more information.

¹ Installers that spawn additional child processes are blocked by the TAP (High Security) policy if those child processes are using applications that are on the TAP blacklist (see Trusted Application Protection Blacklist, detailed on page 157), but would be allowed to run using the TAP (High Flexibility) policy.

Trusted Publisher
• A trusted publisher must be signed. In addition, the publisher certificate must be valid, in date and not revoked.

Trusted Owner
• A trusted owner is any owner that is in the default Windows groups 'Administrators', 'SystemUser' or 'TrustedInstaller'.

Source URL
• The source URL must be present. This is specific to browsers.

Avecto Zone Identifier tag
• The Avecto Zone Identifier tag must be present. This is applied when the browser applies an ADS (Alternate Data Stream) tag. This is specific to browsers.

In addition, all processes on the blacklist are blocked irrespective of their publisher and owner. See Trusted Application Protection Blacklist detailed on page 157 for a list of blacklisted processes.

The TAP policy template affects the following applications:
• Microsoft Word
• Microsoft Excel
• Microsoft PowerPoint
• Microsoft Publisher
• Adobe Reader 11 and lower
• Adobe Reader DC
• Microsoft Outlook
• Google Chrome
• Mozilla Firefox
• Microsoft Internet Explorer
• Microsoft Edge

TAP Applications and their child processes must match all the criteria within the definitions provided in the Application Groups of the policy for the TAP policy to apply.

You can configure TAP process control by importing the TAP template. TAP also has Enterprise Reporting, see Trusted Application Protection Reporting detailed on page 32.

Trusted Application Protection Precedence
The TAP workstyle you choose is placed at the top of your list of workstyles when you import the policy template. This is because it runs best as a priority rule. This ensures that child processes of TAP applications (policy dependent) that do not have a trusted publisher, trusted owner, a source URL, or an Avecto Zone Identifier tag are blocked from execution and that known exploits are blocked.

The Trusted Application Protection workstyle is the first to be evaluated by default. Once a workstyle action has been triggered, subsequent workstyles aren't evaluated for that process.


Modifying the Trusted Application Protection Policies
Both the TAP policies (High Flexibility and High Security) protect against a broad range of attack vectors. The approaches listed here can be used in either TAP policy if you need to modify the TAP policy to address a specific use case that is being blocked by a TAP policy.

The TAP (High Security) policy is, by design, more secure and less flexible as it blocks all child processes of a Trusted Application that do not have a trusted owner, trusted publisher, source URL or Avecto Zone Identifier, so it is therefore more likely to require modification.

The TAP policy that you choose should be based on your business requirements and existing policy. If using a TAP policy causes a legitimate use case to be blocked, there are some actions you can take to resolve this.

Change the Policy to Passive and Audit

You can change the TAP (High Security) policy Application Rules Action to 'Allow Execution' and change the Access Token to 'Passive (No Change)'. Ensure Raise an Event is set to 'On' and click OK.

Changing the TAP policy to 'Allow Execution' effectively disables it. You will not get any protection from a TAP policy if you make this change.

If you make this change for the four Application Rules in the TAP (High Security) policy, TAP programs will be able to execute as if the TAP (High Security) policy wasn't applied, but you can see what events are being triggered by TAP and make policy adjustments accordingly.

The event details include information on the Application Group and TAP application. This allows you to gather details to understand if it's a legitimate use case. You can perform some actions to incorporate the legitimate use case into the TAP (High Security) policy.

• Use the High Flexibility Policy detailed below
• Edit the Matching Criteria detailed below
• Edit the Trusted Exploitable List detailed on the next page
• Remove Application from Trusted Application Group detailed on the next page
• Create an Allow Rule detailed on the next page

Use the High Flexibility Policy

Both the TAP policies offer additional protection against a wide range of attack vectors. If you are using the TAP (High Security) policy you can change to the TAP (High Flexibility) policy. This is useful if you have a use case where additional child processes of TAP applications are being blocked by the TAP (High Security) policy.

Edit the Matching Criteria

If your legitimate use case is running a specific command that is detailed in the event, you can add this to the matching criteria of the Application that's being blocked. You can use the standard Defendpoint matching criteria such as 'Exact Match' or 'Regular Expressions'.

Example
Webex uses an extension from Google Chrome. Avecto have catered for this in the policy using matching criteria.

The criteria say:


If the Parent Process matches the (TAP) High Security - Browsers application group for any parent in the tree,
and the Product Description contains the string 'Windows Command Processor',
and the Command Line does NOT contain '\\.\pipe\chrome.nativeMessaging',

The TAP policy (High Security) will block the process.
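To make the trust criteria of the two policies (page 29) and the Webex matching-criteria exception just shown concrete, here is an added Python model of the child-process decision. It is not Avecto's implementation and not code from this guide: the executable names standing in for the Browsers and Content Handlers groups, the one-entry blacklist (the real list is on page 157), the trust flags and the process tree are all constructed sample data. The ancestry walk reflects the guide's statement that High Security evaluates every parent in the tree while High Flexibility checks only the immediate child.

```python
"""Constructed model of the TAP child-process decision under the High Security
and High Flexibility policies. Added illustration only, not Avecto's code:
executable names, blacklist contents, trust flags and the tree are sample data."""
from dataclasses import dataclass
from typing import Dict, Iterator, Optional

# Assumed file names for members of the Browsers / Content Handlers groups.
TAP_APPS = {"chrome.exe", "firefox.exe", "winword.exe", "acrord32.exe"}

# Constructed stand-in for the TAP blacklist (the guide keeps the real list on page 157).
BLACKLIST = {"powershell.exe"}

# Command-line fragment from the guide's Webex / Chrome native messaging example.
NATIVE_MESSAGING_PIPE = r"\\.\pipe\chrome.nativeMessaging"


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    name: str
    description: str = ""              # 'Product Description' matching field
    cmdline: str = ""                  # 'Command Line' matching field
    trusted_publisher: bool = False    # signed; certificate valid, in date, not revoked
    trusted_owner: bool = False        # owner is Administrators, SYSTEM or TrustedInstaller
    source_url: Optional[str] = None   # download origin recorded by the browser
    zone_identifier: bool = False      # Avecto ADS tag written by the browser


def ancestors(tree: Dict[int, Proc], pid: int) -> Iterator[Proc]:
    """Walk from the process's parent up to the root of the tree."""
    p = tree[pid]
    while p.ppid is not None and p.ppid in tree:
        p = tree[p.ppid]
        yield p


def has_trust_evidence(p: Proc) -> bool:
    """Any one of the four criteria satisfies both TAP policies."""
    return bool(p.trusted_publisher or p.trusted_owner or p.source_url or p.zone_identifier)


def under_tap_application(tree: Dict[int, Proc], pid: int, policy: str) -> bool:
    """High Security looks at every ancestor; High Flexibility only at the immediate parent."""
    if policy == "High Security":
        return any(a.name.lower() in TAP_APPS for a in ancestors(tree, pid))
    parent = tree.get(tree[pid].ppid)
    return parent is not None and parent.name.lower() in TAP_APPS


def evaluate(tree: Dict[int, Proc], pid: int, policy: str) -> str:
    """Return 'block', 'allow', or 'not evaluated' (left to later workstyles)."""
    p = tree[pid]
    if not under_tap_application(tree, pid, policy):
        return "not evaluated"
    if p.name.lower() in BLACKLIST:
        return "block"  # blacklist applies irrespective of publisher and owner
    # The guide's Webex exception: a command processor started for Chrome native
    # messaging does not match the untrusted-child definition, so TAP does not act.
    if "Windows Command Processor" in p.description and NATIVE_MESSAGING_PIPE in p.cmdline:
        return "not evaluated"
    return "allow" if has_trust_evidence(p) else "block"


# Constructed sample tree: Chrome downloads an installer, which then starts PowerShell.
SAMPLE_TREE: Dict[int, Proc] = {
    1: Proc(1, None, "explorer.exe", trusted_owner=True),
    2: Proc(2, 1, "chrome.exe", trusted_publisher=True),
    3: Proc(3, 2, "setup.exe", source_url="https://downloads.example.test/setup.exe"),
    4: Proc(4, 3, "powershell.exe", trusted_owner=True),
    5: Proc(5, 2, "cmd.exe", description="Windows Command Processor",
            cmdline=r'cmd.exe /c "\\.\pipe\chrome.nativeMessaging.a1b2c3"'),
    6: Proc(6, 2, "cmd.exe", description="Windows Command Processor",
            cmdline="cmd.exe /c echo hello"),
}

if __name__ == "__main__":
    for pid, proc in SAMPLE_TREE.items():
        print(f"{proc.name:16} High Security: {evaluate(SAMPLE_TREE, pid, 'High Security'):14}"
              f" High Flexibility: {evaluate(SAMPLE_TREE, pid, 'High Flexibility')}")
```

Process 4 reproduces the footnote on page 29: PowerShell started by a downloaded installer is blocked by High Security (it is blacklisted, so its trusted owner does not help) but is never evaluated by High Flexibility, because its immediate parent is the installer rather than the browser. Process 5 is the Webex case, where the command line carries the native messaging pipe and the untrusted-child definition therefore does not match.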

Edit the Trusted Exploitable List

If your legitimate use case is using an application that is listed on either the 'Browsers - Trusted Exploitables' or the 'Content Handlers - Trusted Exploitables' list, you can remove it.

If you remove it from either list, any browsers or content that use that trusted exploitable to run malicious content won't be stopped by the TAP (High Security) policy.

Remove Application from Trusted Application Group

You can remove the application that is listed in the Trusted Browsers or Trusted Content Handlers groups from the list. This will mean that application no longer benefits from the protection offered by either of the TAP policies.

Create an Allow Rule

You can also add a Defendpoint Allow Rule and place it higher in the precedence order than the TAP (High Security) policy. This will allow your use case to run, but it also overrides any subsequent rules that apply to that application, so it should be used with caution.

Trusted Application Protection Reporting
Trusted Application Protection (TAP) is reported in Enterprise Reporting. You can use the top level TAP dashboard to view the TAP incidents over the time period, split by type of TAP application. In the same dashboard you can also see the number of incidents, targets, users and hosts for each TAP application.


Chapter 5 - Defendpoint Policies for Windows
A Defendpoint policy for Windows is built up with the following optional components:

• Workstyles detailed on the next page
  • A workstyle is part of a policy. It's used to assign application rules for users. You can create workstyles using the Workstyle Wizard or import them.

• Application Groups detailed on page 51
  • Application Groups are used by Workstyles to group applications together to apply certain Defendpoint behavior.

• Content Groups detailed on page 71
  • Content groups are used by Workstyles to group content together to apply certain Defendpoint behavior.

• Messages detailed on page 73
  • Messages are used by Workstyles to provide information to the end user when Defendpoint has applied certain behavior that you've defined and need to notify the end-user.

• Custom Tokens detailed on page 86
  • Custom Tokens are used by Workstyles to assign custom privileges to content or application groups.

Avecto have produced a pre-built QuickStart policy that is configured with Privilege Management and Application Control. For more information on the Avecto Quick Start policy, see QuickStart Policy Summary detailed on page 24.

5.1 - Policy Administration
You can import pre-built Defendpoint policies, see Import Template detailed on page 21 for more information on template policies.

5.1.1 - Advanced Agent Settings
The Advanced Agent Settings section allows you to configure and deploy additional registry based settings to Defendpoint Clients.

1. Right-click the top level Defendpoint Settings node and click Advanced Agent Settings.
2. Select either 32-bit Agent Values if you want to configure a 32-bit registry setting, or 64-bit Agent Values for a 64-bit registry setting.
3. Click Add Value. A new line is added to the advanced agent settings list.
4. Double-click the 'Value Name' for the new setting, and enter the value name.
5. Choose the correct Type, either 'DWORD', 'String' or 'Multi-String'.
6. Double-click the 'Value Data' for the new setting, and enter the value data. For DWORD values, you can toggle the display type between Hexadecimal and Decimal.
7. Click OK to save your changes.


Each advanced agent setting adheres to Group Policy precedence rules. If advanced agent settings are configured in multiple Group Policies, then the Group Policy with the highest precedence will be applied (except for multi-string settings, which will be merged and consolidated by the Defendpoint Client).

Advanced Agent Settings should only be used when instructed to do so by Avecto Support.

5.1.2 - Advanced Policy Editor Settings
Sandboxing settings are always available for you to configure if your policy has sandboxing in it. If you would like to configure sandboxing for your policy but it doesn't yet contain sandboxing, please follow these instructions.

Configuring Sandboxing Settings
1. Right-click on the Windows node and click Advanced Policy Editor Settings. The Advanced Policy Editor Settings dialog box appears.
2. Click the Show Sandboxing Settings check box. This allows you to subsequently configure sandboxing in Defendpoint.

All of the sandboxing settings, such as URL groups, are now visible in the interface. Features relating to Sandboxing are documented in the Sandboxing Guide for ease of use.

5.2 - Workstyles
Defendpoint workstyles are used to assign Application Groups detailed on page 51 for a specific user, or group of users. The Workstyle wizard can generate Application Rules depending on the type of Workstyle you choose. See Creating Workstyles detailed on page 36 for more information.


5.2.1 - Workstyle Properties
To edit the advanced properties for a workstyle:

1. Expand the Workstyles node and select the relevant workstyle.
2. Right-click and select Edit Workstyle Options.

Privilege Monitoring
Defendpoint has the ability to monitor the behavior of specific privileged applications and processes in Windows, a feature called privilege monitoring. Privilege monitoring is enabled as an auditing option in the properties of an application rule or an on-demand application rule. When enabled, Defendpoint records all privileged operations performed by the application or process that would fail under a standard user account. These include file operations, registry operations, and any interactions with other components such as Windows services.

The application must be running under a privileged account, such as an administrator or power user. Alternatively an application could be running with elevated privileges because you have added it to the Application Rules or On-Demand Application Rules section of the workstyle and assigned it to run with admin rights.

Privilege monitoring logs are recorded on each endpoint, and the logs can be accessed using the Defendpoint Reporting MMC snap-in. The configuration of privilege monitoring logs is applied to each workstyle.


For more information about privilege monitoring contact your Avecto consultant.

Privilege Monitoring Events

Log Monitoring Event to Application Event Log – This option will log an event to the application event log, the first time an application performs a privileged operation.

Log Cancel Events (when user cancels message) – This option will raise an event when a user cancels an End User Message, either by clicking the Cancel button, Email button, or clicking a Hyperlink. The action performed by the user is available as a Policy Parameter [PG_ACTION], which can be used by the script to perform different audit actions based on the user interaction.

Privilege Monitoring Log Files

The following Privilege Monitoring options are available:

• Log Application Activity to Log Files – This option will enable logging of privileged activity to log files. The activity level can be set with the activity slider.

• Application Summary and Activity – This option logs information about the application and unique privileged activity (Default option).

• Application Summary and Detailed Activity – This option logs information about the application and all privileged activity.

• Maximum Activity Records Per Process – This option determines the maximum number of records that will be recorded per process (Default 100).

• Keep Application Activity Logs for – This option determines how long activity logs are kept before they will be purged (Default 14 days).

5.2.2 - Creating Workstyles
1. Navigate to the Windows > Workstyles node.
2. Right-click the Workstyles node and then click Create Workstyle on the top-right. The workstyle wizard is displayed.
3. You can optionally enter a license code at this stage or you can enter it later once the workstyle has been created.
4. You can choose from 'Controlling' or 'Blank' for your workstyle. A controlling workstyle allows you to apply rules for access to privileges and applications. A blank workstyle allows you to create an empty workstyle without any predefined elements. If you selected a blank workstyle the next screen is Finish as there is nothing to configure.
5. Filtering (Controlling workstyle only). This determines who will receive this workstyle. You can choose from Standard users only or everyone. If you apply it to everyone it will apply to Administrators. You can modify the filters and apply more detailed filtering once the workstyle has been created.
6. Capabilities (Controlling workstyle only). Allows you to choose Privilege Management and / or Application Control. If you don't select either capability the next screen is Finish. This workstyle would only contain filtering information.
7. Privilege Management (Controlling workstyle with the Privilege Management capability). Allows you to choose:
   • if you want to display a notification to the user when applications are elevated by Defendpoint.
   • how you want to manage Windows User Account Control (UAC) prompts.
   • if you want to allow the on-demand elevation of applications.


If you select 'Present users with a challenge code' from the drop-down you are prompted to configure the Challenge and Response functionality at the end of creating your workstyle if your policy doesn't already have one.

8. Application Control (Controlling workstyle with the Application Control capability). Allows you to choose:
   • how you want to apply application control. You can choose from a whitelist or blacklist approach. We recommend you use a whitelist approach.
   • if you selected 'As a whitelist' - How you want to handle non-whitelisted applications.
   • if you selected 'As a blacklist' - How you want to handle blacklisted applications.

9. Finish. Allows you to enter a Name and Description for your new policy. If the workstyle has been configured to use a Challenge / Response message and the policy doesn't have an existing key, you will be asked to set a key. See Challenge / Response Authorization detailed on page 81 for more information. You can select the check box on this screen to activate this workstyle immediately or you can leave the check box cleared to continue to configure the workstyle before you apply it to your endpoints.

Depending on the type of workstyle you created and any capabilities that have been included, Defendpoint will auto-generate certain Application Groups detailed on page 51 (containing rules), Content Groups detailed on page 71, Messages detailed on page 73 and Custom Tokens detailed on page 86. Filters are applied and subsequently configured as part of the workstyle.

Disabling / Enabling Workstyles
You can enable or disable workstyles to stop them being processed by the Defendpoint Client.

To enable / disable a workstyle:
1. Navigate to the policy and select the Workstyles node. You can see which policies are disabled and enabled in the list.
2. Right-click on the workstyle and click Disable Workstyle to disable it or Enable Workstyle to enable it.

In the above example, the General Rules workstyle is enabled and the High Flexibility workstyle is disabled.

Workstyle Precedence
If you have multiple workstyles they are evaluated in the order that they are listed in. Workstyles that are higher in the list have a higher precedence. Once an application matches a workstyle, no further workstyles are processed for that application, so it is important that you order your workstyles correctly because an application could match more than one workstyle.

To change the precedence of a workstyle:
1. Select Windows > Workstyles from the left-hand pane.
2. Right-click and choose from the options: Move Top, Move Up, Move Down, Move Bottom as required.

Changes are automatically saved.
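The first-match rule described above, together with the caution on page 32 about an Allow Rule placed above the TAP workstyle, can be checked with the following added Python model. It is not Avecto's code and not from this guide: the workstyle names, the application group memberships and the rules are constructed sample data, and matching is reduced to the executable's file name so that only the ordering logic is on show.

```python
"""Constructed model of Defendpoint workstyle and application-rule precedence.
Added illustration, not Avecto's code: workstyle names, group memberships and
rules are sample data, and matching is reduced to the executable's file name."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AppRule:
    group: str      # target application group
    action: str     # 'Allow Execution' or 'Block Execution'
    token: str = "Passive (no change)"


@dataclass
class Workstyle:
    name: str
    enabled: bool = True
    rules: List[AppRule] = field(default_factory=list)


# Constructed membership of application groups (executable names only).
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "Browsers - Untrusted child processes": {"cmd.exe", "powershell.exe"},
    "Helpdesk Tools": {"cmd.exe"},
}


def first_match(policy: List[Workstyle], exe: str) -> Optional[Tuple[str, str, str]]:
    """Evaluate enabled workstyles top to bottom and their rules top to bottom.
    The first rule whose group contains the executable decides; nothing below it
    is consulted, which is the precedence behaviour the guide describes."""
    for ws in policy:
        if not ws.enabled:
            continue  # disabled workstyles are skipped by the client
        for rule in ws.rules:
            if exe.lower() in GROUP_MEMBERS.get(rule.group, set()):
                return ws.name, rule.action, rule.token
    return None  # no workstyle matched


def move_top(policy: List[Workstyle], name: str) -> List[Workstyle]:
    """Return a new ordering with the named workstyle first (the console's 'Move Top')."""
    chosen = [ws for ws in policy if ws.name == name]
    others = [ws for ws in policy if ws.name != name]
    return chosen + others


TAP = Workstyle("Trusted Application Protection - High Security",
                rules=[AppRule("Browsers - Untrusted child processes", "Block Execution")])
HELPDESK = Workstyle("Helpdesk Elevation",
                     rules=[AppRule("Helpdesk Tools", "Allow Execution", "Add Admin Rights")])

AS_IMPORTED = [TAP, HELPDESK]            # the TAP template lands at the top
HELPDESK_FIRST = move_top(AS_IMPORTED, "Helpdesk Elevation")


if __name__ == "__main__":
    for label, order in (("as imported", AS_IMPORTED), ("allow rule moved top", HELPDESK_FIRST)):
        print(label, "cmd.exe ->", first_match(order, "cmd.exe"))
        print(label, "powershell.exe ->", first_match(order, "powershell.exe"))
```

With the template order, cmd.exe hits the TAP block rule and the helpdesk workstyle is never reached; once the allow workstyle is moved to the top, the same executable is allowed with admin rights and TAP no longer sees it, which is exactly the override the guide warns about. PowerShell is unaffected by the reorder because it is not in the helpdesk group, so it still falls through to TAP.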

5.2.3 - Workstyle Summary
The Workstyle Summary shows you, at a glance, and allows you to configure the following elements of a workstyle. It is split into these tabs across the top:

Some of these tabs may not be displayed if they've not been configured in your policy.

• Overview detailed below
• Application Rules detailed on the next page
• On-Demand Application Rules detailed on page 40
• Content Rules detailed on page 43
• General Rules detailed on page 46
• Filters detailed on page 48

5.2.4 - Overview
The Overview tab allows you to quickly access the following features of your policy:

• General
  • Allows you to edit the description of your workstyle and enable or disable it.

• Totals
  • Allows you to configure the following types of rule:
    • Application Rules detailed on the next page
    • On-Demand Application Rules detailed on page 40
    • Content Rules detailed on page 43

• Trusted Application Protection
  • Allows you to configure the following type of rule:
    • Trusted Application DLL Protection detailed on page 44

• General Rules
  • Allows you to configure the following General Rules:
    • Allow the User to Unlock a Shared Workstation detailed on page 46
    • Collect User Information detailed on page 46
    • Collect Host Information detailed on page 47
    • Prohibit Privileged Account Management detailed on page 47
    • Enable Windows Remote Management Connections detailed on page 48


• Filters
  • Allows you to configure the following Filters:
    • Account Filters detailed on page 49
    • Computer Filters detailed on page 49
    • Time Range Filters detailed on page 50
    • Expiry Filter detailed on page 50
    • WMI (Windows Management Instrumentation) Filters detailed on page 51

5.2.5 - Application Rules
Application rules are applied to Application Groups detailed on page 51. Application rules can be used to enforce whitelisting, monitoring and assigning privileges to groups of applications. They are a set of rules that apply to the applications listed in the application group.

You need an Application Group before you can create an Application Rule, see Creating Application Groups detailed on page 52.

Inserting an Application Rule
1. Click Application Rules to view, create or modify the following for each application rule:

Option – Description
Target Application Group – Select from the Application Groups detailed on page 51 list.
Action – Select from 'Allow Execution' or 'Block Execution'. This is what will happen if the application in the targeted application group is launched by the end-user.
End User Message – Select if a message will be displayed to the user when they launch the application. Messages are recommended if you're blocking the execution of the application so the end user has some feedback on why the application doesn't launch.


Access Token – Select the type of token to be used for the target application group. You can select from:
• Passive (no change) – doesn't make any change to the user's token. This is essentially an audit feature.
• Enforce User's default rights – removes all rights and uses the user's default token. Windows UAC always tries to add administration rights to the token being used, so if the user clicked on an application that triggers UAC, the user would not be able to progress past the UAC prompt.
• Drop Admin Rights – removes administration rights from the user's token.
• Add Admin Rights – adds administration rights to the user's token.
See https://msdn.microsoft.com/en-gb/library/windows/desktop/aa374909(v=vs.85).aspx for more information on access tokens.

Auditing
Raise an Event – Whether or not you want an event to be raised if this application rule is triggered. This will forward to the local event log file.
Run a Script – You can choose to run a script if an event is raised.
Privilege Monitoring – Raises a privilege monitoring event.

McAfee ePO Reporting Options
This option is only available if you selected the McAfee integration check box when you installed the Defendpoint Management Console.
ePO Queries and Reports – Select this option to raise an ePO Threat event. These are separate from Defendpoint reporting events.
Avecto Reporting (in ePO) – Select this option to raise a Defendpoint Reporting event. These are available in Avecto Reporting.

Application Rule Precedence
If you add more than one application rule to a workstyle, then entries that are higher in the list will have a higher precedence. Once an application matches an application rule, no further rules or workstyles will be processed. If an application could match more than one workstyle or rule, then it is important that you order both your workstyles and rules correctly. You can move application rules up and down to change the precedence.

5.2.6 - On-Demand Application Rules
The On-Demand Application Rules tab of the workstyle allows you to create rules to launch applications with specific privileges (usually admin rights), on-demand from a right-click Windows context menu.


Enabling and Configuring On-Demand Integration
To enable on-demand application rules, select the On-Demand Application Rules workstyle tab. The first check box applies to all versions of Windows that have the Run as administrator option. The second two check boxes apply to the Classic Windows Shell only. They do not apply to the Windows Modern UI that is available in Windows 8 and Windows 10.

Windows Modern UI
If an On-Demand application rule is triggered, Defendpoint references the check box labeled Apply the on-demand application rules to the “Run as administrator”. If the check box is selected, Defendpoint intercepts the Run as administrator option in the right-click context menu and overrides it. The labeling of the option doesn’t change in this instance. If the check box is cleared, Defendpoint does not intercept the option to Run as Administrator.

Defendpoint also references the check box labeled Hide “Run as” and “Run as administrator” commands in the Classic Shell context menu. If it is selected, these options, where present, are hidden from the right-click context menu. Defendpoint does not continue to process additional application rules.

Windows Classic Shell
If an On-Demand application rule is triggered, Defendpoint references the check box in the Classic Shell Context Menu Options section labeled Apply custom on-demand option to the Classic Shell context menu (this won’t affect the “Run as administrator” option). If the check box is selected, Defendpoint adds a new option to the right-click context menu that you have configured in the Classic Shell Context Menu Option section, for example 'Run with Defendpoint'.

Defendpoint also references the check box labeled Hide “Run as” and “Run as administrator” commands in the Classic Shell context menu. If it is selected, these options, where present, are hidden from the right-click context menu. Defendpoint does not continue to process additional application rules.

Unlike Application rules, the On-Demand rules list will only receive the assigned privileges if the user launches a relevant application using the context menu.


Managing Languages
The menu option that is displayed can be configured for multiple languages. Defendpoint will detect the regional language of the end user, and if a message in that language has been configured, the correct translation will be displayed.

To add a new menu option translation:

1. In the On-Demand Application rules click the Add Language button.
2. The Add Language dialog box appears. Select the correct language and then click OK.
3. A new text box for the selected language appears.
4. Enter your own translation for the selected language and click Save in the left-hand pane.

If a language cannot be matched for the region of the end user, then the default language will be displayed. To change the default language, select the desired language and click Set As Default.

Creating an On-Demand Rule
On-Demand rules are not checked by Defendpoint unless you have enabled them in the top section, see Enabling and Configuring On-Demand Integration detailed on the previous page for more information.

1. Right-click and select Insert Application Rule to view, create or modify the following for each on-demand application rule:

Option – Description
Target Application Group – Select from the Application Groups detailed on page 51 list.
Action – Select from 'Allow Execution' or 'Block Execution'. This is what will happen if the application in the targeted application group is launched by the end-user.
End User Message – Select if a message will be displayed to the user when they launch the application. Messages are recommended if you're blocking the execution of the application so the end user has some feedback on why the application doesn't launch.


Access Token – Select the type of token to be used for the target application group. You can select from:
• Passive (no change) – doesn't make any change to the user's token. This is essentially an audit feature.
• Enforce User's default rights – removes all rights and uses the user's default token. Windows UAC always tries to add administration rights to the token being used, so if the user clicked on an application that triggers UAC, the user would not be able to progress past the UAC prompt.
• Drop Admin Rights – removes administration rights from the user's token.
• Add Admin Rights – adds administration rights to the user's token.
See https://msdn.microsoft.com/en-gb/library/windows/desktop/aa374909(v=vs.85).aspx for more information on access tokens.

Auditing
Raise an Event – Whether or not you want an event to be raised if this application rule is triggered. This will forward to the local event log file.
Run a Script – You can choose to run a script if an event is raised.
Privilege Monitoring – Raises a privilege monitoring event.

McAfee ePO Reporting Options
This option is only available if you selected the McAfee integration check box when you installed the Defendpoint Management Console.
ePO Queries and Reports – Select this option to raise an ePO Threat event. These are separate from Defendpoint reporting events.
Avecto Reporting (in ePO) – Select this option to raise a Defendpoint Reporting event. These are available in Avecto Reporting.

5.2.7 - Content Rules
Content rules define the actions Defendpoint takes when content, such as a file, is launched by the user.

You need a Content Group before you can create a Content Rule, see Content Groups detailed on page 71.

Insert a Content Rule
1. Click Content Rules to view, create or modify the following for each content rule:


Target Content Group: Select from the Content Groups detailed on page 71 list.

Action: Select from 'Allow Modification' or 'Block Access'. This is what will happen if the user tries to access the content.

End User Message: Select if a message will be displayed to the user when they try to access the content. Messages are recommended if you're blocking content from being accessed so the end user has some feedback.

Access Token: Select the type of token to be passed to the application that opens the target content. You can select from:

Passive (no change) - doesn't make any change to the user's token. This is essentially an audit feature.

Enforce User's default rights - removes all rights and uses the user's default token. Because Windows UAC always tries to add administration rights to the token in use, a user who launches an application that triggers UAC will not be able to progress past the UAC prompt.

Drop Admin Rights - removes administration rights from the user's token.

Add Admin Rights - adds administration rights to the user's token.

See https://msdn.microsoft.com/en-gb/library/windows/desktop/aa374909(v=vs.85).aspx for more information on access tokens.

Auditing

Raise an Event: Whether or not you want an event to be raised if this content rule is triggered. The event is forwarded to the local event log.

Run a Script: You can choose to run a script if an event is raised.

McAfee ePO Reporting Options

This option is only available if you selected the McAfee integration check box when you installed the Defendpoint Management Console.

ePO Queries and Reports: Select this option to raise an ePO Threat event. These are separate from Defendpoint reporting events.

Avecto Reporting (in ePO): Select this option to raise a Defendpoint Reporting event. These are available in Avecto Reporting.

5.2.8 - Trusted Application DLL Protection

Defendpoint can dynamically evaluate DLLs for trusted applications for each workstyle. The first workstyle to have DLL Control 'Enabled' or 'Disabled' causes any configuration of DLL Control in subsequent workstyles to be ignored.

Unless a DLL has a trusted publisher and a trusted owner, it is not allowed to run within the TAP application.

Trusted Publisher
- A DLL from a trusted publisher must be signed. In addition, the publisher certificate must be valid, in date and not revoked.

Trusted Owner
- A trusted owner is any owner that is in the default Windows groups 'Administrators', 'SystemUser' or 'TrustedInstaller'.

TAP DLL control affects the following applications:
- Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Microsoft Publisher, Adobe Reader 11 and lower, Adobe Reader DC, Microsoft Outlook, Google Chrome, Mozilla Firefox, Microsoft Internet Explorer, Microsoft Edge

You can turn on the monitoring of DLLs for TAP applications in any workstyle. However, the first workstyle to have DLL Control 'Enabled' or 'Disabled' causes any configuration of DLL Control in subsequent workstyles to be ignored.

Configure Trusted Application DLL Protection

1. Click Trusted Application DLL Protection, then click Configure to administer how DLLs are handled for TAP applications.

Trusted Application Protection (DLL): Select 'Enabled', 'Disabled' or 'Not Configured' from the drop-down. The first workstyle to be evaluated that has DLL Control 'Enabled' or 'Disabled' is matched by Defendpoint, meaning subsequent workstyles are not evaluated by Defendpoint.

Action: Select from 'Allow Execution' or 'Block Execution'. This is what will happen if the DLL in the TAP application tries to run.

End User Message: Select if a message will be displayed to the user when the DLL tries to run (regardless of whether it is allowed to run). Messages are recommended if you're blocking a DLL from running so the end user has some feedback.

Auditing

Raise an Event: Whether or not you want an event to be raised if the TAP application tries to run a DLL. The event is forwarded to the local event log.

McAfee ePO Reporting Options

ePO Threat Events: Select this option to raise an ePO Threat event. These are separate from Defendpoint reporting events.

Defendpoint Reporting Events: Select this option to raise a Defendpoint Reporting event. These are available in Avecto Reporting.

Exclusions

Exclude DLLs from Rule: Enter DLLs here that you want to exclude from DLL Control for TAP Applications. These are DLLs that have either an untrusted owner or an untrusted publisher, but that you still want to be allowed to run with DLL Control for TAP enabled in the workstyle. This list of DLLs is not validated: if a listed DLL name isn't matched by the client, nothing is excluded, so check the spelling of each entry.

Third party applications may give error messages that aren't immediately clear to the end user when a DLL is blocked from running in a TAP application by Defendpoint.
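Before enabling DLL Control with 'Block Execution', it helps to know which DLLs a TAP application is already loading that would fail the trusted publisher and trusted owner tests. The script below is an added example, not Avecto's code or part of the guide; it approximates the decision described above on the local machine. Assumptions made here and not stated by the guide: 'SystemUser' is taken to mean the SYSTEM account, "valid, in date and not revoked" is taken to mean Get-AuthenticodeSignature reports a Status of Valid, and exclusions are matched on file name only. The exclusion name passed at the end is a constructed placeholder.

```powershell
# Added example (not Avecto's code): approximate the TAP DLL Control decision
# for DLLs on disk, so you can see what a workstyle with DLL Control 'Enabled'
# and Action 'Block Execution' would block before you turn it on.
# Assumptions (mine, not stated by the guide): 'SystemUser' means the SYSTEM
# account; "valid, in date and not revoked" maps to Get-AuthenticodeSignature
# reporting a Status of Valid; and exclusions are matched on file name only.

$TrustedOwnerSids = @(
    'S-1-5-32-544'  # BUILTIN\Administrators
    'S-1-5-18'      # NT AUTHORITY\SYSTEM
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

function Test-TapDllTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $ExcludedDlls = @()   # names entered under "Exclude DLLs from Rule"
    )
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $r = [ordered]@{ Path = $item.FullName; Publisher = '(unsigned)'; Owner = $null; Decision = 'Block'; Reason = $null }

    # The exclusion list is not validated by the console, so match the exact
    # file name here the way the client would.
    if ($ExcludedDlls -contains $item.Name) {
        $r.Decision = 'Allow'; $r.Reason = 'excluded by name'
        return [pscustomobject]$r
    }

    # Trusted publisher: the signature must chain to a trusted root and pass
    # timestamp and revocation checks. This does not search the Windows
    # security catalog separately, so some catalog-signed OS DLLs may report
    # NotSigned on older systems.
    $sig = Get-AuthenticodeSignature -FilePath $item.FullName
    if ($sig.SignerCertificate) { $r.Publisher = $sig.SignerCertificate.Subject }
    $publisherOk = ($sig.Status -eq 'Valid')

    # Trusted owner: compare the owner SID rather than the display name, so a
    # local account that happens to be called "TrustedInstaller" does not pass.
    $acl = Get-Acl -LiteralPath $item.FullName
    $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    $r.Owner = "$($acl.Owner) [$ownerSid]"
    $ownerOk = $TrustedOwnerSids -contains $ownerSid

    if ($publisherOk -and $ownerOk) {
        $r.Decision = 'Allow'; $r.Reason = 'trusted publisher and trusted owner'
    } else {
        $r.Reason = 'publisher: {0}; owner: {1}' -f $sig.Status, $(if ($ownerOk) { 'trusted' } else { 'untrusted' })
    }
    [pscustomobject]$r
}

# Usage: list the DLLs currently loaded by a TAP application (Chrome here)
# that the rule would block. Run as the same user that launched the browser.
$loaded = Get-Process -Name chrome -ErrorAction SilentlyContinue | ForEach-Object {
    try { $_.Modules | Select-Object -ExpandProperty FileName } catch { }   # 32/64-bit mismatches throw
}
$loaded | Where-Object { $_ -like '*.dll' } | Sort-Object -Unique |
    ForEach-Object { Test-TapDllTrust -Path $_ -ExcludedDlls 'example_plugin.dll' } |   # constructed exclusion name
    Where-Object { $_.Decision -eq 'Block' } |
    Format-Table Publisher, Owner, Reason, Path -AutoSize
```

Anything this lists with an untrusted owner is usually a DLL dropped into a user-writable location by an installer that ran as the user; re-installing the software from an elevated context so that Administrators owns the files is a cleaner fix than adding the name to the exclusion list.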

5.2.9 - General Rules

1. To view or edit the General Rules of a Workstyle, select Windows > Workstyles > 'Workstyle Name' > General Rules from the policy tree.

Allow the User to Unlock a Shared Workstation

This feature adds the ability for IT to grant a privilege to specific users that will allow them to 'unlock' a Windows XP desktop which is currently logged in as another user.

This feature of Windows is only available on Windows XP, and only for domain joined machines. In principle, if a user has logged into a desktop and locked it, then only that user or another user with administrative rights has the ability to 'unlock' the desktop. When the desktop is 'unlocked by another user', the currently logged on user session is forcibly logged off, and the desktop returns to the CTRL+ALT+DEL logon screen.

The option is a Group Policy-style tri-state option. The three options are:

- Enabled - The privilege will be enabled for the user, and the agent will stop evaluating further policies
- Not Configured - The policy will be ignored, and the agent will evaluate the next matching policy
- Disabled - The privilege will be removed from the user, and the agent will stop evaluating further policies

The default setting for a new policy is Not Configured, so the policy is ignored until you change it.

Collect User Information

This rule, when enabled, will raise an audit event each time a user logs on to the client machine. The audit event will collect the following information, which is reported through the Enterprise Reporting pack:

- Logon Time - The date and time the user logged on.
- Is Administrator - The client will check whether the user account has been granted local administrator rights, either directly or through group membership.
- Session Type - The type of logon session, for example, console, RDP, ICA.
- Session Locale - The regional settings of the user session / profile.
- Logon Client Session Hostname - The hostname of the client the user is logging on from. This will be either the local computer (for console sessions) or the remote device name (for remote sessions).
- Logon Client Session IP Address - The IP address of the client the user is logging on from. This will be the address of either the local computer (for console sessions) or the remote device (for remote sessions).


For more information on user information reporting, refer to the Avecto Defendpoint Reporting guides.

Collect Host Information

This rule, when enabled, will raise an audit event on computer start-up or when the Defendpoint Client service is started. The audit event will collect the following information, which is reported through the Enterprise Reporting pack:

- Instance ID - A unique reference identifying a specific service start event.
- OS Version - The name and version of the operating system, including service pack.
- Chassis Type - The type of chassis of the client, for example, workstation, mobile, server, VM.
- Language - The default system language.
- Location - The current region and time zone of the device.
- Client Version - The version of the Defendpoint Client.
- Client Settings - The type of installation and current settings of the Defendpoint Client.
- System Uptime - Time since the computer booted.
- Unexpected Service Start - Only added if the service has unexpectedly started (that is, the previous start was not followed by a service stop).

An additional event will be raised when the computer shuts down, or when the Defendpoint Client service is stopped:

- Instance ID - A unique reference identifying the last service start event.
- Computer Shutdown - Value identifying whether the service stopped as part of a computer shutdown event.

This option is only available in policies set under the Computer Configuration Group Policy.

For more information on computer information reporting, refer to the Avecto Defendpoint Reporting guides.

Prohibit Privileged Account Management

This rule, when enabled, blocks users from modifying local privileged group memberships. This prevents real administrators, or applications which have been granted administrative rights through Defendpoint, from adding, removing or modifying a privileged account.

The local privileged groups that are prohibited from modification when this rule is enabled are:
- Built-in Administrators
- Power Users
- Account Operators
- Server Operators
- Printer Operators
- Backup Operators
- RAS Servers group
- Network Configuration Operators

This rule provides three options:
- Not Configured - This workstyle will be ignored.
- Enabled - The user will not be able to add, remove or modify user accounts in local privileged groups.
- Disabled - Default behavior based on the user's rights or those of the application.


Enable Windows Remote Management Connections

This rule, when enabled, authorizes standard users who match the workstyle to connect to a computer remotely via WinRM, which would normally require local administrator rights. This general rule supports remote PowerShell command management, and must be enabled in order to allow a standard user to execute PowerShell scripts and/or commands.

See Inserting Remote PowerShell Commands detailed on page 65 for more information on configuring remote PowerShell.

In order to allow remote network connections, you may be required to enable the Windows Group Policy setting 'Access this computer from the network'. For more information, see: http://technet.microsoft.com/en-us/library/cc740196(v=WS.10).aspx.

5.2.10 - Filters

1. To view or edit the filters of a Workstyle, select Windows > Workstyles > 'Workstyle Name' > Filters from the policy tree. The Filters section is last in the list on the right.

The Filters tab of a workstyle can be used to further refine when a workstyle will actually be applied.

By default, a workstyle will apply to all users/computers who receive it. However, you can add one or more filters that will restrict the application of the workstyle:

- Account Filter - This filter restricts the workstyle to specific users or groups of users.
- Computer Filter - This filter will restrict the workstyle to specific computers (names or IP addresses), or Remote Desktop clients.
- Time Filter - This filter will restrict the workstyle to being applied at particular days of the week and times of the day.
- Expiry Filter - This filter will expire a workstyle at a set date and time.
- WMI Filter - This filter will restrict the workstyle based on the success or failure of a WMI query.

If you want the workstyle to apply only if all filters match, select the option ALL filters must match from the drop-down menu. If you want the workstyle to apply when any filter matches, select the option ANY filter can match from the drop-down menu.


Filters can also be configured to apply if there are no matches. This is referred to as an 'exclude' filter. To set an exclude filter, right-click the filter and check the option Apply this filter if it does NOT match. (This does not apply to Time and Expiry filters.)

Time filters and Expiry filters can only be used once in a workstyle.

Account Filters

Account filters specify the users and groups the workstyle will be applied to.

When a new workstyle is created, a default account filter will be added to target either Standard users only, or Everyone (including administrators), depending on your selection in the workstyle wizard.

Configure Account Filters

1. On the Filter tab click Add a filter.
2. Click Add an Account Filter > Add a new account.
3. The Select Users or Groups dialog box appears.
4. Enter the relevant group or user accounts and click Check Names to validate the names, or alternatively click Advanced to browse for groups and users.
5. Click OK to save your changes.

Domain and well known accounts will display a Security Identifier (SID). The SID will be used by the Defendpoint Client, which avoids account lookup operations. For local accounts the name will be used by the Defendpoint Client, and the SID will be looked up when the workstyle is loaded by the client. Local Account will appear in the SID column of the accounts list for local accounts. Because local accounts are matched by name rather than by SID, a local account with the same name on any computer that receives the workstyle will match, so prefer domain accounts and groups where you need to target specific principals.

By default, an account filter will apply if any of the user or group accounts in the list match the user. If you have specified multiple user and group accounts within one account filter, and want to apply the workstyle only if all entries in the account filter match, then check the option All items below should match.

You can add more than one account filter if you want the user to be a member of more than one group of accounts for the workstyle to be applied.

If an account filter is added, but no user or group accounts are specified, a warning will be displayed advising No accounts added, and the account filter will be ignored.

If All items below should match is enabled, and you have more than one user account listed, the workstyle will never apply as the user cannot match two different user accounts.

Computer Filters

A computer filter can be used to target specific computers and remote desktop clients. You can specify a computer using either its host / DNS name, or by an IP address.

To restrict the workstyle to specific computers by IP address:
1. Select the Filters tab and click Add a new filter.
2. Click Add a Computer Filter > Add a new IP rule. The Add IP rule dialog box appears.
3. Enter the IP address manually, in the format 123.123.123.123.
4. Click Add.


If the computer filter is intended for matching the IP address of remote computers using remote desktop sessions, check the option Match the remote desktop (instead of the local computer).

You can also use the wildcard * in any octet to include all addresses in that octet range, for example 192.168.*.*. Alternatively, you can specify a particular range for any octet, for example 192.168.0.0-254. Wildcards and ranges can be used in the same IP address, but not in the same octet.

To restrict the workstyle to specific computers by hostname:
1. Select the Filters tab and click Add a Filter.
2. Click Add a Computer Filter > Add a new hostname rule. The Add hostname rule dialog box appears.
3. Enter one or more hostnames, separated by semicolons, or alternatively browse for one or more computers. You can use the * and ? wildcard characters in hostnames.
4. Click Add.
5. If the computer filter is intended for matching the hostname of remote computers using remote desktop sessions, check the option Match the remote desktop (instead of the local computer).

By default, a computer filter will apply if any of the computers or IP addresses in the list match the computer or client. If you have specified multiple entries, and want to apply the workstyle only if ALL entries in the computer filter match, then check the option All items below should match.

If a computer filter is added, but no host names or IP addresses are specified, a warning will be displayed advising No rules added, and the computer filter will be ignored.

A hostname or IP address identifies a machine, not a trustworthy identity; use computer filters to scope where a workstyle applies, and account filters to decide who it grants rights to.
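The octet wildcard and range syntax, the hostname wildcards, and the any/all and exclude combinations above are easy to get subtly wrong. The following is an added example, not part of the guide or Avecto's code: a local re-implementation of those matching rules so you can check a rule set against the addresses and names you expect before deploying the workstyle. It assumes (my reading of the text, not something the guide states) that each octet of an IP rule is an exact number, '*', or an inclusive range 'n-m', and that hostname wildcards behave like PowerShell's case-insensitive -like operator. The addresses and hostnames at the end are constructed test data.

```powershell
# Added example (not Avecto's code): re-implement the computer filter matching
# rules locally to test a rule set. Assumptions (mine): each IP octet is a
# number, '*' or an inclusive range 'n-m'; hostname rules use the same * and ?
# wildcards as PowerShell's -like, which is case-insensitive.

function Test-IpRule {
    param(
        [Parameter(Mandatory)] [string] $Rule,     # e.g. '192.168.*.*' or '192.168.0.0-254'
        [Parameter(Mandatory)] [string] $Address   # dotted quad to test
    )
    $ruleOctets = $Rule.Split('.')
    $addrOctets = $Address.Split('.')
    if ($ruleOctets.Count -ne 4 -or $addrOctets.Count -ne 4) {
        throw "Expected four octets in rule '$Rule' and address '$Address'"
    }
    for ($i = 0; $i -lt 4; $i++) {
        $r = $ruleOctets[$i]
        $a = [int]$addrOctets[$i]
        if ($r -eq '*') { continue }                           # wildcard: any value
        if ($r -match '^(\d{1,3})-(\d{1,3})$') {               # range: low-high inclusive
            if ($a -lt [int]$Matches[1] -or $a -gt [int]$Matches[2]) { return $false }
            continue
        }
        if ($r -match '^\d{1,3}$') {                           # exact octet
            if ($a -ne [int]$r) { return $false }
            continue
        }
        # Anything else, including a wildcard and a range in the same octet, is invalid.
        throw "Octet '$r' in rule '$Rule' must be a number, a range n-m, or *"
    }
    return $true
}

function Test-HostnameRule {
    param([Parameter(Mandatory)] [string] $Rule, [Parameter(Mandatory)] [string] $Hostname)
    return ($Hostname -like $Rule)   # -like understands * and ? and ignores case
}

function Test-ComputerFilter {
    # Combines rules the way the filter does: any rule matches by default, or
    # every rule must match when "All items below should match" is set; -Exclude
    # inverts the outcome ("Apply this filter if it does NOT match").
    param(
        [string[]] $IpRules = @(),
        [string[]] $HostnameRules = @(),
        [Parameter(Mandatory)] [string] $Address,
        [Parameter(Mandatory)] [string] $Hostname,
        [switch] $AllItemsMustMatch,
        [switch] $Exclude
    )
    $outcomes = @()
    foreach ($r in $IpRules)       { $outcomes += Test-IpRule -Rule $r -Address $Address }
    foreach ($r in $HostnameRules) { $outcomes += Test-HostnameRule -Rule $r -Hostname $Hostname }
    if ($outcomes.Count -eq 0) { return $false }   # "No rules added": the filter is ignored
    $matched = if ($AllItemsMustMatch) { -not ($outcomes -contains $false) } else { $outcomes -contains $true }
    if ($Exclude) { return -not $matched }
    return $matched
}

# Constructed test cases (not real hosts): the rule set is meant to cover the
# 192.168.10.0/24 engineering subnet and any machine named ENG-*, and nothing else.
$cases = @(
    @{ Address = '192.168.10.57'; Hostname = 'ENG-LAPTOP-12' },   # in subnet, name matches
    @{ Address = '192.168.11.3';  Hostname = 'SRV-FILE01'    },   # neither: must not match
    @{ Address = '10.0.0.200';    Hostname = 'ENG-VM-7'      }    # name matches only: matches under "any"
)
foreach ($c in $cases) {
    $any = Test-ComputerFilter -IpRules '192.168.10.0-254' -HostnameRules 'ENG-*' -Address $c.Address -Hostname $c.Hostname
    $all = Test-ComputerFilter -IpRules '192.168.10.0-254' -HostnameRules 'ENG-*' -Address $c.Address -Hostname $c.Hostname -AllItemsMustMatch
    '{0,-15} {1,-14} any={2,-5} all={3}' -f $c.Address, $c.Hostname, $any, $all
}
```

The third case is the one to notice: with the default "any" behaviour an ENG-* machine on an unexpected subnet still receives the workstyle, whereas "All items below should match" requires both the address and the name to agree.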

Time Range Filters

A time range filter can specify the hours of a day, and days of week, that a workstyle will be applied.

To restrict a workstyle to a specific date / time period of activity:
1. Select the Filters tab and click Add a new filter.
2. Click on Add a Time Filter > Edit time restrictions. The Time Restrictions dialog box appears.
3. Select 'Active' and 'Inactive' times in the time grid by either selecting individual elements or dragging over areas with the left mouse button held down.
4. Click OK.

Only one time filter can be added to a workstyle.

The time filter is applied based on the user's timezone by default. Clear the Use timezone of user for time restrictions (otherwise use UTC) check box to use UTC for the timezone.

Expiry Filter

An expiry filter specifies an expiry date / time for a workstyle.

To restrict a workstyle to an expiry date and time:
1. Select the Filters tab and click Add a new filter.
2. Click on Add an Expiry Filter.
3. Set the date and time that you want the workstyle to expire.

Only one expiry filter can be added to a workstyle.


The expiry time is applied based on the user's timezone by default. Clear the Use timezone of user for workstyle expiry (otherwise use UTC) check box to use UTC for the timezone.

Note that a standard user can change the time zone on Windows (the 'Change the time zone' user right is granted to Users by default), so if a workstyle grants rights for a limited window, evaluating the time and expiry filters in UTC keeps that window independent of a setting the user controls.

WMI (Windows Management Instrumentation) Filters

A WMI filter specifies if a workstyle should be applied, based on the outcome of a WMI query.

The filter allows you to specify the following:

- Description - Free text to describe the WMI query.
- Namespace - Set the namespace that the query will execute against. By default, this is root\CIMV2.
- Query - The WMI Query Language (WQL) statement to execute.
- Timeout - The time (in seconds) the client will wait for a response before terminating the query. By default, no timeout is specified.

Long running WMI queries will result in delayed application launches. Therefore it is recommended that a timeout is specified to ensure that queries are terminated in a timely manner.

When a WMI query is executed, the client will check if any rows of data are returned. If any data is returned, then the WMI query will be successful. If no data is returned or an error is detected in the execution, the WMI query will be unsuccessful. Because a timeout or an error counts as unsuccessful, a WMI filter set to Apply this filter if it does NOT match will make the workstyle apply whenever the query fails; avoid that combination on workstyles that add rights.

It is possible for many rows of data to be returned from a WMI query, in which case you can create more complex WQL statements using WHERE clauses. The more clauses you add to your statement, the fewer rows are likely to be returned, and the more specific your WMI query will be.

The WMI filter includes several default templates for common WMI queries. To add a new WMI query from a template, click Add a WMI template and use the instant search box to quickly find a template.

WQL statements can include parameterized values which allow you to execute queries including select user, computer and Defendpoint properties. To use parameters, see Windows Workstyle Parameters detailed on page 150.

WMI queries are always run as SYSTEM, and cannot be executed against remote computers or network resources. WMI filters do not support impersonation levels, and can only be used with SELECT queries.

By default, a WMI filter will apply if any of the WMI queries in the list return true. If you have specified multiple WMI queries, and want to apply the workstyle only if ALL queries return true, then check the option All items below should match.

If a WMI filter is added, but no WMI queries are specified, a warning will be displayed advising No queries added, and the WMI filter will be ignored.
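Because a WMI filter turns on whether the query returns any rows, it is worth running candidate WQL against a representative machine before putting it in a workstyle. The script below is an added example and not part of the guide or Avecto's code; it reproduces the decision rule above (rows returned means match, no rows or an error means no match) and the any/all combination. It assumes that Get-CimInstance's -OperationTimeoutSec option is a fair stand-in for the filter's Timeout setting, and it runs as the current user rather than as SYSTEM, so a query that depends on SYSTEM-only data may behave differently on the client. The queries are illustrative; the last one deliberately names a class that does not exist.

```powershell
# Added example (not Avecto's code): test WQL statements locally using the same
# success rule as a WMI filter. Assumptions (mine): -OperationTimeoutSec stands
# in for the filter's Timeout, and running as the current user instead of SYSTEM
# is close enough for the classes queried here.
function Test-WmiFilter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $Namespace = 'root\CIMV2',
        [int] $TimeoutSeconds = 10
    )
    try {
        $rows = @(Get-CimInstance -Namespace $Namespace -Query $Query `
                      -OperationTimeoutSec $TimeoutSeconds -ErrorAction Stop)
        # Any row returned means the query is successful; zero rows means it is not.
        [pscustomobject]@{ Query = $Query; Rows = $rows.Count; Match = ($rows.Count -gt 0); Error = $null }
    } catch {
        # A bad class, bad WQL, access problem or timeout is "unsuccessful", the same as no rows.
        [pscustomobject]@{ Query = $Query; Rows = 0; Match = $false; Error = $_.Exception.Message }
    }
}

# Candidate queries for a workstyle. WHERE clauses narrow the rows so that a
# match means something specific rather than "the class exists".
$queries = @(
    'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1',       # workstation (2 = DC, 3 = server)
    'SELECT * FROM Win32_ComputerSystem WHERE PartOfDomain = TRUE',    # domain-joined machine
    'SELECT * FROM Win32_SystemEnclosure',                             # true wherever the class exists
    'SELECT * FROM Win32_NoSuchClass'                                  # invalid class: always unsuccessful
)
$results = $queries | ForEach-Object { Test-WmiFilter -Query $_ -TimeoutSeconds 5 }
$results | Format-Table Query, Rows, Match, Error -AutoSize

# How the filter combines several queries: "any" is the default, "all" is
# the behaviour of "All items below should match".
$anyMatch = $results.Match -contains $true
$allMatch = -not ($results.Match -contains $false)
"ANY query matches: $anyMatch; ALL queries match: $allMatch"
```

Run with a deliberately short timeout against a slow class (Win32_Product is the classic offender) to see that a timeout is reported as an error and therefore as no match, which is the behaviour the exclude-filter caveat above depends on.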

5.3 - Application Groups

Application groups are used to define logical groupings of applications.

Application groups are assigned to workstyles, so you must define application groups for all of the applications you want to assign to a workstyle.


5.3.1 - Creating Application Groups

To create an application group:

1. Navigate to Defendpoint Settings > Windows > Application Groups.
2. Right-click and click New Application Group. This creates an Application Group with the default name 'Application Group x', where x increments numerically.
3. Right-click on the new Application Group and click Rename. Enter the new name you want and press Return to save your new Application Group.

5.3.2 - Viewing or Editing the Properties of an Application Group

Each application group has a name, an optional description, and can be hidden from the policy navigation tree. You can edit these in the properties for the application group.

To view the properties of an application group:
1. Navigate to Defendpoint Settings > Windows > Application Groups.
2. Right-click and select Properties to view the properties. Enter or change the description and click OK to save the new properties.

You can also choose to hide your application group in this menu by selecting the Hidden check box. See Show Hidden Groups detailed on page 21 for more information.

5.3.3 - Deleting an Application Group

Application groups are usually mapped to one or more application rules in a workstyle. If you attempt to delete an application group that is mapped to an application rule, you are notified of this before you continue. If you continue to delete the application group, the associated application rule in the workstyle is also deleted.

To delete an application group:
1. Navigate to Defendpoint Settings > Windows > Application Groups.
2. Right-click on the Application Group you want to delete and click Delete.
3. If there aren't any application rules in the workstyle using that application group then it is deleted. If there are application rules in the workstyle that are referencing that application group then you are prompted to check the reference before you continue. If you click Resolve All then both the application group and the application rule that references it are deleted from your policy. If you don't want to do this, click Cancel.

5.3.4 - Duplicating an Application Group

You can duplicate an application group if you need a new application group that contains the same applications as an existing application group. You can edit a duplicated application group independently of the application group it was duplicated from.

To duplicate an Application Group:

1. Navigate to Defendpoint Settings > Windows > Application Groups.
2. Right-click on the Application Group you want to duplicate and click Copy.
3. Select the Application Groups node, right-click and select Paste. This will make a new copy of the application group and all the applications it contained.

A new duplicate Application Group, with an incremental number in brackets appended to the name, will be created that you can add applications to.


5.3.5 - Rule Precedence

If you add more than one application rule or content rule to a workstyle then entries that are higher in the list will have a higher precedence. Once a target matches a rule, no further rules or workstyles will be processed for that target. If a target could match more than one workstyle or rule then it is important that you order both your workstyles and rules correctly. In practice, place the most specific rules (for example those bound to a publisher or file hash) above broader path-based rules, and place block rules above any broad allow rule that would otherwise match the same target first.

To change the precedence of a rule within a workstyle:
1. Expand the relevant workstyle and then select the rule type tab: Application, On-Demand, or Content.
2. Right-click on the rule and use the following options to change the rule precedence: Move Top, Move Up, Move Down, and Move Bottom.

5.3.6 - Application Definitions

The Defendpoint Client must match every definition you configure before it will trigger a match (the rules are combined with a logical AND).

Application definitions that require a match can also be negated. To target applications that do not match the definition, select does NOT match from the drop-down.

ActiveX Codebase matches

When inserting ActiveX controls this is enabled by default and it is recommended that you use this option in most circumstances. You must enter the URL to the codebase for the ActiveX control. You can choose to match based on the following options (wildcard characters ? and * may be used):

- Exact Match
- Starts With
- Ends With
- Contains
- Regular Expressions

Although you can enter a relative codebase name, it is strongly recommended that you enter the full URL to the codebase, as it is more secure.

ActiveX Version matches

If the ActiveX control you entered has a version property then you can choose Check Min Version and/or Check Max Version and edit the respective version number fields.

App ID matches

This option allows you to match the App ID of the COM class, which is a GUID used by Windows to set properties for a CLSID. AppIDs can be used by one or more CLSIDs.

The available operators are identical to the File or Folder Name definition.

Application Requires Elevation (UAC)

This option can be used to check if an executable requires elevated rights to run and would cause UAC (User Account Control) to be triggered. This is a useful way to replace inappropriate UAC prompts with Defendpoint end user messages to either block or prompt the user for elevation.


Application Requires Elevation (UAC) (Supported on 'Install' only)

This option can be used to check if an MSI requires elevated rights to run and would cause UAC (User Account Control) to be triggered.

Any Uninstaller

This option allows you to match on any uninstaller type (msi or exe).

Avecto Zone Identifier exists

This option allows you to match on the Avecto Zone Identifier tag, where present. If an ADS (Alternate Data Stream) tag is applied by the browser, we also apply an Avecto Zone Identifier tag to the file. The Avecto Zone Identifier tag can be used as matching criteria if required.

CLSID matches

This option allows you to match the class ID of the ActiveX control or COM class, which is a unique GUID stored in the registry.

COM Display Name matches

If the class you entered has a Display Name then it will automatically be extracted and you can choose to match on this property. By default a substring match is attempted (Contains). Alternatively, you may choose to pattern match based on either a wildcard match (? and *) or a Regular Expression. The available operators are identical to the File or Folder Name definition.

Command Line matches

If the filename is not specific enough you can match the command line, by checking this option and entering the command line to match. By default a substring match is attempted (Contains). Alternatively, you may choose to pattern match based on either a wildcard match (? and *) or a Regular Expression. The available operators are identical to the File or Folder Name definition. Because the command line is chosen by whoever launches the process, a Command Line definition on its own is easy to satisfy; combine it with a Publisher or File Hash definition when the rule adds rights.

PowerShell removes double quotes from command strings prior to them being transmitted to the target. Therefore it is not recommended that Command Line definitions include double quotes, as they will fail to match the command.

Controlling Process matches

This option allows you to target content based on the process (application) that will be used to open the content file. The application must have been added to an application group. You can also define whether any parent of the application will match the definition.

Drive matches

This option can be used to check the type of disk drive where the file is located. Choose from one of the following options:

- Fixed disk - Any drive that is identified as being an internal hard disk.
- Network - Any drive that is identified as a network share.
- RAM disk - Any drive that is identified as a RAM drive.
- Any Removable Drive or Media - If you want to target any removable drive or media, but are unsure of the specific drive type, choose this option, which will match any of the removable media types below. Alternatively, if you want to target a specific type, choose from one of the following removable media types:
  - Removable Media - Any drive that is identified as removable media.
  - USB - Any drive that is identified as a disk connected via USB.
  - CD/DVD - Any drive that is identified as a CD or DVD drive.
  - eSATA Drive - Any drive that is identified as a disk connected via eSATA.

File or Folder Name matchesApplications are validated by matching the file or folder name. You can choose tomatch based on the followingoptions (wildcard characters ? and * may be used):

l Exact Matchl Starts Withl Ends Withl Containsl Regular Expressions. SeeRegular Expressions Syntax detailed on page 148 for more information.

Although you can enter relative filenames, it is strongly recommended that you enter the full path to a file or theCOM server. Environment variables are also supported.

It is not recommended that the definition File or Folder Name does NOTMatch is used in isolation for executabletypes, as it will result in matching every application, including hosted types such as Installer packages, scripts,batch files, registry files, management consoles and Control Panel applets.

When creating blocking rules for applications or content, and the File or Folder Name is used as matching criteriaagainst paths which exist on network shares, this should be done using the UNC network path and not by themapped drive letter.

File Hash (SHA-1 Fingerprint) matchesIf a reference file was entered, then an SHA-1 hash of the PowerShell script will be generated. This definitionensures that the contents or the script file (which can normally be edited by any user) remain unchanged, aschanging a single character in the script will cause the SHA-1 Hash to change.

File Version matchesIf the file, service executable or COM server you entered has a File Version property then it will automatically beextracted and you can choose Check Min Version and/or Check Max Version and edit the respective versionnumber fields.

Parent Process matchesThis option can be used to check if an application’s parent process matches a specific application group. Youmustcreate an application group for this purpose or specify an existing application group in the Parent Process group.Settingmatch all parents in tree to True will traverse the complete parent/child hierarchy for the application, lookingfor any matching parent process, whereas setting this option to False will only check the application’s direct parentprocess.

Product Code matches
If the file you entered has a Product Code then it will automatically be extracted and you can choose to check this code.

Product Description matches
If the file you entered has a Product Description property then it will automatically be extracted and you can choose to match on this property. By default a substring match is attempted (Contains). Alternatively, you may choose to pattern match based on either a wildcard match (? and *) or a Regular Expression. The available operators are identical to the File or Folder Name definition.

Product Name matches
If the file, COM server or service executable you entered has a Product Name property then it will automatically be extracted and you can choose to match on this property. By default a substring match is attempted (Contains). Alternatively, you may choose to pattern match based on either a wildcard match (? and *) or a Regular Expression. The available operators are identical to the File or Folder Name definition.

Product Version matches
If the file or COM server or service executable you entered has a Product Version property then it will automatically be extracted and you can choose Check Min Version and/or Check Max Version and edit the respective version number fields.

Publisher matches
This option can be used to check for the existence of a valid publisher. If you have browsed for an application, then the certificate subject name will automatically be retrieved, if the application has been signed. For Windows system files the Windows security catalog is searched, and if a match is found then the certificate for the security catalog is retrieved. Publisher checks are supported on Executables, Control Panel Applets, Installer Packages, Windows Scripts and PowerShell Scripts. By default a substring match is attempted (Contains). Alternatively, you may choose to pattern match based on either a wildcard match (? and *) or a Regular Expression. The available operators are identical to the File or Folder Name definition.

Service Actions match
This option allows you to define the actions which are allowed. Choose from:

• Service Stop – Grants permission to stop the service.
• Service Start – Grants permission to start the service.
• Service Pause / Resume – Grants permission to pause and resume the service.
• Service Configure – Grants permission to edit the properties of the service.

Service Display Name matches
This option allows you to match the name of the Windows service, for example "W32Time". You may choose to match based on the following options (wildcard characters ? and * may be used):

• Exact Match
• Starts With
• Ends With
• Contains
• Regular Expressions

Service Name matches
This option allows you to match the name of the Windows service, for example "W32Time". You may choose to match based on the following options (wildcard characters ? and * may be used):

• Exact Match
• Starts With
• Ends With
• Contains
• Regular Expressions

Source URL matches
If an application was downloaded using a web browser, this option can be used to check where the application or installer was originally downloaded from. The application is tracked by Defendpoint at the point it is downloaded, so that if a user decided to run the application or installer at a later date, the source URL can still be verified. By default a substring match is attempted (Contains). Alternatively, you may choose to pattern match based on either a wildcard match (? and *) or a Regular Expression. The available operators are identical to the File or Folder Name definition.

Trusted Ownership matches
This option can be used to check if an application's file is owned by a trusted owner (the trusted owner accounts are SYSTEM, Administrators or Trusted Installer).

Upgrade Code matches
If the file you entered has an Upgrade Code then it will automatically be extracted and you can choose to check this code.

Windows Store Application Version
This option allows you to match the version of the Windows Store application, for example "16.4.4204.712". You can choose Check Min Version and/or Check Max Version and edit the respective version number fields.
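Check Min Version and Check Max Version appear on the File Version, Product Version and Windows Store Application Version definitions alike. As an added example (not the product's own comparison routine), the following Python compares dotted version strings component by component, pads a shorter version with zeros, and treats both bounds as inclusive; the inclusive bounds and the zero padding are assumptions of this model. It also shows why versions must not be compared as plain strings.

```python
from typing import Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '16.4.4204.712' into (16, 4, 4204, 712); raises ValueError on junk."""
    return tuple(int(part) for part in text.strip().split("."))


def _padded(a: Tuple[int, ...], b: Tuple[int, ...]) -> Tuple[Tuple[int, ...], Tuple[int, ...]]:
    """Right-pad the shorter tuple with zeros so '5.2' compares equal to '5.2.0.0'."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def compare_versions(left: str, right: str) -> int:
    """-1, 0 or 1 as left is below, equal to or above right, numerically per component."""
    a, b = _padded(parse_version(left), parse_version(right))
    return (a > b) - (a < b)


def version_in_range(candidate: str, min_version: Optional[str] = None,
                     max_version: Optional[str] = None) -> bool:
    """Model of Check Min Version / Check Max Version with inclusive bounds (assumed).

    Either bound may be omitted, mirroring the two independent check boxes.
    """
    if min_version is not None and compare_versions(candidate, min_version) < 0:
        return False
    if max_version is not None and compare_versions(candidate, max_version) > 0:
        return False
    return True


def string_comparison_is_wrong(left: str, right: str) -> bool:
    """True when naive string ordering disagrees with numeric ordering."""
    return (left > right) != (compare_versions(left, right) > 0)


if __name__ == "__main__":
    print(version_in_range("16.4.4204.712", min_version="16.4"))          # True
    print(version_in_range("16.4.4204.712", max_version="16.4"))          # False: 16.4 pads to 16.4.0.0
    print(string_comparison_is_wrong("1.10", "1.9"))                      # True
```

The second call is the practical caveat: a maximum of "16.4" means 16.4.0.0 under zero padding, so every 16.4.x build is above it. Enter the full four-part version (or the highest build you intend to allow) in the maximum field rather than a truncated one.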

Windows Store Package Name
This option allows you to match the name of the Windows Store application, for example "microsoft.microsoftskydrive". You can choose to match based on the following options (wildcard characters ? and * may be used):

• Exact Match
• Starts With
• Ends With
• Contains
• Regular Expressions

Windows Store Publisher
This option allows you to match the publisher name of the Windows Store Application, for example "Microsoft Corporation". By default a substring match is attempted (Contains). Alternatively, you may choose to pattern match based on either a wildcard match (? and *) or a Regular Expression. The other available operators are:

• Exact Match
• Starts With
• Ends With
• Contains
• Regular Expressions

The Browse File and Browse Apps options can only be used if configuring Defendpoint Settings from a Windows 8 client.


Advanced Options
• Allow child processes will match this application definition detailed below
• Force standard user rights on File Open/Save common dialogs detailed below

Allow child processes will match this application definition

If this check box is selected then any child processes that are launched from this application (or its children) will also match this rule. The rules are still processed in order, so it's still possible for a child process to match a higher precedence rule (or workstyle) first. Therefore, this option will prevent a child process from matching a lower precedence rule. It should also be noted that if an application is launched via an on-demand rule and this option is selected, then its children will be processed against the on-demand rules, and not the application rules. If this option is not selected then the children will be processed against the application rules in the normal way. You can further refine this option by restricting the child processes to a specific application group. The default is to match <Any Application>, which will match any child process.

If you want to exclude specific processes from matching this rule, then click ‘…match…’ to toggle the rule to ‘…does not match…’.

Child processes are evaluated in the context that the parent was executed. For example, if the parent was executed through on-demand shell elevation, then the Defendpoint Client will first attempt to match on-demand application rules for any children of the executed application.

Force standard user rights on File Open/Save common dialogs

If the application allows a user to open or save files using the common Windows open/save dialog box then selecting this option will ensure that the user does not have admin privileges within these dialog boxes. These dialog boxes have Explorer-like features, and allow a user to rename, delete or overwrite files. If an application is running with elevated rights then the open/save dialog boxes would allow a user to replace protected system files. By default, Defendpoint will force these dialog boxes to run with the user's standard rights, which will prevent the user from tampering with protected system files.

5.3.7 - Inserting ActiveX Controls
Unlike other application types, Defendpoint only manages the privileges for the installation of ActiveX controls. ActiveX controls usually require administrative rights to install, but once installed they will run with the standard privileges of the web browser.

1. Select the application group you want to add the ActiveX control to.
2. Right-click and select Insert Application > ActiveX Control.
3. Enter the Codebase (URL) if required. This is a full or partial URL that specifies the location of the ActiveX control.
4. Enter a description if required. By default this is the name of the application you're inserting.
5. You need to configure the matching criteria for the executable and then click Next. You can configure:

• ActiveX Codebase matches detailed on page 53
• CLSID matches detailed on page 54
• ActiveX Version matches detailed on page 53

6. You need to configure the Advanced Options for the application. You can configure:
• Allow child processes will match this application definition detailed on the previous page
• Force standard user rights on File Open/Save common dialogs detailed on the previous page

7. Click OK. The ActiveX Control is added to the application group.

5.3.8 - Inserting Batch Files
1. Select the application group you want to add the application to.
2. Right-click and select Insert Application > Batch File.
3. You can leave the File or Folder Name blank to match on all applications of this type, type in a specific name or path manually, or click Browse File, Browse Folder or Template, see Inserting Applications from Templates detailed on page 70 for more information.
4. Enter a description if required. By default this is the name of the application you're inserting.
5. You need to configure the matching criteria for the executable. You can configure:

• File or Folder Name matches detailed on page 55
• Command Line matches detailed on page 54
• Drive matches detailed on page 54
• File Hash (SHA-1 Fingerprint) matches detailed on page 55
• Trusted Ownership matches detailed on page 57
• Application Requires Elevation (UAC) detailed on page 53
• Parent Process matches detailed on page 55
• Source URL matches detailed on page 57
• Avecto Zone Identifier exists detailed on page 54

6. You need to configure the Advanced Options for the application. You can configure:
• Allow child processes will match this application definition detailed on the previous page
• Force standard user rights on File Open/Save common dialogs detailed on the previous page

7. Click OK. The application is added to the application group.

5.3.9 - Inserting COM Classes
COM elevations are a form of elevation which are typically initiated from Explorer, when an integrated task requires administrator rights. Explorer uses COM to launch the task with admin rights, without having to elevate Explorer. Every COM class has a unique identifier, called a CLSID, that is used to launch the task.

COM tasks usually trigger a Windows UAC prompt because they need administrative privileges to proceed. Defendpoint allows you to target specific COM CLSIDs and assign privileges to the task without granting full administration rights to the user. COM based UAC prompts can also be targeted and replaced with custom messaging, where COM classes can be whitelisted and/or audited.

1. Select the application group you want to add the COM Class to.
2. Right-click and select Insert Application > COM Class.
3. Enter a Class ID (CLSID) if required. Defendpoint will extract information from this for the criteria if required, or click Browse Class or Template, see Inserting Applications from Templates detailed on page 70 for more information.
4. Enter a description if required. By default this is the name of the application you're inserting.
5. You need to configure the matching criteria for the executable. COM classes are hosted by a COM server DLL or EXE, so COM classes can be validated from properties of the hosting COM server. You can configure:

• File or Folder Name matches detailed on page 55
• Drive matches detailed on page 54
• File Hash (SHA-1 Fingerprint) matches detailed on page 55
• Product Name matches detailed on page 56
• Publisher matches detailed on page 56
• CLSID matches detailed on page 54
• App ID matches detailed on page 53
• COM Display Name matches detailed on page 54
• Product Description matches detailed on page 55
• Product Version matches detailed on page 56
• File Version matches detailed on page 55
• Trusted Ownership matches detailed on page 57
• Application Requires Elevation (UAC) detailed on page 53
  Match if Application Requires Elevation (User Account Control) is always enabled, as COM classes require UAC to elevate
• Source URL matches detailed on page 57

6. You need to configure the Advanced Options for the application. You can configure:
• Allow child processes will match this application definition detailed on page 58
• Force standard user rights on File Open/Save common dialogs detailed on page 58

7. Click OK. The application is added to the application group.

5.3.10 - Inserting Control Panel Applets
1. Select the application group you want to add the application to.
2. Right-click and select Insert Application > Control Panel Applet.
3. You can leave the File or Folder Name blank to match on all applications of this type, type in a specific name or path manually, or click Browse File, Browse Folder or Template, see Inserting Applications from Templates detailed on page 70 for more information.
4. Enter a description if required. By default this is the name of the application you're inserting.
5. You need to configure the matching criteria for the control panel applet. You can configure:

• File or Folder Name matches detailed on page 55
• Command Line matches detailed on page 54
• Drive matches detailed on page 54
• File Hash (SHA-1 Fingerprint) matches detailed on page 55
• Product Name matches detailed on page 56
• Publisher matches detailed on page 56
• Product Description matches detailed on page 55
• Product Version matches detailed on page 56
• File Version matches detailed on page 55
• Trusted Ownership matches detailed on page 57
• Application Requires Elevation (UAC) detailed on page 53
• Parent Process matches detailed on page 55
• Source URL matches detailed on page 57
• Avecto Zone Identifier exists detailed on page 54

6. You need to configure the Advanced Options for the application. You can configure:
• Allow child processes will match this application definition detailed on page 58
• Force standard user rights on File Open/Save common dialogs detailed on page 58

7. Click OK. The application is added to the application group.

5.3.11 - Inserting Executables
1. Select the application group you want to add the application to.
2. Right-click and select Insert Application > Executable.
3. You can leave the File or Folder Name blank to match on all applications of this type, type in a specific name or path manually, or click Browse File, Browse Folder or Template, see Inserting Applications from Templates detailed on page 70 for more information.
4. Enter a description if required. By default this is the name of the application you're inserting.
5. You need to configure the matching criteria for the executable. You can configure:

• File or Folder Name matches detailed on page 55
• Command Line matches detailed on page 54
• Drive matches detailed on page 54
• File Hash (SHA-1 Fingerprint) matches detailed on page 55
• Product Name matches detailed on page 56
• Publisher matches detailed on page 56
• Product Description matches detailed on page 55
• Product Version matches detailed on page 56
• File Version matches detailed on page 55
• Trusted Ownership matches detailed on page 57
• Application Requires Elevation (UAC) detailed on page 53
• Parent Process matches detailed on page 55
• Source URL matches detailed on page 57
• Avecto Zone Identifier exists detailed on page 54

6. You need to configure the Advanced Options for the application. You can configure:
• Allow child processes will match this application definition detailed on page 58
• Force standard user rights on File Open/Save common dialogs detailed on page 58

7. Click OK. The application is added to the application group.

5.3.12 - Inserting Installer Packages
Defendpoint allows standard users to install and uninstall Windows Installer packages that would normally require local admin rights. Defendpoint supports the following package types:

• Microsoft Software Installers (MSI)
• Microsoft Software Updates (MSU)
• Microsoft Software Patches (MSP)


When a Windows Installer package is added to an application group, and assigned to an application rule or on-demand application rule, the action will be applied to both the installation of the file, and also uninstallation via Add/Remove Programs, or Programs and Features.

By default, elevation of software uninstalls is disabled in the Defendpoint Client. When this feature is enabled, then the ‘Repair’ option is not available for any installed software package that matches a workstyle. If you want to grant uninstall privileges to users, and do not require the use of the ‘Repair’ option, you can enable MSI Uninstall support by adding the following registry entry: HKEY_LOCAL_MACHINE\Software\Avecto\Privilege Guard Client\ DWORD “MsiUninstallFeatureEnabled” = 1

The publisher property of an MSx file may sometimes differ from the publisher property once installed in Programs and Features. It is therefore recommended that applications targeted using the Match Publisher validation rule are tested for both installation and uninstallation, prior to deployment, using the Defendpoint Activity Viewer.

Installer packages typically create child processes as part of the overall installation process. Therefore it is recommended that when elevating MSI, MSU or MSP packages, the advanced option Allow child processes will match this application definition is enabled.

If you want to apply more granular control over Installer packages and their child processes, use the Child Process validation rule to whitelist or blacklist those processes that will / will not inherit privileges from the parent software installation.

1. Select the application group you want to add the Installer Package to.
2. Right-click and select Insert Application > Installer Package.
3. You can leave the File or Folder Name blank to match on all applications of this type, type in a specific name or path manually, or click Browse File, Browse Folder or Template, see Inserting Applications from Templates detailed on page 70 for more information.
4. Enter a description if required. By default this is the name of the application you're inserting.
5. You need to configure the matching criteria for the installer package. You can configure:

• File or Folder Name matches detailed on page 55
• Command Line matches detailed on page 54
• Drive matches detailed on page 54
• File Hash (SHA-1 Fingerprint) matches detailed on page 55
• Product Name matches detailed on page 56
• Publisher matches detailed on page 56
• Product Version matches detailed on page 56
• Product Code matches detailed on page 55
• Upgrade Code matches detailed on page 57
• Trusted Ownership matches detailed on page 57
• Application Requires Elevation (UAC) detailed on page 53
• Parent Process matches detailed on page 55
• Source URL matches detailed on page 57
• Avecto Zone Identifier exists detailed on page 54

6. You need to configure the Advanced Options for the application. You can configure:
• Allow child processes will match this application definition detailed on page 58
• Force standard user rights on File Open/Save common dialogs detailed on page 58

7. Click OK. The application is added to the application group.

5.3.13 - Inserting Management Console Snap-ins
1. Select the application group you want to add the application to.
2. Right-click and select Insert Application > Executable.
3. You can leave the File or Folder Name blank to match on all applications of this type, type in a specific name or path manually, or click Browse File, Browse Folder or Template, see Inserting Applications from Templates detailed on page 70 for more information.
4. Enter a description if required. By default this is the name of the application you're inserting.
5. You need to configure the matching criteria for the management console snap-ins. You can configure:

• File or Folder Name matches detailed on page 55
• Command Line matches detailed on page 54
• Drive matches detailed on page 54
• File Hash (SHA-1 Fingerprint) matches detailed on page 55
• Publisher matches detailed on page 56
• Trusted Ownership matches detailed on page 57
• Application Requires Elevation (UAC) detailed on page 53
• Parent Process matches detailed on page 55
• Source URL matches detailed on page 57
• Avecto Zone Identifier exists detailed on page 54

6. You need to configure the Advanced Options for the application. You can configure:
• Allow child processes will match this application definition detailed on page 58
• Force standard user rights on File Open/Save common dialogs detailed on page 58

7. Click OK. The application is added to the application group.

5.3.14 - Inserting PowerShell Scripts
Defendpoint allows you to target specific PowerShell scripts and assign privileges to the script without granting local administration rights to the user. Scripts can also be blocked if they are not authorized or whitelisted.

1. Select the application group you want to add the PowerShell script to.
2. Right-click and select Insert Application > PowerShell Script.
3. You can leave the File or Folder Name blank to match on all applications of this type, type in a specific name or path manually, or click Browse File, Browse Folder or Template, see Inserting Applications from Templates detailed on page 70 for more information.
4. Enter a description if required. By default this is the name of the application you're inserting.
5. You need to configure the matching criteria for the PowerShell script. You can configure:

• File or Folder Name matches detailed on page 55
• Command Line matches detailed on page 54
• Drive matches detailed on page 54
• File Hash (SHA-1 Fingerprint) matches detailed on page 55
• Publisher matches detailed on page 56
• Trusted Ownership matches detailed on page 57
• Parent Process matches detailed on page 55
• Source URL matches detailed on page 57
• Avecto Zone Identifier exists detailed on page 54

6. You need to configure the Advanced Options for the application. You can configure:
• Allow child processes will match this application definition detailed on page 58
• Force standard user rights on File Open/Save common dialogs detailed on page 58

7. Click OK. The application is added to the application group.

PowerShell scripts that contain only a single line are interpreted and matched as a PowerShell command, and will not match a PowerShell script definition. We recommend that PowerShell scripts contain at least two lines of commands to ensure that they are correctly matched as a PowerShell script. This cannot be achieved by adding a comment to the script.

5.3.15 - Inserting Registry Settings
1. Select the application group you want to add the application to.
2. Right-click and select Insert Application > Registry Settings.
3. You can leave the File or Folder Name blank to match on all applications of this type, type in a specific name or path manually, or click Browse File, Browse Folder or Template, see Inserting Applications from Templates detailed on page 70 for more information.
4. Enter a description if required. By default this is the name of the application you're inserting.
5. You need to configure the matching criteria for the application. You can configure:

• File or Folder Name matches detailed on page 55
• Command Line matches detailed on page 54
• Drive matches detailed on page 54
• File Hash (SHA-1 Fingerprint) matches detailed on page 55
• Trusted Ownership matches detailed on page 57
• Application Requires Elevation (UAC) detailed on page 53
• Parent Process matches detailed on page 55
• Source URL matches detailed on page 57
• Avecto Zone Identifier exists detailed on page 54

6. You need to configure the Advanced Options for the application. You can configure:
• Allow child processes will match this application definition detailed on page 58
• Force standard user rights on File Open/Save common dialogs detailed on page 58

7. Click OK. The application is added to the application group.


5.3.16 - Inserting Remote PowerShell Commands
Defendpoint provides an additional level of granularity for management of remote PowerShell cmdlets to ensure that you can execute these commands without needing local administrator privileges on the target computer.

Get-Service -Name *time* | Restart-Service -PassThru

Defendpoint allows you to target specific command strings and assign privileges to the command without granting local admin rights to the user. Commands can also be blocked if they are not authorized or whitelisted. All remote PowerShell commands are fully audited for visibility.

In order to allow standard users to connect to a remote computer via Windows Remote Management, or WinRM (a privilege normally reserved for local administrator accounts), it is necessary to enable the General rule Enable Windows Remote Management Connections. This rule grants standard users who match the Defendpoint workstyle the ability to connect via WinRM, and can be targeted to specific users, groups of users, or computers using workstyle filters.

1. Select the application group you want to add the application to.
2. Right-click and select Insert Application > Remote PowerShell Command.
3. You can leave the Select reference script file blank to match on all applications of this type, type in a specific name or path manually, or click Browse Cmdlets. This lists the PowerShell cmdlets for the version of PowerShell that you have installed. If the cmdlet you want to use is not listed because the target version of PowerShell is different, you can manually enter it.
4. Enter a description if required. By default this is the name of the application you're inserting.
5. You need to configure the matching criteria for the PowerShell command. You can configure:

• Command Line matches detailed on page 54
  PowerShell removes double quotes from the Command Line before it is sent to the target. Command Line definitions that include double quotes are not matched by Defendpoint for remote PowerShell commands.

6. Click OK. The application is added to the application group.

If you want to manage remote PowerShell scripts instead of a single cmdlet, see Inserting Remote PowerShell Scripts detailed on the next page for more information.

Messaging
Defendpoint end user messaging includes limited support for remote PowerShell sessions; block messages can be assigned to workstyle rules which block remote PowerShell scripts and commands. If a block message is assigned to a workstyle which blocks a script or command, then the body message text of an assigned message will be displayed in the remote console session as an error.


5.3.17 - Inserting Remote PowerShell ScriptsFrom within a remote PowerShell session, a script (.PS1) can be executed from a remote computer against a targetcomputer. Normally this would require local administrator privileges on the target computer, with little control overthe scripts that are executed, or the actions that the script performs. For example:

Invoke-Command -ComputerName RemoteServer -FilePath c:\script.ps1 –Credentialxxx

Defendpoint allows you to target specific PowerShell scripts remotely and assign privileges to the script withoutgranting local administration rights to the user. Scripts can also be blocked if they are not authorized or whitelisted.All remote PowerShell scripts executed are fully audited for visibility.

Youmust use the Invoke-Command cmdlet to tun remote PowerShell scripts. Defendpoint cannot targetPowerShell scripts that are executed from a remote PowerShell session. Remote PowerShell scripts mustbematched by either a SHA-1 File Hash, or a Publisher (if the script has been digitally signed).

Defendpoint allows you to elevate individual PowerShell scripts and commands which are executed from a remotemachine. This eliminates the need for users to be logged on with an account which has local admin rights on thetarget computer. Instead, elevated privileges are assigned to specific commands and scripts which are defined inapplication groups, and applied via a workstyle.

PowerShell scripts and commands can be whitelisted to block the use of unauthorized scripts, commands andcmdlets. Granular auditing of all remote PowerShell activity provides an accurate audit trail of remote activity.

PowerShell definitions for scripts and commands are treated as separate application types, which allows you todifferentiate between pre-defined scripts authorized by IT, and session based ad hoc commands.

In order to allow standard users to connect to a remote computer viaWindows RemoteManagement, orWinRM (aprivilege normally reserved for local administrator accounts), it is necessary to enable the General ruleEnableWindows Remote Management Connections. This rule grants standard users whomatch the Defendpointworkstyle the ability to connect viaWinRM, and can be targeted to specific users, groups of users, or computersusing workstyle filters.

1. Select the application group you want to add the Remote PowerShell script to.2. Right-click and select Insert Application > Remote PowerShell Script.3. You can leave theSelect reference script file blank tomatch on all applications of this files, type in a

specific name or pathmanually, or click Browse File.4. Enter a description if required. By default this is the name of the application you're inserting.5. You need to configure thematching criteria for the PowerShell script. You can configure:

l File Hash (SHA-1 Fingerprint) matches detailed on page 55l Publisher matches detailed on page 56

6. Click OK. The application is added to the application group.


Remote PowerShell scripts that contain only a single line will be interpreted and matched as a Remote PowerShell Command, and will fail to match a PowerShell script definition. It is therefore recommended that PowerShell scripts contain at least two lines of commands to ensure they are correctly matched as a script. This cannot be achieved by adding a comment to the script.

Messaging

Defendpoint end user messaging includes limited support for remote PowerShell sessions; block messages can be assigned to workstyle rules which block remote PowerShell scripts and commands. If a block message is assigned to a workstyle which blocks a script or command, then the body message text of the assigned message will be displayed in the remote console session as an error.
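As an added example (not from the guide), the following PowerShell prepares a script so that it can be matched by a Remote PowerShell Script definition and then runs it with Invoke-Command. The host name WS01, the script path, the service it restarts and the presence of a code-signing certificate in the user's personal store are assumptions.

```powershell
# Added example, not from the Defendpoint guide. Assumptions: target host WS01,
# script path C:\Scripts\Restart-Spooler.ps1, and a code-signing certificate in
# the user's personal store are all hypothetical.

$Script = 'C:\Scripts\Restart-Spooler.ps1'

# Write the script with two statements: a one-line script is matched as a
# Remote PowerShell Command, not a Remote PowerShell Script, and a comment line
# does not count towards the two lines.
@'
$svc = Get-Service -Name 'Spooler'
Restart-Service -InputObject $svc
'@ | Set-Content -Path $Script -Encoding UTF8

# Criterion 1: File Hash (SHA-1 Fingerprint). Paste this value into the
# definition. Any edit to the file, including whitespace, changes it.
$sha1 = (Get-FileHash -Path $Script -Algorithm SHA1).Hash

# Criterion 2: Publisher. Only available once the script is Authenticode-signed.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if ($cert) {
    # Signing appends a signature block, so re-hash afterwards if you use both criteria.
    Set-AuthenticodeSignature -FilePath $Script -Certificate $cert | Out-Null
    $sha1 = (Get-FileHash -Path $Script -Algorithm SHA1).Hash
}
$sig = Get-AuthenticodeSignature -FilePath $Script
$publisher = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { '(unsigned)' }

# Values to enter into the Remote PowerShell Script definition.
[pscustomobject]@{ Script = $Script; Sha1 = $sha1; Publisher = $publisher }

# Run it remotely. Invoke-Command sends the script contents to WS01, where the
# Defendpoint client matches it against the application group. A standard user
# needs the 'Enable Windows Remote Management Connections' general rule in a
# matching workstyle for the WinRM connection to be accepted; a script run from
# inside an interactive Enter-PSSession session is not targeted by Defendpoint.
Invoke-Command -ComputerName 'WS01' -FilePath $Script
```

Because the SHA-1 changes with every edit, a hash-based definition has to be refreshed each time the script is maintained; where a code-signing certificate is available, the Publisher criterion survives edits and is the easier one to keep current.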

5.3.18 - Inserting Uninstaller (msi or exe)

Defendpoint allows standard users to uninstall Microsoft Software Installers (MSIs) and Executables (EXEs) that would normally require local admin rights.

When the Any Uninstaller application type is added to an application group and assigned to an application rule in the Defendpoint policy, the end user can uninstall applications using Programs and Features or, in Windows 10, Apps and Features.

The Uninstaller Application Type allows you to uninstall any EXE or MSI when it is associated with an Application Rule. As the process of uninstalling a file requires admin rights, you need to ensure that when you target the Application Group in the Application Rules you set the Access Token to 'Add Admin Rights'. Because the Any Uninstaller criterion cannot be narrowed to particular products, restrict who receives such a rule through the workstyle's filters rather than expecting the definition itself to limit what can be removed.

The Uninstaller type must be associated with an Application Rule. It does not apply to On-Demand Application Rules.

You cannot use the 'Uninstaller' Application Type to uninstall the Avecto Defendpoint Client or the Avecto iC3 Adapter using Defendpoint, irrespective of your user rights. Defendpoint's anti-tamper mechanism prevents users from uninstalling Defendpoint, and the uninstall will fail with an error message.

If you want to allow users to uninstall either the Avecto Defendpoint Client or the Avecto iC3 Adapter you can do this by either:

• Logging in as a full administrator
• Elevating the Programs and Features control panel (or other controlling application) using a 'Custom' Access Token that has anti-tamper disabled; see Anti-Tamper Protection detailed on page 88 for more information.

1. Select the application group you want to add the Uninstaller to.
2. Right-click and select Insert Application > Uninstaller.
3. Enter a description if required. By default this is the name of the application you're inserting.
4. The Any Uninstaller matching criteria is selected by default. This cannot be changed.

• Any Uninstaller detailed on page 54

5. The advanced options are selected by default for the Uninstaller application type. This cannot be changed.
6. Click OK. The application is added to the application group.


5.3.19 - Inserting Windows Services

The Windows Service application type allows individual service operations to be whitelisted, so that standard users are able to start, stop and configure services without the need to elevate tools such as the Service Control Manager.

1. Select the application group you want to add the application to.
2. Right-click and select Insert Application > Windows Service.
3. You can leave the Service Name field blank to match on all applications of this type, type in a specific name or path manually, or click Browse Services to browse the services on the local computer.
4. Enter a description if required. By default this is the name of the application you're inserting.
5. You need to configure the matching criteria for the Windows service. You can configure:

• File or Folder Name matches detailed on page 55
• Command Line matches detailed on page 54
• Drive matches detailed on page 54
• File Hash (SHA-1 Fingerprint) matches detailed on page 55
• Product Name matches detailed on page 56
• Publisher matches detailed on page 56
• Product Description matches detailed on page 55
• Product Version matches detailed on page 56
• File Version matches detailed on page 55
• Service Name matches detailed on page 56
• Service Display Name matches detailed on page 56
• Service Actions match detailed on page 56

6. You need to configure the Advanced Options for the application. You can configure:

• Allow child processes will match this application definition detailed on page 58
• Force standard user rights on File Open/Save common dialogs detailed on page 58

7. Click OK. The application is added to the application group.
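As an added example (not part of the guide), this PowerShell gathers, for one or all services, the values that the matching criteria above take: service name, display name, the path of the service binary, its SHA-1 fingerprint and its publisher. It assumes that the File Hash and Publisher criteria of a Windows Service definition are evaluated against the service executable; the function name is hypothetical.

```powershell
# Added example, not from the Defendpoint guide. Assumption: the File Hash and
# Publisher criteria for a Windows Service definition apply to the service binary.

function Get-ServiceDefinitionData {
    param([string]$Name = '*')

    Get-CimInstance -ClassName Win32_Service | Where-Object { $_.Name -like $Name } | ForEach-Object {
        # PathName is the raw ImagePath: either a "quoted path" followed by
        # arguments, or an unquoted path followed by arguments.
        $raw = [string]$_.PathName
        $exe = $null
        if ($raw -match '^"(?<exe>[^"]+)"') {
            $exe = $Matches.exe
        } elseif ($raw -match '^(?<exe>\S+)') {
            # Unquoted path: everything after the first space is treated as
            # arguments. An unquoted path that itself contains spaces is cut
            # short here; such paths are also a classic privilege-escalation finding.
            $exe = $Matches.exe
        }
        if ($exe) { $exe = [Environment]::ExpandEnvironmentVariables($exe) }

        $sha1 = $publisher = $null
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $sha1 = (Get-FileHash -LiteralPath $exe -Algorithm SHA1).Hash
            $sig  = Get-AuthenticodeSignature -LiteralPath $exe
            if ($sig.Status -eq 'Valid') { $publisher = $sig.SignerCertificate.Subject }
        }

        [pscustomobject]@{
            ServiceName = $_.Name          # Service Name criterion
            DisplayName = $_.DisplayName   # Service Display Name criterion
            Executable  = $exe             # File or Folder Name criterion
            Sha1        = $sha1            # File Hash (SHA-1 Fingerprint) criterion
            Publisher   = $publisher       # Publisher criterion (signed binaries only)
        }
    }
}

# Service Name and Service Display Name are different strings: the Print
# Spooler service, for example, has the Service Name 'Spooler'.
Get-ServiceDefinitionData -Name 'Spooler' | Format-List
```

Matching on Service Name is the more robust choice of the two name criteria, because the display name is localized and can differ between language editions of Windows while the service name does not.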

5.3.20 - Inserting Windows Store Applications

The Windows Store application type allows the installation and execution of Windows Store applications on Windows 8 and later to be whitelisted, so that users are prevented from installing or using unknown or unauthorized applications from the Windows Store.

1. Select the application group you want to add the application to.
2. Right-click and select Insert Application > Windows Store Application.
3. You can leave the File or Folder Name field blank to match on all applications of this type, type in a specific name or path manually, or click Browse File, Browse Folder or Template; see Inserting Applications from Templates detailed on page 70 for more information.
4. Enter a description if required. By default this is the name of the application you're inserting.
5. You need to configure the Advanced Options for the application. You can configure:

• Allow child processes will match this application definition detailed on page 58
• Force standard user rights on File Open/Save common dialogs detailed on page 58

6. Click OK. The application is added to the application group.


5.3.21 - Inserting Windows Scripts

1. Select the application group you want to add the application to.
2. Right-click and select Insert Application > Windows Script.
3. You can leave the File or Folder Name field blank to match on all applications of this type, type in a specific name or path manually, or click Browse File, Browse Folder or Template; see Inserting Applications from Templates detailed on the next page for more information.
4. Enter a description if required. By default this is the name of the application you're inserting.
5. You need to configure the matching criteria for the script. You can configure:

• File or Folder Name matches detailed on page 55
• Command Line matches detailed on page 54
• Drive matches detailed on page 54
• File Hash (SHA-1 Fingerprint) matches detailed on page 55
• Publisher matches detailed on page 56
• Trusted Ownership matches detailed on page 57
• Application Requires Elevation (UAC) detailed on page 53
• Parent Process matches detailed on page 55
• Source URL matches detailed on page 57
• Avecto Zone Identifier exists detailed on page 54

6. You need to configure the Advanced Options for the application. You can configure:

• Allow child processes will match this application definition detailed on page 58
• Force standard user rights on File Open/Save common dialogs detailed on page 58

7. Click OK. The application is added to the application group.


5.3.22 - Inserting Applications from Templates

Application templates provide a simple way to pick from a list of known applications. A standard set of templates is provided that covers basic administrative tasks for all supported operating systems, common ActiveX controls, software updaters and Avecto utilities.

There are two ways you can insert applications into Application Groups. If you want to insert multiple applications from the Avecto templates you need to add the applications from the template menu; see Use the Add Apps to Template Menu detailed below for more information.

If you use the Template functionality once you have selected your application type, the list from Avecto is filtered to just the applications of that type and you can only add one at a time; see Use the Template Option in Matching Criteria detailed below for more information.

Use the Add Apps to Template Menu

1. Select the application group you want to add the application to.
2. Right-click and select Insert Applications > Application Templates. Choose one or more applications to add to the application group. You can select multiple rows using standard Windows functionality.
3. Click Save to add the applications or click Finish to exit without adding any applications.

Use the Template Option in Matching Criteria

1. Select the application group you want to add the application to.
2. Right-click and select Insert Applications > Application Templates.
3. Click Template next to the Description and choose the application you selected to add to the application group.
4. Select the applications you want to add to the application group. Each application will be highlighted once selected. Use the filter options Filter Text or Type, at the top of the page, to refine the number of applications displayed.
5. Select Save.

You can click on an application description to modify the settings of the application definition(s) and/or the Advanced Options.

5.3.23 - Inserting Applications from Running Processes

To insert an application from a running process:

1. Select the relevant application group.
2. Right-click the applications list in the details pane to access the context menu.
3. Select Insert Application and then select Running Process from the sub-menu. The Running Process dialog box appears.
4. Select Show processes from all users if you want to select a process from another user's session.
5. Select the relevant process from the list. Click OK.

5.3.24 - Inserting Applications from Events

The Event Import wizard allows you to search within any Defendpoint event source, and create application definitions based on the properties collected by an audit event. The wizard provides a simple and convenient way to find specific applications based on any or all of the following search criteria:


• Event Source – Where the event has been collected (local or remote Event Log, Forwarded Event Log, or Enterprise Reporting Pack database).
• Event Type – The type of event you are interested in. Choose Any application, or choose from one of the following:
  • Applications that performed privileged operations
  • Applications that triggered UAC
  • Applications that were blocked
  • Applications that were launched via the Shell Menu
• Timeframe – The period of time to search for applications. Choose from one of the following:
  • From – Pick a range starting from a predefined time period. From here you can also choose Anytime, to include all events.
  • Specific period – Pick an optional From and To date to include events collected during that period of time.

Once the search criteria have been entered, the wizard returns a list of the unique audited applications matching the criteria you specified. From here you can browse the list (which is grouped by Publisher), or to find a particular application you can type into the Search publisher \ Description field to instantly filter the list based on the text you enter.

Applications that are already members of the application group are highlighted and displayed with a tick (✓).

Once you have found an application or applications, select (or multi-select by holding down the Control or Shift key while selecting) and then click OK to create new application definitions from your selection.

Once the definitions have been created, you can edit the definition and modify the matching criteria. All matching criteria will be pre-populated with values collected from the application.

A unique application is based on the product description of the application. So if two or more audited applications share the same product description, they will be displayed as a single application. Because one entry can therefore stand for more than one file, check the pre-populated Publisher and File Hash criteria of an imported definition before relying on it.

5.4 - Content Groups

Content control allows you to control the accessibility of privileged content. Content groups provide a means of targeting specific types of content, based on file/folder, drive, or controlling process. Rules determining the behavior for that content are applied to each content group in a workstyle.

There are two main use cases for applying content control:

To allow standard users to modify privileged content, without having to assign admin rights to either the user or the application used to modify the content.

• Content groups can be added to content rules where the content can be assigned admin rights. When this is done, any user who receives the workstyle can modify matching content without requiring an administrator account.

To block access to content or directories.

• Content groups can be added to content rules where the ability to open the content can be controlled with a Block action. When this is done, any user who would normally be able to open and read the content will be blocked from opening the content.


The following sections explain how to create content groups including content definitions, and how to assign groups to content rules to apply the specific content control rules that meet your requirements.

5.4.1 - Creating Content Groups

To create a content group:

1. Navigate to Defendpoint Settings > Windows > Content Groups.
2. Right-click and click New Content Group. This creates a Content Group with the default name 'Content Group x', where x increments numerically.
3. Right-click on the new Content Group and click Rename. Enter the new name you want and press Return to save your new Content Group.

5.4.2 - Duplicating Content Groups

You can duplicate a content group if you need a new content group that contains the same content as an existing content group. You can edit a duplicated content group independently of the content group it was duplicated from.

To duplicate a Content Group:

1. Navigate to Defendpoint Settings > Windows > Content Groups.
2. Right-click on the Content Group you want to duplicate and click Copy.
3. Select the Content Groups node, right-click and select Paste. This will make a new copy of the Content Group and all the Content rules it contained.

A new duplicate Content Group with an incremental number in brackets appended to the name will be created that you can add content to.

5.4.3 - Target Content Definitions

The Content dialog box provides various Content Definitions. The Defendpoint Client must match every definition you configure before it will trigger a match (the rules are combined with a logical AND). The following definitions are available:

File or Folder Name

Content is validated by matching the file or folder name. You can choose to match based on the following options (wildcard characters ? and * may be used):

• Exact Match
• Starts With
• Ends With
• Contains
• Regular Expressions. See Regular Expressions Syntax detailed on page 148 for more information.

Although you can enter relative filenames, it is strongly recommended that you enter the full path to a file or the COM server. Environment variables are also supported.

It is not recommended that the definition File or Folder Name does NOT Match is used in isolation for executable types, as it will result in matching every application, including hosted types such as Installer packages, scripts, batch files, registry files, management consoles and Control Panel applets.


When creating blocking rules for applications or content, and the File or Folder Name is used as matching criteria against paths which exist on network shares, this should be done using the UNC network path and not the mapped drive letter. A drive letter is a per-session mapping that the user can change, or bypass entirely by opening the UNC path directly, so a rule written against the letter can be sidestepped.

Drive

This option can be used to check the type of disk drive where the file is located. Choose from one of the following options:

• Fixed disk – Any drive that is identified as being an internal hard disk.
• Network – Any drive that is identified as a network share.
• RAM disk – Any drive that is identified as a RAM drive.
• Any Removable Drive or Media – If you want to target any removable drive or media, but are unsure of the specific drive type, choose this option, which will match any of the removable media types below. Alternatively, if you want to target a specific type, choose from one of the following removable media types:
  • Removable Media – Any drive that is identified as removable media.
  • USB – Any drive that is identified as a disk connected via USB.
  • CD/DVD – Any drive that is identified as a CD or DVD drive.
  • eSATA Drive – Any drive that is identified as a disk connected via eSATA.
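The following PowerShell, added here and not part of the guide, applies both points above before a File or Folder Name or Drive definition is written: it rewrites a path on a mapped drive into its UNC form and reports which Drive option the path would fall under. The function name and the sample paths are constructed; USB and eSATA cannot be told apart from the logical-disk drive type alone, so those drives are reported as Removable Media.

```powershell
# Added example, not from the Defendpoint guide. The function name and sample
# paths are constructed for illustration.

function Resolve-ContentPath {
    param([Parameter(Mandatory)][string]$Path)

    # The definition accepts environment variables, so expand them first.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)

    if ($expanded -match '^\\\\') {
        return [pscustomobject]@{ Path = $expanded; DriveKind = 'Network'; Note = 'UNC path, use as-is' }
    }
    if ($expanded -notmatch '^(?<letter>[A-Za-z]):') {
        return [pscustomobject]@{ Path = $expanded; DriveKind = 'Unknown'; Note = 'Relative path, supply the full path' }
    }

    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$($Matches.letter.ToUpper()):'"
    if (-not $disk) {
        return [pscustomobject]@{ Path = $expanded; DriveKind = 'Unknown'; Note = 'Drive letter not present on this host' }
    }

    # Win32_LogicalDisk.DriveType mapped onto the Drive definition options.
    $kind = switch ([int]$disk.DriveType) {
        2 { 'Removable Media' }   # covers USB and eSATA disks as well
        3 { 'Fixed disk' }
        4 { 'Network' }
        5 { 'CD/DVD' }
        6 { 'RAM disk' }
        default { 'Unknown' }
    }

    if ($kind -eq 'Network' -and $disk.ProviderName) {
        # Mapped drive: rewrite to the UNC path that a blocking rule must use.
        $unc = $expanded -replace '^[A-Za-z]:', $disk.ProviderName
        return [pscustomobject]@{ Path = $unc; DriveKind = $kind; Note = "Rewritten from mapped drive $($disk.DeviceID)" }
    }
    [pscustomobject]@{ Path = $expanded; DriveKind = $kind; Note = 'Local path' }
}

# Constructed inputs; the output depends on the drives present on this machine.
'Z:\Finance\payroll.xlsx', 'C:\Users\Public\notes.txt', '%SystemRoot%\System32\drivers\etc\hosts' |
    ForEach-Object { Resolve-ContentPath -Path $_ } | Format-Table -AutoSize
```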

Controlling Process

This option allows you to target content based on the process (application) that will be used to open the content file. The application must have been added to an application group. You can also define whether any parent of the application will match the definition.

5.4.4 - Inserting Content

To insert a content definition:

1. Select the content group you want to add the content control to.
2. Right-click and select Insert Content.
3. Enter a description if required.
4. You need to configure the matching criteria for the content and then click Next. You can configure:

• File or Folder Name detailed on the previous page
• Drive detailed above
• Controlling Process detailed above

5. Click Finish. The Content is added to the content group.

5.5 - Messages

You can define any number of end user messages and notifications. Messages and notifications are displayed when a user's action triggers a rule (application, on-demand or content rule). Rules can be triggered by an application launch or block, or when content is modified.

Messages provide an effective way of alerting the user before an action is performed, for example before elevating an application or allowing content to be modified, or advising that an application launch or content modification has been blocked.


Messages give the user information about the application or content and the action taken, and can be used to request information from the user. Messages also allow authorization and authentication controls to be enforced before access to an application is granted.

Messages are customizable with visual styles, corporate branding and display text, so users are offered a familiar and contextual experience. Messages are assigned to application rules and content rules, and a message will display different properties depending on which of these targets it is assigned to. To view the differences, a Preview option allows you to toggle between the Application Preview and the Content Preview. This is available from the Preview drop-down menu located in the top-right corner of the details pane.

Once defined, a message may be assigned to an individual rule in the Workstyles Rules tab by editing the rule. Depending on the type of workstyle you've created, Defendpoint may auto-generate certain messages for you to use.

5.5.1 - Types of Messages

You can choose from Messages or Notifications. Messages take focus when they're displayed to the user. Message notifications appear on the user's task bar.

Message notification text is fully customizable, so that users are given concise and relevant information about the action performed. You can edit the strings in the Message Text tab, detailed on page 84.

Message notifications are displayed either as a systray bubble (Windows 7) or as a toast notification (Windows 8 and higher).

Message notifications are not supported for SYSTEM processes.

5.5.2 - Creating Messages

You can create two types of messages:

• Message or Notification detailed below
• ActiveX Message detailed on page 76

Message or Notification

To create a message or notification:

1. Navigate to Defendpoint Settings > Windows > Messages.
2. Right-click and click New Message.


3. Select a message template from either the Use a Message Box template or Use a Notification (balloon) drop-down menus and click Next.

Messages can be interactive (the user may be asked to input information before an action occurs). Notifications are descriptive (displaying information about an action that has occurred).

4. Customize the message (more advanced message configuration can be performed after the message has been created).
5. Click Finish.

A new message will be created. You can further refine the message by selecting it and editing the Design and the Text options available beneath each message.


ActiveX Message

When Defendpoint is configured to elevate the installation of an ActiveX control, a built-in progress dialog box of the installation process appears. You can create and configure this message in the Messages node.

1. Navigate to Defendpoint Settings > Windows > Messages.
2. Right-click and click Manage ActiveX Message text.

• Title – The title text of the progress dialog box.
• Download Message – The text displayed during the download phase.
• Install Message – The text displayed during the installation phase.

The display text can be configured for multiple languages. Defendpoint will detect the regional language of the end user, and if ActiveX strings in that language have been configured, the correct translation will be displayed.

If language settings for the region of the end user have not been configured, then the default language text will be displayed. To change the default language, select the desired language and click Set Default.

5.5.3 - Setting ActiveX Message Text

When Defendpoint is configured to elevate the installation of an ActiveX control, a built-in progress dialog box of the installation process appears. You can create and configure this message in the Messages node.

1. Right-click on the Messages node and select Manage ActiveX Message text.

• Title – The title text of the progress dialog box.
• Download Message – The text displayed during the download phase.
• Install Message – The text displayed during the installation phase.
• Cancel Button – The text displayed for the button that cancels the ActiveX installation.

The display text can be configured for multiple languages. Defendpoint will detect the regional language of the end user, and if ActiveX strings in that language have been configured, the correct translation will be displayed.

If language settings for the region of the end user have not been configured, then the default language text will be displayed. To change the default language, select the desired language and click Set Default.

5.5.4 - Message Name and Description

You may edit a message name or description by clicking on either element:

1. Select the Message (in either the left or right-hand pane).
2. Select the Message Design tab (detailed below) or the Message Text tab (detailed on page 84) to make further changes to your message.

5.5.5 - Message Design

Messages have a wide array of configuration options, which are detailed below.

As you change the various message options the preview message will automatically be updated. To test the message box, use the preview facility (program and content information will contain appropriate placeholders).

Once you have configured the message options you should configure the Message Text for the message, which includes full multi-lingual support.


• Miscellaneous Settings detailed below
• Message Header Settings detailed below
• Message Body Settings detailed on the next page
• User Reason Settings detailed on the next page
• User Authorization detailed on page 79
• Challenge / Response Authorization detailed on page 80
• Authorization Settings detailed on page 80
• Email Settings detailed on page 81

Miscellaneous Settings

• Show message on secure desktop – Select this option to show the message on the secure desktop. This is recommended if the message is being used to confirm the elevation of a process, for enhanced security. The secure desktop is isolated from the other processes in the user's session, so a prompt shown there cannot be overlaid, read or driven by software running as that user; this matters most when the message collects credentials or a response code.

Message Header Settings

• Header Style – Select the type of header, which can be No header, Defendpoint, Warning, Question or Error.
• Show Title Text – Determines whether to show the title text.
• Text Color – Select the color for the title text (the automatic color is based on the Header Style).
• Background Type – Set the background of the header, which can be Solid background, Gradient background or Custom image. (The default Background Type is Custom Image, making the Color 1 and Color 2 options initially unavailable.)
• Color 1 – Select the color for a Solid background or the first color for a Gradient background (the automatic color is based on the Header Style).
• Color 2 – Select the second color for a Gradient background (the automatic color is based on the selected Header Style).
• Custom Image – Select the image for a Custom image background. This option is only enabled if you have selected Custom Image for the Background Type. Click the "…" button to import, export, modify or delete images using the Image Manager.

Image Manager

The Image Manager associated with message creation allows you to Add, Modify, Export and Delete images that are referenced in message headers. All images are stored inside the workstyles as compressed and encoded images.

It is recommended that you delete any unused images to minimize the size of the policies, as Defendpoint does not automatically delete unreferenced images.

The Image Manager is accessible from the Message Design tab. Click the Manage Images button next to the Custom Image drop-down menu.

To upload an image:

1. Click Upload Image. The Import Image status dialog box appears. Click Choose file and browse to the location of the file.
2. Select the image and enter an Image Description. Click OK.
3. The image will be uploaded into Image Manager.

Images must be *.png format and be sized between 450x50


To edit an image:

1. In the Custom Image field select Manage Images.
2. Select the image in the list and click Edit. The Image Properties dialog box appears.
3. Alter the description and click OK.

To delete an image:

1. Select the image in the list and click Delete.
2. When prompted, click Yes to delete the image.

If an image is referenced by any messages then you will not be allowed to delete it.

Message Body Settings

The Message Body Settings display specific information about the program or content. These can be configured on the Message Text tab; they can display Automatic default values or Custom values. The Automatic default values are:

• Show Line One – The Program Name or the Content Name.
• Show Line Two – The Program Publisher or the Content Owner.
• Show Line Three – The Program Path or the Content Program.

Custom values are configured on the Message Text tab.

• Show reference Hyperlink – This option determines whether to show a hyperlink in the message below the body settings (the hyperlink is configured on the Message Text tab).

User Reason Settings

This option determines whether to prompt the end user to enter a reason before an application launches (Allow Execution message type) or to request a blocked application (Block Execution message type).

• Show User Reason Prompt – Select between Text box and Drop-down menu. The Text box allows users to write a reason or request. The Drop-down allows users to select a pre-defined reason or request from a drop-down menu. The pre-defined drop-down entries can be configured on the Message Text tab.
• Remember User Reasons (per-application) – Reasons are stored per-user in the registry.


User Authorization

• Authorization Type – Set this option to User must authorize to force the user to re-authenticate before proceeding. If you want to use this option for over-the-shoulder administration, then set this option to Designated user must authorize.
• Authentication Method – Set this option to Any to allow authentication using any method available to the user. If you want to enforce a specific authentication method, then set it to either Password only or Smartcard only.

If you select a method that is not available to the user, then the user will be unable to authorize the message.

• Designated Users – If the Authorization Type has been set to Designated user must authorize, then click the "…" button to add one or more user accounts or groups of users that will be allowed to authorize the message.
• Run application as Authorizing User – If the Authorization Type has been set to Designated user must authorize, then this option determines whether the application runs in the context of the logged on user or in the context of the authorizing user. The default is to run in the context of the logged on user rather than the authorizing user.

When Run application as Authorizing User is set to Yes, Defendpoint will attempt to match a workstyle of the same type (application rule or on-demand rule) for the authorizing user. If no workstyle is matched, Defendpoint will fall back to the original user's workstyle. Bear in mind that the person at the keyboard then controls a process running under the authorizer's account, so keep the designated user list short and do not use it for applications that can be driven to open arbitrary files or spawn shells.

Designated User Must Authorize

When this option is enabled, a designated user such as a system administrator can authorize the elevation in place of (or in addition to) a Challenge / Response code.

Input: Valid Challenge / Response code only is provided
Outcome: Application runs as logged on user

Input: Valid Challenge / Response code is provided and valid (but not required) credentials are provided
Outcome: Application runs as logged on user

Input: Invalid Challenge / Response code is provided but valid credentials are provided
Outcome: Application runs as authorizing user

Input: No Challenge / Response code is provided but valid credentials are provided
Outcome: Application runs as authorizing user


Challenge / Response Authorization

• Enabled – Set this option to Yes to present the user with a challenge code. In order for the user to proceed, they must enter a matching response code. Note that when this option is enabled for the first time, you will be requested to enter a shared key. For more information, see Challenge / Response Authorization detailed on the next page. You can click Edit Key to change the shared key for this message.

• Authorization Period (per-application) – Set this option to determine the length of time a successfully returned challenge code is active for. Choose from:

  • One use Only – A new challenge code is presented to the user on every attempt to run the application.

  • Entire Session – A new challenge code is presented to the user on the first attempt to run the application. After a valid response code has been entered, the user will not be presented with a new challenge code for subsequent uses of that application until they next log on.

  • Forever – A new challenge code is presented to the user on the first attempt to run the application. After a valid response code has been entered, the user will not be presented with a new challenge code again.

  • As defined by helpdesk – A new challenge code is presented to the user on the first attempt to run the application. If this option is selected then the responsibility of selecting the authorization period is delegated to the helpdesk user at the time of generating the response code. The helpdesk user will be given the ability to select one of the three above authorization periods. After a valid response code has been entered, the user will not receive a new challenge code for the duration of time specified by the helpdesk.

• Suppress messages once authorized – If the Authorization Period has not been set to One Use Only, the Suppress messages once authorized option is enabled and configurable.

• Show Information tip – This option determines whether to show an information tip in the challenge box. To configure the text of the information tip, see Message Text detailed on page 84.

• Maximum Attempts – This option determines how many attempts the user has to enter a successful response code for each new challenge. Set this option to Three Attempts to restrict the user to three attempts, otherwise set this option to Unlimited.

  After the third failure to enter a valid response code, the message will be canceled and the challenge code will be rejected. The next time the user attempts to run the application, they will be presented with a new challenge code. Failed attempts are accumulated even if the user clicks Cancel between attempts.

Authorization Settings

If Authorization Type has been set to Designated user must authorize this field becomes active. It allows you to choose between either:

• Yes – Both required – Both the challenge / response and the designated user credentials are required.
• No – Either one sufficient – Either the challenge / response or the designated user credentials is sufficient.


Email Settings

The email settings are only enabled for blocking messages.

• Allow user to email an application request – Select this option to allow the user to email a request to run an application (only available for the Block Execution message type).

• Mail To – Email address to send the request to (separate multiple email addresses with semicolons).

• Subject – Subject line for the email request.

The Mail To and Subject fields can include parameterized values, which can be used with email based automated helpdesk systems. For help with using parameters, see Windows Workstyle Parameters detailed on page 150.

Challenge / Response Authorization

Challenge / Response authorization provides an additional level of control for access to applications and privileges, by presenting users with a 'challenge' code in an end-user message. In order for the user to progress, they must enter a corresponding 'response' code into the message.

Any policy that has a message with challenge / response needs a shared key. This key is defined when you set up the first challenge / response message in your policy, although you can change it later if required. If you create a workstyle containing a challenge / response message, or you create a new challenge / response message, and you are not prompted to create a shared key, then there is already a shared key for the policy. You cannot view this shared key, but you can change it if required in the Design page of a Message; see Challenge / Response Authorization detailed on the previous page.

Challenge / Response authorization is configured as part of the end-user messages, and can be used in combination with any other authorization and authentication features of Defendpoint messaging.

Authorization is applied per user, per token, per application, meaning that each user is presented with challenge codes that, when authorized, only apply to them, the token used to request access and the specific application.

Challenge and response codes are presented as an 8 digit number, to minimize the possibility of incorrect entry. When a user is presented with a challenge code, the message may be canceled without invalidating the code. If the user runs the same application, they will be presented with the same challenge code. This allows users to request a response code from IT helpdesks who may not be immediately available to provide a response.

For more information on configuring challenge / response authorization enabled end user messages, see Message Design detailed on page 76.

Shared Key

The first time you create a Defendpoint end user message with a challenge you are asked to create a shared key. The shared key is used by the Defendpoint Client to generate challenge codes at the endpoint.

Once you have entered a shared key, it will be applied to all end user messages that have challenge / response authorization enabled in the same Defendpoint Settings.


To change the shared key:

1. Right-click the Messages node of a workstyle and select Set Challenge / Response Shared Key.
2. In the Challenge / Response Shared Key dialog box, edit the Enter Key and Confirm Key fields with the new Shared Key.
3. Click OK to complete. If the two entries do not match exactly, you will be presented with a warning message.

We recommend that your shared key is at least 15 characters and includes a combination of alphanumeric, symbolic, upper, and lowercase characters. As a best practice, the shared key should be changed periodically.

Generating a Response Code

There are two ways to generate a response code. You can either use the PGChallengeResponseUI.exe utility that is installed as part of the Defendpoint Policy Editor, or you can generate them directly within the MMC.

In order to generate a response code you must have set a Challenge / Response Shared Key. You are prompted to do this when you create any policy that has a Challenge / Response message assigned to it. Alternatively you can set the Challenge / Response Shared Key from the home page of the Defendpoint Settings node by clicking Set Challenge / Response Shared Key.

You can generate a response code from the Defendpoint Management Console. This launches a tool called PGChallengeResponseUI.exe. This tool is part of your installation and can be used independently of the Defendpoint Management Console. The tool is installed to this path:

<Installation Dir>\Avecto\Privilege Guard Management Consoles\

To generate a response code in the Defendpoint Management Console:

1. Click the Defendpoint Settings node and then Tools on the right-hand side.
2. Click Response Code Generator.
3. Enter the shared key you have defined, and the challenge code from the end-user.
4. The response code is generated once both the Shared Key and the 8 character challenge code have been entered.

The response value can then be sent to the end user to enter into their challenge dialog.

Generating a Response Code from the Command Line

Response codes can also be generated from the command line using the PGChallengeResponse.exe command line utility, which is installed as part of the Defendpoint Policy Editor installation, and is located in the following directory:

C:\Program Files\Avecto\Privilege Guard Management Consoles\


To generate a response code from the command line:

1. Open the Command Prompt by clicking the Start Menu and typing cmd.exe.
2. In the Command Prompt, type the following command, then press Enter:
   cd "\program files\avecto\privilege guard management consoles"
3. Once you have opened the privilege guard management consoles directory, type the following command (where <challenge> is the challenge code presented to a user):
   pgchallengeresponse.exe <challenge>
4. At the Shared Key prompt, enter the correct shared key, then press Enter.

PGChallengeResponseUI.exe is a standalone utility and can be distributed separately from the Defendpoint Policy Editor.

Automating Response Code Generation

The PGChallengeResponse.exe utility supports full command line use, allowing it to be easily integrated into any third party workflow that supports the execution of command line executables. The command line is as follows:

PGChallengeResponse.exe <challenge code> <shared key> <duration>

The duration parameter is optional.

Where <challenge code> is the code presented to the user and <shared key> is the key that was configured within the Defendpoint Settings which presented the end user message.

The utility will return the response code as an exit code, so it can be captured from within a custom script or wrapper application. The options for the optional <duration> parameter are once | session | forever.

Below is an example VBScript:

Dim WshShell, oExec, strCommand
Dim strChallenge, strKey, strExecutable, strType

strExecutable = "C:\Program Files\Avecto\Privilege Guard Management Consoles\PGChallengeResponse.exe"
strChallenge = InputBox("Enter Challenge Code from user", "Challenge")
strType = InputBox("Would you like a Once, Session, or Forever key?", "Type")
strKey = InputBox("Enter Authorization Key from policy", "Key")

' Quote the executable path and the shared key (both may contain spaces).
' Arguments follow the documented order: <challenge code> <shared key> <duration>
strCommand = """" & strExecutable & """ " & strChallenge & " """ & strKey & """ " & strType

Set WshShell = WScript.CreateObject("WScript.Shell")
Set oExec = WshShell.Exec(strCommand)

' Wait for the utility to finish; the response code is returned as its exit code.
Do While oExec.Status = 0
    WScript.Sleep 100
Loop

MsgBox "Response Code: " & oExec.ExitCode

Set WshShell = Nothing
Set oExec = Nothing
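As an added example (not Avecto's code), the same automation in Python: a wrapper that validates the helpdesk's inputs before anything runs, invokes PGChallengeResponse.exe in the documented argument order, and returns the exit code as the response code. It assumes the install path and command line documented above; the ResponseCodeError class, the injectable run parameter and the 8-digit zero padding are assumptions of this example.

```python
"""Wrapper for PGChallengeResponse.exe (added example, not Avecto's code).

Assumes the command line documented in this guide,
    PGChallengeResponse.exe <challenge code> <shared key> <duration>
and that the utility returns the response code as its exit code.
"""
import re
import subprocess
from typing import Callable, List, Optional

# Install path documented in this guide.
DEFAULT_EXE = r"C:\Program Files\Avecto\Privilege Guard Management Consoles\PGChallengeResponse.exe"

# Authorization periods the helpdesk may select (the <duration> argument).
VALID_DURATIONS = ("once", "session", "forever")

# Challenge codes are presented to the user as an 8 digit number.
CHALLENGE_RE = re.compile(r"^[0-9]{8}$")


class ResponseCodeError(ValueError):
    """Hypothetical error type: raised on malformed input or an abnormal exit."""


def build_command(challenge: str, shared_key: str,
                  duration: Optional[str] = None,
                  exe: str = DEFAULT_EXE) -> List[str]:
    """Validate the inputs and return argv in the documented argument order.

    Validation happens before anything is executed, so a mistyped challenge
    from the end user is rejected here instead of producing a useless code.
    """
    challenge = challenge.strip()
    if not CHALLENGE_RE.match(challenge):
        raise ResponseCodeError("challenge code must be exactly 8 digits")
    if not shared_key:
        raise ResponseCodeError("shared key must not be empty")
    argv = [exe, challenge, shared_key]
    if duration is not None:
        duration = duration.strip().lower()   # 'Session' from a form becomes 'session'
        if duration not in VALID_DURATIONS:
            raise ResponseCodeError("duration must be one of once, session, forever")
        argv.append(duration)
    return argv


def generate_response_code(challenge: str, shared_key: str,
                           duration: Optional[str] = None,
                           exe: str = DEFAULT_EXE,
                           run: Callable = subprocess.run) -> str:
    """Run the utility and return the response code as an 8-character string.

    `run` defaults to subprocess.run; a workflow can inject a stub to exercise
    the wrapper on a machine where the utility is not installed.
    """
    argv = build_command(challenge, shared_key, duration, exe)
    # The shared key travels on the command line and is therefore visible to
    # anyone who can list processes on this host, so run the wrapper only on
    # a helpdesk machine whose operators are already entitled to know the key.
    completed = run(argv, capture_output=True, text=True, timeout=30)
    code = completed.returncode
    if code < 0:
        # A negative status means the process was terminated, not completed.
        raise ResponseCodeError(f"utility did not exit normally (status {code})")
    # The response code is an 8 digit number, but an exit code drops leading
    # zeros, so pad it back before handing it to the end user (assumption).
    return f"{code:08d}"


if __name__ == "__main__":
    # Demonstration with a constructed stand-in for the real utility.
    def _fake_run(argv, **kwargs):
        class _Done:
            returncode = 1234567   # constructed value, not a real response
        print("would execute:", argv)
        return _Done()

    print(generate_response_code("12345678", "example-shared-key", "session",
                                 run=_fake_run))
```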


5.5.6 - Message Text

All of the text in the message can be configured in the Message Text section. You can add an additional language here and localize the text that you enter for the message text; see Languages detailed below for more information.

We recommend that you change the default text strings, as they are all English placeholders. After you have made a change to the message text, click Update to see your changes applied to the preview message.

The text in any text string can include parameterized values which provide more personalized messages for users. For help with using parameters, see Windows Workstyle Parameters detailed on page 150.

• Languages detailed below
• General detailed below
• Information detailed on the next page
• Publisher detailed on the next page
• User Reason detailed on the next page
• User Authentication detailed on the next page
• Challenge / Response Authorization detailed on page 86
• Smart Card Authorization detailed on page 86
• Buttons detailed on page 86

Languages

You can configure the text in the messages to display a language of your choice. To add a new language click Add Languages and select the language you want to use from the drop-down list. You can set this language to be the default language by clicking Set As Default.

Defendpoint checks the locale of the user's language and tries to match it to a language in Defendpoint that you've set up. If it finds a match then the strings for that language are displayed for the message text. If it doesn't find a match the language that you have assigned to be the default language is used.

Defendpoint doesn't localize the text into the language you have selected. You need to edit the message text in your chosen language.

If you have more than one language then you can set the default language. This is the language that will be used if an end user is using a language that has not been defined. The default language is set to English, but you may change the default language:

1. Select the language you want to set as the default language.
2. Click Set As Default.

If you delete a language that has been set to the default language then the language at the top of the language list is set to the default language. You must always have at least one language defined.

General

Caption controls the text at the top of the dialog box.

Header Message controls the text to the right of the icon in the header if it's shown.

Body Message controls the text at the top of the main message.


Refer URL controls the hyperlink for the Reference URL if you selected to show it in the Message Design.

Refer Text controls the text of the hyperlink for the Reference URL if you selected to show it in the Message Design.

Information

Message Mode determines where the message can be assigned. Messages can be assigned to application rules, on-demand application rules and content rules. Select Automatic to allow the rule type to determine the information that is displayed (Application or Content). Select Manual to enter your own information in the Custom fields. This information is displayed irrespective of the type of rule.

Application Line One Label controls the first line. For Automatic mode this is the Application Program Name.

Application Line Two Label controls the second line. For Automatic mode this is the Application Program Publisher.

Application Line Three Label controls the third line. For Automatic mode this is the Application Program Path.

Content Line One Label controls the first line. For Automatic mode this is the Control Content Name.

Content Line Two Label controls the second line. For Automatic mode this is the Content Owner.

Content Line Three Label controls the third line. For Automatic mode this is the Control Program.

Publisher

Program Publisher (Unknown) controls the text that is displayed for the variable [PG_PROG_PUBLISHER] if it's not known.

Verification Failure controls the text that is displayed next to the Publisher if the publisher verification fails.

Defendpoint verifies the publisher by checking that there is a publisher and also checking that the certificate associated with that publisher is signed. Defendpoint does not check to see if the certificate has been revoked, because of the length of the lookup process, which would rely on network connectivity. Instead, Privilege Guard relies on the Certificate Store being kept up to date with revoked certificates, which would be a standard operation as the full chain should be in the local certificate store.

User Reason

Reason controls the text above the field where the end user can enter their reason.

Reason Error Message controls the text that is displayed if the end user clicks Yes and doesn't enter a reason.

Drop-down list prompt controls the text above the user reason prompt.

User Reason List allows you to select from the user reasons. You can modify the User Reason List using the Add, Edit and Delete buttons.

User Authentication

User name controls the text adjacent to the field where the user would enter their user name.

Password controls the text adjacent to the field where the user would enter their password.

Domain controls the text below the password field that introduces the domain.


Unauthorized credentials controls the text that is displayed if the end user enters credentials that aren't valid for the requested operation.

Challenge / Response Authorization

Header text controls the text that introduces the challenge / response authorization.

Hint text controls the text that is in the response code field for challenge / response messages.

Information Tip Text controls the text above the challenge and response code fields.

Error Message Text controls the text that is displayed to the end user if they enter an incorrect response code and click Yes.

Smart Card Authorization

Card Prompt controls the text that introduces the card prompt.

Card Reading controls the text that is displayed when the card is being read.

Card Pin controls the text that is displayed when the card pin is provided.

Card Error controls the text that is displayed if there is an error reading the card.

No Certificate Error controls the text that is displayed when there is no certificate.

Incorrect Certificate Error controls the text that is displayed when there is an incorrect certificate.

Buttons

Depending on the message options the message box will have either one or two buttons:

• For a prompt, the message box will have OK and Cancel buttons.
• For a blocking message with Allow user to email an application request enabled the message box will have OK and Cancel buttons. We recommend you change the OK button text to be “Email”, unless you make it clear in the message text that the OK button will send an email request.
• For a blocking message with Allow user to email an application request disabled the message box will only have an OK button.

You can change the OK Button and Cancel Button text. For instance, you can change it to “Yes” and “No” if you are asking the end user a question.

• Buttons
• OK Button
• Cancel Button

5.6 - Custom Tokens

Access tokens (and custom tokens) are assigned to an application, or when content is being edited, to modify the privileges of that activity. Within an access token is a collection of settings that specify the group memberships, associated privileges, integrity level and process access rights.


Defendpoint includes a set of built-in access tokens that can be used to add administrator rights, remove administrator rights, or enforce the user's default privileges. A ‘passive’ access token is also available that does not change the privileges of the activity, but still applies anti-tamper protection.

Access tokens are assigned to applications or content through rules within a workstyle. For more advanced configurations, custom tokens can be created where group memberships, privileges, permissions and integrity can be manually specified. You can optionally define any number of custom tokens.

5.6.1 - Creating Custom Tokens

To create a new custom token:

1. Navigate to Defendpoint Settings > Windows > Custom Tokens.
2. Right-click and click New Custom Token. Select from the following options:
   • Create a token which adds Administrator rights
   • Create a token which removes Administration rights
   • Create a blank token
3. For the first two options, the Windows privileges that are assigned to that token are pre-selected for you, although you can change them if required. You can enter text in the Filter box to filter the list in real time.
4. Click Finish when you have assigned the required privileges to the token.

The new custom token is displayed beneath the Custom Tokens node. Click the new token to display the Token Summary.

You may now define the Groups, Privileges, Integrity Level and Process Access Rights for the custom token.

5.6.2 - Editing Custom Tokens

• Groups detailed below
• Privileges detailed on the next page
• Integrity Level detailed on the next page
• Process Access Rights detailed on page 89

Groups

The Groups section of the custom token specifies the groups that will be added or removed from the token.

To insert a group:

1. Select Groups from the top tab. The Token groups appear in the right-hand pane.
2. Right-click and select Add a new account.
3. Enter the object names and click Check Names to validate it.
4. By default, when you insert a group the Add Account check box is selected, and the group will be added to the custom token. If you want to remove the group from the custom token, select the Remove check box instead.


Domain and well known groups will display a Security Identifier (SID). The SID will be used by the Defendpoint Client, which avoids account lookup operations. For local groups the name will be used by the Defendpoint Client, and the SID will be looked up when the custom token is created by the client. Local Account will appear in the SID column of the groups list for local groups.

Setting the Token Owner

By default, a custom token that includes the administrators group has its owner set to the administrators group. If the administrators group is not present in the custom token then the user is set as the owner.

If you want the user to be the owner, regardless of the presence of the administrators group, then select the Ensure the User is always the Token Owner check box.

Anti-Tamper Protection

By default, Defendpoint prevents elevated processes from tampering with the files, registry and service that make up the client installation. It also prevents any elevated process from reading or writing to the local Defendpoint policy cache.

If you want to disable anti-tamper protection, then clear the Enable anti-tamper protection check box.

Under normal circumstances, this option should remain enabled, except in certain scenarios where elevated tasks require access to protected areas, for instance if you are using an elevated logon script to update the local Defendpoint policy.

Privileges

The Privileges section of the custom token specifies the privileges that will be added to or removed from the custom token.

If you want to add a privilege to the custom token then select the Add check box for the relevant privilege. If you want to remove a privilege from the custom token then select the Remove check box for the relevant privilege.

You can also select multiple privileges and use the following options on the right-click menu:

• Reset Privilege
• Add Privilege
• Remove Privilege
• Add Admin Privileges
• Remove Admin Privileges

To clear all of the privileges in the custom token before applying privileges, select the Remove all existing privileges in access token before applying privileges check box. If this check box is left cleared then the privileges are added to or removed from the user’s default custom token.

Integrity Level

The Integrity Level section of the custom token specifies the integrity level for the custom token.


To set the integrity level:

1. Select the Integrity Level node in the left-hand pane. The integrity levels appear in the right-hand pane as radio buttons.
2. Set the appropriate integrity level.

The integrity level should be set as follows:

Integrity Level | Description
--- | ---
System | Included for completion and should not be required
High | Set the integrity level associated with an administrator
Medium | Set the integrity level associated with a standard user
Low | Set the integrity level associated with protected mode (an application may fail to run or function in protected mode)
Untrusted | Included for completion and should not be required

Process Access Rights

The Process Access Rights section of a custom token allows you to specify which rights other processes will have over a process launched with that custom token.

Tokens that include the administrators group have a secure set of access rights applied by default, which will prevent code injection attacks on elevated processes initiated by processes running with standard user rights in the same session.

Select or clear the Access Right Name check box to enable or disable a specific access right.

You can also select multiple access rights and use the following options on the right-click menu:

• Reset all to default
• Add Right
• Remove Right


The access rights should be set as follows:

Access Rights | Description
--- | ---
GENERIC_READ | Read access.
PROCESS_CREATE_PROCESS | Required to create a process.
PROCESS_CREATE_THREAD | Required to create a thread.
PROCESS_DUP_HANDLE | Required to duplicate a handle using DuplicateHandle.
PROCESS_QUERY_INFORMATION | Required to retrieve certain information about a process, such as its token, exit code, and priority class
PROCESS_QUERY_LIMITED_INFORMATION | Required to retrieve certain information about a process
PROCESS_SET_INFORMATION | Required to set certain information about a process, such as its priority class
PROCESS_SET_QUOTA | Required to set memory limits using SetProcessWorkingSetSize
PROCESS_SUSPEND_RESUME | Required to suspend or resume a process
PROCESS_TERMINATE | Required to terminate a process using TerminateProcess
PROCESS_VM_OPERATION | Required to perform an operation on the address space of a process
PROCESS_VM_READ | Required to read memory in a process using ReadProcessMemory
PROCESS_VM_WRITE | Required to write to memory in a process using WriteProcessMemory
READ_CONTROL | Required to read information in the security descriptor for the object, not including the information in the SACL
SYNCHRONIZE | Required to wait for the process to terminate using the wait functions


Chapter 6 - Defendpoint Policies for OS X

A Defendpoint policy for macOS / OS X is built up with the following optional components:

• Workstyles detailed below
  A workstyle is part of a policy. It's used to assign application rules for users. You can create workstyles using the Workstyle Wizard or import them.

• Application Groups detailed on page 96
  Application Groups are used by Workstyles to group applications together to apply certain Defendpoint behavior.

• Messages detailed on page 110
  Messages are used by Workstyles to provide information to the end user when Defendpoint has applied certain behavior that you've defined and need to notify the end-user.

Mac Policies are not applied to the root user.

6.1 - Workstyles

Defendpoint workstyles are used to assign Application Groups detailed on page 96 for a specific user, or group of users. The Workstyle wizard can generate Application Rules depending on the type of Workstyle you choose. See Creating Workstyles detailed on the next page for more information.

6.1.1 - Workstyle Wizard

The workstyle wizard guides you through the process of creating a Defendpoint workstyle. The options you select determine the function of the workstyle.

1. Navigate to the OS X > Workstyles node.
2. Right-click the Workstyles node and then click Create Workstyle on the top-right. The workstyle wizard is displayed.
3. You can optionally enter a license code at this stage or you can enter it later once the workstyle has been created.
4. You can choose from 'Controlling' or 'Blank' for your workstyle. A controlling workstyle allows you to apply rules for access to privileges and applications. A blank workstyle allows you to create an empty workstyle without any predefined elements. If you selected a blank workstyle the next screen is Finish as there is nothing to configure.
5. Filtering (Controlling workstyle only). This determines who will receive this workstyle. You can choose from Standard users only or everyone. If you apply it to everyone it will apply to Administrators. You can modify the filters and apply more detailed filtering once the workstyle has been created.
6. Capabilities (Controlling workstyle only). Allows you to choose Privilege Management and / or Application Control. If you don't select either capability the next screen is Finish. This workstyle would only contain filtering information.
7. Privilege Management (Controlling workstyle with the Privilege Management capability). Allows you to choose:
   • how you manage Authorization prompts including sudo control and Installer privileges


   If you select 'Present users with a challenge code' from the drop-down you are prompted to configure the Challenge and Response functionality at the end of creating your workstyle if your policy doesn't already have one.

9. Application Control (Controlling workstyle with the Application Control capability). Allows you to choose:
   • how you want to apply application control. You can choose from a whitelist or blacklist approach. We recommend you use a whitelist approach.
   • if you selected 'As a whitelist' - How you want to handle non-whitelisted applications.
   • if you selected 'As a blacklist' - How you want to handle blacklisted applications.

10. Finish. Allows you to enter a Name and Description for your new policy. If the workstyle has been configured to use a Challenge / Response message and the policy doesn't have an existing key, you will be asked to set a key. See Challenge / Response Authorization detailed on page 117 for more information. You can select the check box on this screen to activate this workstyle immediately or you can leave the check box cleared to continue to configure the workstyle before you apply it to your endpoints.

Depending on the type of workstyle you created and any capabilities that have been included, Defendpoint will auto-generate certain Application Groups detailed on page 96 (containing rules), and Messages detailed on page 110. Filters are applied and subsequently configured as part of the workstyle.

6.1.2 - Creating Workstyles

The workstyle wizard guides you through the process of creating a Defendpoint workstyle. The options you select determine the function of the workstyle.

1. Navigate to the OS X > Workstyles node.
2. Right-click the Workstyles node and then click Create Workstyle on the top-right. The workstyle wizard is displayed.
3. You can optionally enter a license code at this stage, or you can enter it later once the workstyle has been created.
4. You can choose from 'Controlling' or 'Blank' for your workstyle. A controlling workstyle allows you to apply rules for access to privileges and applications. A blank workstyle allows you to create an empty workstyle without any predefined elements. If you selected a blank workstyle, the next screen is Finish as there is nothing to configure.
5. Filtering (Controlling workstyle only). This determines who will receive this workstyle. You can choose from Standard users only or Everyone. If you apply it to Everyone, it will also apply to Administrators. You can modify the filters and apply more detailed filtering once the workstyle has been created.
6. Capabilities (Controlling workstyle only). Allows you to choose Privilege Management and / or Application Control. If you don't select either capability, the next screen is Finish. This workstyle would only contain filtering information.
7. Privilege Management (Controlling workstyle with the Privilege Management capability). Allows you to choose:

   • how you manage Authorization prompts, including sudo control and Installer privileges

   If you select 'Present users with a challenge code' from the drop-down, you are prompted to configure the Challenge and Response functionality at the end of creating your workstyle if your policy doesn't already have one.

8. Application Control (Controlling workstyle with the Application Control capability). Allows you to choose:

   • how you want to apply application control. You can choose from a whitelist or blacklist approach. We recommend you use a whitelist approach.
   • if you selected 'As a whitelist': how you want to handle non-whitelisted applications.
   • if you selected 'As a blacklist': how you want to handle blacklisted applications.

9. Finish. Allows you to enter a Name and Description for your new policy. If the workstyle has been configured to use a Challenge / Response message and the policy doesn't have an existing key, you will be asked to set a key. See Challenge / Response Authorization detailed on page 117 for more information. You can select the check box on this screen to activate this workstyle immediately, or leave the check box cleared to continue configuring the workstyle before you apply it to your endpoints.

Depending on the type of workstyle you created and any capabilities that have been included, Defendpoint will auto-generate certain Application Groups detailed on page 96 (containing rules), and Messages detailed on page 110. Filters are applied and subsequently configured as part of the workstyle.

Disabling / Enabling Workstyles

You can enable or disable workstyles to stop them being processed by the Defendpoint Client.

To enable / disable a workstyle:

1. Navigate to the policy and select the Workstyles node. You can see which policies are disabled and enabled in the list.
2. Right-click on the workstyle and click Disable Workstyle to disable it or Enable Workstyle to enable it.

In the above example, the General Rules workstyle is enabled and the High Flexibility workstyle is disabled.

Workstyle Precedence

If you have multiple workstyles, they are evaluated in the order in which they are listed. Workstyles that are higher in the list have a higher precedence. Once an application matches a workstyle, no further workstyles are processed for that application, so it is important that you order your workstyles correctly because an application could match more than one workstyle.

To change the precedence of a workstyle:

1. Select the Workstyles node in the left-hand pane.
2. Right-click and choose from the options Move Top, Move Up, Move Down, or Move Bottom as required.


6.1.3 - Workstyle Summary

You can view a summary of the Workstyles, Application Groups, and Messages in your policy for Mac by clicking the OS X node in the policy editor.

Some of these tabs may not be displayed if they've not been configured in your policy.

• Overview detailed below
• Application Rules detailed below
• Account Filters detailed on page 96

6.1.4 - Overview

The Overview tab allows you to quickly access the following features of your policy:

• General
  • Allows you to edit the description of your workstyle and enable or disable it.
• Totals
  • Allows you to configure the following types of rule:
    • Application Rules detailed below
• Filters
  • Allows you to configure the following Filters:
    • Account Filters detailed on page 96

6.1.5 - Application Rules

Application rules are applied to Application Groups detailed on page 96. Application rules can be used to enforce whitelisting, monitoring and assigning privileges to groups of applications. They are a set of rules that apply to the applications listed in the application group.

You need an Application Group before you can create an Application Rule, see Creating Application Groups detailed on page 96.

Inserting an Application Rule

1. Click Application Rules to view, create or modify the following for each application rule:

Option | Description
Target Application Group | Select from the Application Groups list (detailed on page 96).
Action | Select from 'Allow Execution' or 'Block Execution'. This is what will happen if the application in the targeted application group is launched by the end user.
End User Message | Select if a message will be displayed to the user when they launch the application. Messages are recommended if you're blocking the execution of the application, so the end user has some feedback on why the application doesn't launch.
Access Token | Select the type of token to be used for the target application group. You can select from the four token types listed below this table. See https://msdn.microsoft.com/en-gb/library/windows/desktop/aa374909(v=vs.85).aspx for more information on access tokens.

Access Token options:

• Passive (no change): doesn't make any change to the user's token. This is essentially an audit feature.
• Enforce User's default rights: removes all rights and uses the user's default token. Windows UAC always tries to add administration rights to the token being used, so if the user clicked on an application that triggers UAC, the user would not be able to progress past the UAC prompt.
• Drop Admin Rights: removes administration rights from the user's token.
• Add Admin Rights: adds administration rights to the user's token.

Auditing

Option | Description
Raise an Event | Whether or not you want an event to be raised if this application rule is triggered. This will forward to the local event log file.
Run a Script | You can choose to run a script if an event is raised.
Privilege Monitoring | Raises a privileged monitoring event.

McAfee ePO Reporting Options

This option is only available if you selected the McAfee integration check box when you installed the Defendpoint Management Console.

Option | Description
ePO Queries and Reports | Select this option to raise an ePO Threat event. These are separate from Defendpoint reporting events.
Avecto Reporting (in ePO) | Select this option to raise a Defendpoint Reporting event. These are available in Avecto Reporting.

Application Rule Precedence

If you add more than one application rule to a workstyle, then entries that are higher in the list will have a higher precedence. Once an application matches an application rule, no further rules or workstyles will be processed. If an application could match more than one workstyle or rule, then it is important that you order both your workstyles and rules correctly. You can move application rules up and down to change the precedence.

6.1.6 - Filters

The Filters tab of a workstyle can be used to further refine when a workstyle will actually be applied. By default, a workstyle will apply to all users/computers who receive it. However, you can add one or more filters that will restrict the application of the workstyle:

Account Filters

Account filters specify the users and groups the workstyle will be applied to.

When a new workstyle is created, a default account filter will be added to target either Standard users only, or Everyone (including administrators), depending on your selection in the workstyle wizard.

To restrict a workstyle to specific groups or users you can filter on the Account Name or the UID/GID or both.

1. Expand the appropriate workstyle in the left-hand pane and click Filters.
2. Select Add a new local OS X account or Add a new domain account if you want to use Windows AD to create your filters. If you choose this option you need to create a mapping between your Windows SID and OS X UID/GID, see https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/ for more information. You can choose to filter by User or Group.

   • For User, you can match on the Account Name, the User ID or both. In the instance of both, they both must match for the filter to be applied. The Account Name is not case sensitive.
   • For Group, you can match on the Group Name, the Group ID or both. In the instance of both, they both must match for the filter to be applied. The Group Name is not case sensitive.

3. Click OK to finish configuring your filter.

By default, an account filter will apply if any of the user or group accounts in the list match the user. If you have specified multiple user and group accounts within one account filter, and want to apply the workstyle only if all entries in the account filter match, then check the check box at the top of the screen that says All items below should match.

You can add more than one account filter if you want the user to be a member of more than one group of accounts for the workstyle to be applied.

If an account filter is added, but no user or group accounts are specified, a warning will be displayed advising No accounts added, and the account filter will be ignored.

If All items below should match is selected, and you have more than one user account listed, the workstyle will never apply as the user cannot match two different user accounts.
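The account filter rules above (any-match versus 'All items below should match', name-or-ID matching with both required when both are set, case-insensitive names, an empty filter being ignored with a warning, and several filters all having to apply) can be checked against a model before a workstyle reaches an endpoint. The following Python script is an added example, not part of this guide or of the Defendpoint product; the users, groups and IDs in it are constructed sample data, and SessionUser, AccountEntry, AccountFilter and workstyle_applies are the example's own names.

```python
"""Account filter evaluation for a workstyle.

Added example (not Avecto's code) modelling the rules stated in the guide:
  - a user entry matches on Account Name, UID, or both (both must match);
  - a group entry matches on Group Name, GID, or both;
  - names are not case sensitive;
  - a filter applies if ANY entry matches, or if ALL entries match when
    'All items below should match' is selected;
  - an account filter with no entries is ignored with a warning;
  - when several filters are present, each one must apply.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SessionUser:
    """The user launching an application (constructed test data, not real accounts)."""
    name: str
    uid: int
    groups: List[Tuple[str, int]]  # (group name, GID) pairs the user belongs to


@dataclass
class AccountEntry:
    kind: str                    # "user" or "group"
    name: Optional[str] = None   # Account Name / Group Name, matched case-insensitively
    ident: Optional[int] = None  # UID / GID, matched exactly

    def matches(self, user: SessionUser) -> bool:
        candidates = [(user.name, user.uid)] if self.kind == "user" else user.groups
        for cand_name, cand_id in candidates:
            if self.name is not None and cand_name.lower() != self.name.lower():
                continue
            if self.ident is not None and cand_id != self.ident:
                continue
            return True  # every populated field matched this candidate
        return False


@dataclass
class AccountFilter:
    entries: List[AccountEntry] = field(default_factory=list)
    all_must_match: bool = False  # the 'All items below should match' check box


def filter_applies(flt: AccountFilter, user: SessionUser, warnings: List[str]) -> Optional[bool]:
    """True/False for a populated filter; None when the filter is ignored."""
    if not flt.entries:
        warnings.append("No accounts added")
        return None
    hits = [entry.matches(user) for entry in flt.entries]
    return all(hits) if flt.all_must_match else any(hits)


def workstyle_applies(filters: List[AccountFilter], user: SessionUser,
                      warnings: Optional[List[str]] = None) -> bool:
    """The workstyle applies only if every non-ignored account filter applies."""
    warnings = [] if warnings is None else warnings
    verdicts = [filter_applies(f, user, warnings) for f in filters]
    return all(v for v in verdicts if v is not None)


# Constructed sample accounts.
ALICE = SessionUser("Alice", 501, [("staff", 20), ("developers", 1001)])
BOB = SessionUser("bob", 502, [("staff", 20)])


def demo() -> Dict[str, object]:
    warnings: List[str] = []
    dev_group = AccountFilter([AccountEntry("group", "developers", 1001)])
    alice_by_name = AccountFilter([AccountEntry("user", name="alice")])    # case differs from "Alice"
    alice_wrong_uid = AccountFilter([AccountEntry("user", "alice", 999)])  # name matches, UID does not
    two_users_all = AccountFilter([AccountEntry("user", name="alice"),
                                   AccountEntry("user", name="bob")], all_must_match=True)
    empty = AccountFilter()
    return {
        "alice_dev_and_name": workstyle_applies([dev_group, alice_by_name], ALICE, warnings),
        "bob_dev": workstyle_applies([dev_group], BOB, warnings),
        "alice_wrong_uid": workstyle_applies([alice_wrong_uid], ALICE, warnings),
        "two_users_all_match": workstyle_applies([two_users_all], ALICE, warnings),
        "empty_filter_ignored": workstyle_applies([empty], BOB, warnings),
        "warnings": warnings,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two_users_all_match case reproduces the situation the guide warns about: two user accounts under 'All items below should match' can never both match one user, so the workstyle silently never applies; the empty filter case shows the warning being raised while the workstyle still applies because the filter is ignored rather than failed.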

6.2 - Application Groups

Application groups are used to define logical groupings of applications.

Application groups are assigned to workstyles, so you must define application groups for all of the applications you want to assign to a workstyle.

6.2.1 - Creating Application Groups

To create an application group:

1. Navigate to the OS X > Application Groups node.
2. Right-click the Application Groups node and then click New Application Groups on the top-right. The workstyle wizard is displayed.
3. Enter a name and a description (if required) for the new application group. Click OK to save your new application group.

6.2.2 - Viewing or Editing the Properties of an Application Group

Each application group has a name, an optional description and can be hidden from the policy navigation tree. You can edit these in the properties for the application group.

To view the properties of an application group:

1. Navigate to the OS X > Application Groups node.
2. Right-click the Application Group and click Properties to view the properties. Make any changes you require and click OK to save the new properties.

6.2.3 - Deleting an Application Group

Application groups are usually mapped to one or more application rules in a workstyle. If you attempt to delete an application group that is mapped to an application rule, you are notified of this before you continue. If you continue to delete the application group, the associated application rule in the workstyle is also deleted.

To delete an application group:

1. Navigate to the OS X > Application Groups node.
2. Right-click on the Application Group that you want to delete and click Delete.
3. If there aren't any application rules in the workstyle using that application group, then it is deleted. If there are application rules in the workstyle that are referencing that application group, then you are prompted to check the reference before you continue. If you click OK, then both the application group and the application rule that references it are deleted from your policy. If you don't want to do this, click Cancel.

6.2.4 - Duplicating an Application Group

You can duplicate an application group if you need a new application group that contains the same applications as an existing application group. You can edit a duplicated application group independently of the application group it was duplicated from.

To duplicate an application group:

1. Navigate to the OS X > Application Groups node.
2. Right-click on the Application Group you want to duplicate and click Copy.
3. Select the Application Groups node, right-click and select Paste. This will make a new copy of the application group and all the application rules it contained.
4. A new duplicate Application Group, with an incremental number in brackets appended to the name, will be created that you can add applications to.

6.2.5 - Rule Precedence

If you add more than one application rule or content rule to a workstyle, then entries that are higher in the list will have a higher precedence. Once a target matches a rule, no further rules or workstyles will be processed for that target. If a target could match more than one workstyle or rule, then it is important that you order both your workstyles and rules correctly.

To change the precedence of a rule within a workstyle:

1. Expand the relevant workstyle and then select the rule type tab: Application, On-Demand, or Content.
2. Right-click on the rule and use the following options to change the rule precedence: Move Top, Move Up, Move Down, and Move Bottom.

6.2.6 - Application Definitions

All matching criteria are case sensitive on macOS.

Application definitions allow you to target applications based on specific properties. When an application is executed, Defendpoint will query the properties of the application and attempt to match them against the matching criteria in the definition. If a match is made, then the rule is applied. If any of the matching criteria do not match, then neither will the definition, and Defendpoint will attempt to match against subsequent definitions in the application group.

Defendpoint will continue this process for subsequent application groups defined in application rules until a successful match is made and the rule is applied. If no matches are made, then no rule will be applied to the application, and it will run as normal.

The Defendpoint Client must match every definition you configure before it will trigger a match (the rules are combined with a logical AND).

Application definitions that require a match can also be negated. To target applications that do not match the definition, select does NOT match from the drop-down.

Application Requests Authorization

The application requires authorization, so you need to approve that request. This covers anything in macOS that has a padlock on the dialog box, or where the system requires authorization to change something. You can match on the Auth Request URI, which is unique to the application.

When an application triggers an authorization request, the application will use a unique Auth Request URI. This URI will be different to the URI of the application itself. This matching criteria allows you to target any authorization request by matching the Auth Request URI, so that you can target that specific Auth Request URI and apply your own controls.

This matching criteria can be used in combination with other criteria to target authorization requests from specific applications, if more than one application uses the same Auth Request URI.

When this matching criteria is used in a definition, it will only match the authorization request of the application, and not the execution of the application. If you want to apply rules to both the application execution and the application authorization request, then separate definitions must be created for each.

If you want to apply different rules to application execution and application authorization requests, then definitions must be added to different application groups and applied to different application rules.

This matching criteria includes the following matching options:

• Auth Request URI (for example system.preferences.datetime)
• Exact Match
• Starts With
• Ends With
• Contains
• Regular Expressions. See Regular Expressions Syntax detailed on page 148 for more information.

Each option supports the use of wildcards:

? - matches any one character
* - matches any string of characters
?* - matches any string that contains at least one character

Command Line Arguments

The Command Line Arguments matching criteria allows you to target a binary or sudo command based on the arguments passed to the command that is being executed on the command line. Command Line Arguments can be executed either through the Terminal, or through a script. With this matching criteria you can apply a specific action (such as block, allow or just audit) to specific Command Line Arguments, rather than just applying actions to the use of the binary or sudo command.

The Command Line Arguments matching criteria will match specifically the arguments passed to the binary or sudo command. The following example shows a command for listing the contents of the /Applications directory:

    MyMac:~ standarduser$ ls -la /Applications

• ls is the binary being executed, and is targeted by using the File or Folder Name matching criteria in a Binary definition.
• -la /Applications are the arguments being passed to ls, and are targeted by using the Command Line Arguments matching criteria in a Binary definition.

Defendpoint will only match the command line arguments, which will not include the beginning binary or sudo command being executed. If you want to match both the binary / sudo command and the command line, then both the File or Folder Name and the Command Line Arguments matching criteria must be enabled and populated in the definition.

This matching criteria allows you to target all, or just parts of, the command line being used. This is achieved by inserting wildcards into the Command Line Arguments string, defining which part of the command line you want to match, or by using a regular expression.

This matching criteria includes the following matching options:

• Command Line Arguments (for example -la /Applications)
• Exact Match
• Starts With
• Ends With
• Contains
• Regular Expressions. See Regular Expressions Syntax detailed on page 148 for more information.

Each option supports the use of wildcards:

? - matches any one character
* - matches any string of characters
?* - matches any string that contains at least one character

This matching criteria can be used with the following application types:

• Binaries
• Sudo Commands

You can match on any command line argument with the exception of those listed in Mac Command Arguments Not Supported detailed on page 143.
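The matching options, the wildcard rules, the case sensitivity on macOS, 'does NOT match' and the logical AND across a definition's criteria are shared by the Auth Request URI and Command Line Arguments criteria above and by the File or Folder Name, Publisher and URI criteria later in this section. The following added Python example (not part of this guide or of Defendpoint) implements those semantics so a pattern can be tried against a property value before it goes into a definition. Criterion, compile_option, definition_matches and split_command_line are the example's own names; apart from the page's own ls -la /Applications, /Applications/iTunes.app, com.apple.iTunes and system.preferences.datetime values, the paths and URIs are constructed samples.

```python
"""Matching options, wildcards, negation and AND across criteria.

Added example (not Avecto's code) implementing the semantics stated in the
guide for string matching criteria such as Auth Request URI, Command Line
Arguments, File or Folder Name, Publisher and URI:
  - Exact Match / Starts With / Ends With / Contains / Regular Expressions;
  - ? matches one character, * any string, so ?* needs at least one character;
  - matching is case sensitive on macOS;
  - 'does NOT match' negates a criterion;
  - all criteria of a definition must match (logical AND);
  - Command Line Arguments are matched WITHOUT the leading binary.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


def wildcard_to_regex(pattern: str) -> str:
    """Translate ? and * into regex; every other character is taken literally."""
    pieces = []
    for ch in pattern:
        if ch == "?":
            pieces.append(".")
        elif ch == "*":
            pieces.append(".*")
        else:
            pieces.append(re.escape(ch))
    return "".join(pieces)


def compile_option(option: str, pattern: str) -> "re.Pattern[str]":
    if option == "Regular Expressions":
        return re.compile(pattern, re.DOTALL)
    body = wildcard_to_regex(pattern)
    anchored = {
        "Exact Match": f"^{body}$",
        "Starts With": f"^{body}",
        "Ends With": f"{body}$",
        "Contains": body,
    }[option]
    return re.compile(anchored, re.DOTALL)  # no IGNORECASE: case sensitive on macOS


@dataclass
class Criterion:
    prop: str             # property name, e.g. "Command Line Arguments"
    option: str
    pattern: str
    negate: bool = False  # 'does NOT match'

    def matches(self, props: Dict[str, str]) -> bool:
        value = props.get(self.prop)
        hit = value is not None and compile_option(self.option, self.pattern).search(value) is not None
        return hit != self.negate


def definition_matches(criteria: List[Criterion], props: Dict[str, str]) -> bool:
    """Every criterion in the definition must match (logical AND)."""
    return all(c.matches(props) for c in criteria)


def split_command_line(cmdline: str) -> Tuple[str, str]:
    """Separate the binary from its arguments; only the arguments are matched."""
    parts = cmdline.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def demo() -> Dict[str, bool]:
    _binary, args = split_command_line("ls -la /Applications")  # the guide's example command
    ls_props = {"File or Folder Name": "/bin/ls", "Command Line Arguments": args}
    itunes = {"File or Folder Name": "/Applications/iTunes.app", "URI": "com.apple.iTunes"}
    bare = {"File or Folder Name": "/Applications/.app"}                      # constructed edge case
    datetime_auth = {"Auth Request URI": "system.preferences.datetime"}
    translocated = {"File or Folder Name": "/private/var/folders/xy/AppTranslocation/1234/d/Tool.app"}  # constructed
    app_glob = Criterion("File or Folder Name", "Exact Match", "/Applications/?*.app")
    return {
        "args_only_exact": Criterion("Command Line Arguments", "Exact Match", "-la /Applications").matches(ls_props),
        "binary_not_in_args": Criterion("Command Line Arguments", "Starts With", "ls").matches(ls_props),
        "binary_and_args": definition_matches([Criterion("File or Folder Name", "Ends With", "/ls"),
                                               Criterion("Command Line Arguments", "Starts With", "-la")], ls_props),
        "case_sensitive": Criterion("File or Folder Name", "Exact Match", "/bin/LS").matches(ls_props),
        "wildcard_app": app_glob.matches(itunes),
        "wildcard_needs_one_char": app_glob.matches(bare),
        "auth_uri_prefix": Criterion("Auth Request URI", "Starts With", "system.preferences.").matches(datetime_auth),
        "auth_uri_negated": Criterion("Auth Request URI", "Starts With", "system.preferences.", negate=True).matches(datetime_auth),
        "regex_uri": Criterion("URI", "Regular Expressions", r"^com\.apple\.[A-Za-z]+$").matches(itunes),
        "translocation": Criterion("File or Folder Name", "Contains", "/AppTranslocation/").matches(translocated),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The binary_not_in_args case is the point the guide stresses: a Command Line Arguments pattern beginning with the binary name never matches, because the binary is not part of the matched string; the wildcard_needs_one_char case shows the difference between * and ?*.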

File or Folder Name matches

This matching criteria allows you to target applications based on their name / path on disk. It is an effective way of automatically whitelisting applications that are located in trusted areas of the filesystem (for example /Applications or /System), and for targeting specific applications based on their full path.

This matching criteria can be used in combination with other criteria in a definition, giving you more granularity over which applications you can target based on their properties. Although you may enter relative file names, we strongly recommend that you enter the full path to a file.

Applications can be matched on the file or folder name. You can choose to match based on the following options (wildcard characters ? and * may be used):

• File or Folder Name (for example /Applications/iTunes.app)
• Exact Match
• Starts With
• Ends With
• Contains
• Regular Expressions. See Regular Expressions Syntax detailed on page 148 for more information.

Each option supports the use of wildcards:

? - matches any one character
* - matches any string of characters
?* - matches any string that contains at least one character

You can match on a file path that contains or starts with the /AppTranslocation/ folder; however, we recommend you block all applications attempting to run from this location to ensure that unsigned applications are not run. Instead, we recommend you run applications from the /Applications/ folder.

File Hash (SHA-1 Fingerprint)

This definition ensures that the contents of the application (which can normally be edited by any user) remain unchanged, as changing a single character in the script will cause the SHA-1 Hash to change.

A File Hash is a digital fingerprint of an application, generated from the contents of the application binary or bundle. Changing the contents of an application will result in an entirely different hash. Every application, and every version of the same application, has a unique hash. Defendpoint uses hashes to compare the application being executed against a hash stored in the configuration.

File Hash matching is the most specific criteria, as it can be used to ensure that the application being run is the exact same application that was used when creating the definition, and that it has not been modified.

This matching criteria includes the following matching options:

• File Hash

This matching criteria can be used with the following application types:

• Binaries
• Bundles
• Packages
• System Preferences
• Sudo Commands

Although File Hash is the most reliable matching criteria for matching a specific application, you must ensure that definitions are kept up to date. When updates are applied to the endpoint, new versions of applications may be added, and so their SHA-1 hashes will be different. Applications on different versions of OS X or macOS will also have different SHA-1 hashes.

File Version matches

If the application you entered has a File Version property, then it is automatically extracted and you can choose to Check Min Version and/or Check Max Version and edit the version number fields.

For application types that have defined versions, you can optionally use the File Version matching criteria to target applications of a specific version or range of versions. This allows you to apply rules and actions to certain versions of an application, for example blocking an application if its version is less than the version defined in the definition.

File Version matching can be applied either as a minimum required version, as a maximum required version, or you can use both to define a range of versions (between a minimum and a maximum).

This matching criteria includes the following matching options:

• File Min Version
• File Max Version

This matching criteria can be used with the following application types:

• Bundles
• System Preferences

Parent Process matches

This option can be used to check if an application's parent process matches a specific application group. You must create an application group for this purpose or specify an existing application group in the Parent Process group. Setting match all parents in tree to True will traverse the complete parent/child hierarchy for the application, looking for any matching parent process, whereas setting this option to False only checks the application's direct parent process.

When a new application executes it is executed by another process, or 'parent' process. In most cases on OS X and macOS, the parent process will be launchd. However, sometimes applications like binaries and bundles are executed by other applications. For example, binaries like curl can be executed from the Terminal, and will be created as a child of the Terminal process. However, curl can also be used by applications.

The Parent Process matching criteria allows you to target applications based on their parent process, so that you can apply different rules and actions depending on where the application is being executed from. In the example above, you can use Parent Process matching to allow curl to be used by an authorized application, but still block users from executing it directly in the Terminal.

Parent Processes are defined as an application group, so that you can identify multiple parents without having to create multiple definitions. This also means that the parent process can be defined as any type of application (binary, bundle, system preference or package), using any of the relevant matching criteria for each application.

This matching criteria includes the following matching options:

• Parent Process Group (drop-down menu of all application groups that exist in the configuration)

This definition can be used with the following application types:

• Binaries
• Bundles
• Sudo Commands
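The difference between checking only the direct parent and setting match all parents in tree to True matters for the curl example above: curl typed into the Terminal has a shell as its direct parent, not Terminal itself. The following added Python example (not part of this guide or of Defendpoint) walks a constructed process table both ways. Process, ancestors, parent_matches and decide_curl are the example's own names, and the PIDs and paths are constructed sample data.

```python
"""Parent Process matching: direct parent vs. 'match all parents in tree'.

Added example (not Avecto's code). Assumes a process table of (pid, ppid,
executable path) and a Parent Process application group given as a set of
executable paths; both are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, Set


@dataclass(frozen=True)
class Process:
    pid: int
    ppid: int
    path: str


# Constructed process table: launchd (pid 1) is the root of both chains.
#   launchd -> Terminal -> bash -> curl      (a user typed curl into a shell)
#   launchd -> Backup.app -> curl            (an application invoked curl)
PROCESS_TABLE: Dict[int, Process] = {p.pid: p for p in [
    Process(1, 0, "/sbin/launchd"),
    Process(100, 1, "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"),
    Process(110, 100, "/bin/bash"),
    Process(120, 110, "/usr/bin/curl"),
    Process(200, 1, "/Applications/Backup.app/Contents/MacOS/Backup"),
    Process(210, 200, "/usr/bin/curl"),
]}

BACKUP_APP = "/Applications/Backup.app/Contents/MacOS/Backup"
TERMINAL = "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"


def ancestors(table: Dict[int, Process], pid: int) -> Iterator[Process]:
    """Yield parent, grandparent, ... up to launchd; stop at the root or on a cycle."""
    seen = {pid}
    current = table.get(pid)
    while current is not None:
        parent = table.get(current.ppid)
        if parent is None or parent.pid in seen:
            return  # launchd's ppid 0 is not in the table, so the walk ends there
        seen.add(parent.pid)
        yield parent
        current = parent


def parent_matches(table: Dict[int, Process], pid: int, parent_group: Set[str],
                   match_all_parents_in_tree: bool) -> bool:
    """True if the direct parent (or any ancestor, when the tree option is set) is in the group."""
    chain = list(ancestors(table, pid))
    if not match_all_parents_in_tree:
        chain = chain[:1]  # only the direct parent is checked
    return any(p.path in parent_group for p in chain)


def decide_curl(pid: int) -> str:
    """Allow curl only when an authorized application is somewhere in its parent tree."""
    authorized = {BACKUP_APP}
    return "Allow Execution" if parent_matches(PROCESS_TABLE, pid, authorized, True) else "Block Execution"


def demo() -> Dict[str, object]:
    return {
        "curl_from_backup_direct": parent_matches(PROCESS_TABLE, 210, {BACKUP_APP}, False),
        "curl_from_terminal_direct": parent_matches(PROCESS_TABLE, 120, {TERMINAL}, False),  # parent is bash
        "curl_from_terminal_tree": parent_matches(PROCESS_TABLE, 120, {TERMINAL}, True),
        "decision_shell": decide_curl(120),
        "decision_app": decide_curl(210),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the tree option off, a Parent Process group containing Terminal does not catch curl launched from a shell inside Terminal, because the direct parent is the shell; with it on, the walk reaches Terminal and the rule applies.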

Publisher matches

This option can be used to check for the existence of a valid publisher. If you have browsed for an application, then the certificate subject name will automatically be retrieved, if the application has been signed. For Windows system files the Windows security catalog is searched, and if a match is found then the certificate for the security catalog is retrieved. Publisher checks are supported on Executables, Control Panel Applets, Installer Packages, Windows Scripts and PowerShell Scripts. By default a substring match is attempted (Contains). Alternatively, you may choose to pattern match based on either a wildcard match (? and *) or a Regular Expression. The available operators are identical to the File or Folder Name definition.

Some applications are digitally signed with a certificate, giving a guarantee that the application is genuine and from a specific vendor. The certificate also ensures that the application has not been tampered with by an unauthorized source. The vendor who owns the certificate can be identified from certain properties of the certificate, which are referred to as Authorities. A certificate typically contains several Authorities linked together in a chain of trust.

If you want to check if an application has been digitally signed, and what the certificate Authorities are, use the following command. In this example it checks the certificate of the iTunes.app application bundle:

    codesign -dvvv /Applications/iTunes.app/

If the application has a certificate, there will be one or more Authorities listed in the output:

    Authority=Software Signing
    Authority=Apple Code Signing Certification Authority
    Authority=Apple Root CA

In the output, the first Authority listed is the authority most specific to the application. In this example, you can see that Apple uses the certificate Authority Software Signing to digitally sign iTunes.app.

With the Publisher matching criteria, you can target applications based on the publisher information contained in its certificate. This matching criteria can also be used in combination with other matching criteria, as a way of ensuring the application is a genuine application from the vendor.
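To turn codesign output into the value a Publisher definition needs, the following added Python example (not part of this guide or of Defendpoint) parses the Authority= lines and returns the first, most specific, Authority. The two sample outputs are constructed around the lines shown above; the Identifier= line is where codesign reports the bundle identifier that the URI criteria matches on, and "code object is not signed at all" is the text codesign prints for an unsigned bundle. parse_kv, authorities, publisher and bundle_uri are the example's own names. Running codesign itself only happens in main() and requires macOS; the parsing runs anywhere.

```python
"""Reading the Authority chain from codesign output.

Added example (not Avecto's code). The sample outputs below are constructed to
mirror the lines shown in the guide; the real command is only run from main().
"""
import subprocess
from typing import Dict, List, Optional

# Constructed sample: an Apple-signed bundle (only the lines needed here are shown).
SIGNED_OUTPUT = """\
Executable=/Applications/iTunes.app/Contents/MacOS/iTunes
Identifier=com.apple.iTunes
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
"""

# Constructed sample: what codesign reports for an unsigned bundle.
UNSIGNED_OUTPUT = "/Users/someone/Downloads/Tool.app: code object is not signed at all\n"


def parse_kv(output: str) -> Dict[str, List[str]]:
    """Collect key=value lines; keys such as Authority repeat, so values are lists."""
    fields: Dict[str, List[str]] = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def authorities(output: str) -> List[str]:
    """The Authority chain in the order codesign prints it (leaf first, root last)."""
    return parse_kv(output).get("Authority", [])


def publisher(output: str) -> Optional[str]:
    """The first Authority is the most specific: the value to use in a Publisher definition."""
    chain = authorities(output)
    return chain[0] if chain else None


def bundle_uri(output: str) -> Optional[str]:
    """Identifier= holds the bundle identifier that the URI matching criteria targets."""
    ids = parse_kv(output).get("Identifier", [])
    return ids[0] if ids else None


def codesign_output(path: str) -> str:
    """Run codesign -dvvv on a real bundle (macOS only; codesign writes the details to stderr)."""
    result = subprocess.run(["codesign", "-dvvv", path], capture_output=True, text=True)
    return result.stdout + result.stderr


if __name__ == "__main__":
    import sys
    text = codesign_output(sys.argv[1]) if len(sys.argv) > 1 else SIGNED_OUTPUT
    print("Publisher:", publisher(text))
    print("Chain:", " -> ".join(authorities(text)))
    print("URI:", bundle_uri(text))
```

An unsigned bundle yields no Authority= lines at all, so publisher() returns None; a definition that matches on Publisher therefore cannot match it, which is the behaviour to rely on when Publisher is combined with other criteria to confirm an application is genuine.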

All apps downloaded from the Apple Store will have certificates with the same authority, as Apple re-signs all applications before making them available in the Apple Store.

This matching criteria includes the following matching options:

• Publisher (for example, the Publisher for Apple applications is Software Signing)
• Exact Match
• Starts With
• Ends With
• Contains
• Regular Expressions. See Regular Expressions Syntax detailed on page 148 for more information.

Each option supports the use of wildcards:

? - matches any one character
* - matches any string of characters
?* - matches any string that contains at least one character

This definition can be used with the following application types:

l Binariesl Bundlesl Packagesl System Preferencesl Sudo Commands

SourceIf an application was downloaded using a web browser, this option can be used to check where the application orinstaller was originally downloaded from. The application is tracked by Defendpoint at the point it is downloaded, sothat if a user decided to run the application or installer at a later date, the source can still be verified. By default asubstringmatch is attempted (Contains). Alternatively, you can choose to patternmatch based on either a wildcardmatch (? and *) or a Regular Expression. The available operators are the same as the File or Folder Namedefinition.

URIEvery macOS application bundle has a defined Uniform Resource Identifier (URI), a property that uniquelyidentifies the application to the system. URI’s follow a specific structure, typically referencing the vendor andapplication. For example, the URI for Apple iTunes is com.apple.iTunes.

The URI matching criteria provides an effective way of targeting applications where the filename or file pathmaynot always be known. It is also an effective way of targeting applications from a specific vendor.

This matching criteria can also be used in combination with other matching criteria, as a way of ensuring the application is a genuine application from the vendor.

This is the Unique Request Identifier for the application bundle. You can choose to match based on the following options (wildcard characters ? and * may be used):


l URI (For example, com.apple.iTunes)
l Exact Match
l Starts With
l Ends With
l Contains
l Regular Expressions. See Regular Expressions Syntax detailed on page 148 for more information.

Each option supports the use of wildcards:
? - matches any one character
* - matches any string of characters
?* - matches any string that contains at least one character

This definition can be used with the following application types:

l Bundles
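The Publisher and URI criteria above share the same five matching options and the same two wildcards. The following Python is an added example, not code from the guide or from Avecto, that implements those options as a policy engine would evaluate them, and then combines a URI criterion with a Publisher criterion the way the text suggests for confirming an application is genuinely from a vendor. The treatment of a Regular Expression as matching anywhere in the value (so you anchor with ^ and $ when you mean the whole value) is an assumption, as is the rule that a criterion for which the application has no value fails; the sample application and rule are constructed.

```python
import re

# The five "Perform Match Using" options the guide lists for Publisher and URI criteria.
MATCH_MODES = ("Exact Match", "Starts With", "Ends With", "Contains", "Regular Expressions")


def wildcard_to_regex(pattern: str) -> str:
    """Translate the guide's wildcard syntax into a regular-expression fragment.

    ? matches exactly one character and * matches any string (including the
    empty string), so ?* falls out naturally as "at least one character".
    Everything else is escaped so the '.' in com.apple.iTunes stays literal.
    """
    out = []
    for ch in pattern:
        if ch == "?":
            out.append(".")
        elif ch == "*":
            out.append(".*")
        else:
            out.append(re.escape(ch))
    return "".join(out)


def matches(value: str, pattern: str, mode: str, case_sensitive: bool = True) -> bool:
    """Evaluate one matching option against a value such as a Publisher name or a bundle URI.

    Matching is case sensitive by default, as the guide states for all criteria.
    Assumption: in 'Regular Expressions' mode the pattern is used as-is and
    matches anywhere in the value (re.search), so anchor it to pin the whole value.
    """
    if mode not in MATCH_MODES:
        raise ValueError(f"unknown match mode: {mode!r}")
    flags = 0 if case_sensitive else re.IGNORECASE
    if mode == "Regular Expressions":
        return re.search(pattern, value, flags) is not None
    fragment = wildcard_to_regex(pattern)
    anchored = {
        "Exact Match": rf"\A{fragment}\Z",
        "Starts With": rf"\A{fragment}",
        "Ends With": rf"{fragment}\Z",
        "Contains": fragment,
    }[mode]
    return re.search(anchored, value, flags) is not None


def definition_matches(app: dict, definition: dict) -> bool:
    """Combine several criteria (for example URI plus Publisher); every criterion must match.

    `definition` maps a criterion name to a (pattern, mode) pair and `app` maps the
    same names to observed values. Assumption: a criterion the app has no value for fails.
    """
    return all(
        name in app and matches(app[name], pattern, mode)
        for name, (pattern, mode) in definition.items()
    )


if __name__ == "__main__":
    # Constructed sample: an App Store bundle as the guide describes one.
    itunes = {"URI": "com.apple.iTunes", "Publisher": "Software Signing"}
    apple_store_rule = {
        "URI": ("com.apple.?*", "Exact Match"),            # any Apple bundle id with a non-empty suffix
        "Publisher": ("Software Signing", "Exact Match"),  # the App Store re-signing authority
    }
    print(definition_matches(itunes, apple_store_rule))  # True
```

Pairing a vendor-prefixed URI pattern with an Exact Match on the Publisher is the stronger check: a URI alone is a string any bundle can declare, whereas the Publisher comes from the code signature.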

6.2.7 - Management of Disk Mounted Images

Defendpoint examines each Disk Mounted Image (DMG) and, if there are one or more application bundles in the Disk Image where the application is associated with a Defendpoint 'Allow' rule, the user is allowed to copy those bundle(s) to the System Applications folder on the endpoint.

If the applications do not have a Defendpoint 'Allow' rule, the copying of the bundle defaults to normal macOS functionality, where admin credentials are required to copy the bundle to the System Applications folder. Standard macOS functionality is used if anything other than an 'Allow' rule is associated with the application bundle in the DMG, such as 'Block' or 'Passive'.

Configuration of the defendpoint.plist File

Management of DMGs is enabled by default, but it can be turned off by editing the defendpoint.plist file.

The location for the defendpoint.plist file is:

/Library/Application Support/Avecto/Defendpoint/defendpoint.plist

The MountAssistant key should be set to false to turn off the Defendpoint management of DMG files (it is set to true by default):

<key>MountAssistant</key><false/>

You need to restart the defendpointd daemon after you have edited the defendpoint.plist file for any changes to take effect. This can either be done by restarting the machine or by running these commands from your terminal:

sudo launchctl unload /com.avecto.defendpointd.plist
sudo launchctl load /com.avecto.defendpointd.plist


Format of Messages

Within the defendpoint.plist file, in the key tag, you can also modify the string that is used for the messaging.

The format of the messages is a 'key' and 'string' tag:

<key>MountMessageAllow</key><string>Allow copying "[APP_NAME]" from "[MOUNT_NAME]" to Applications?</string>

The following placeholders can be used:

l [APP_NAME] - Replaced by the Application Name.
l [MOUNT_NAME] - Replaced by the Volume Name of the mounted DMG.

When you enter your own strings for the above keys, the formatting is 'what you see is what you get'. For example, if you press Enter then you will get a new line.

You can configure the message that is displayed to the user at the endpoint in the following scenarios:

l MountMessageAllow - Message that appears when a DMG containing an allowed bundle is mounted.
l MountMessageNoteSame - Message that appears in smaller text below the 'MountMessageAllow' message if the bundle is allowed, but the same version exists in the destination.
l MountMessageNoteNewer - Message that appears in smaller text below the 'MountMessageAllow' message if the bundle is allowed but a newer version of the bundle exists in the destination.
l MountMessageNoteOld - Message that appears in smaller text below the 'MountMessageAllow' message if the bundle is allowed but an older version of it exists in the destination.
l MountNotificationSuccess - Message that appears in the macOS notification center when the copying process succeeds.
l MountNotificationFailure - The message that appears in the macOS notification center when the copying process fails.

If the message keys above have not been set, Defendpoint uses the default values/strings.


If you enter the <key> but do not specify the <string>, then the message will be empty.

You must use escaped characters for valid XML, such as the examples below:

Symbol   Escaped Form
"        &quot;
&        &amp;
'        &apos;
<        &lt;
>        &gt;

Message Examples

The following examples show sample messages in the defendpoint.plist file.

<key>MountMessageAllow</key><string>Allow copying "[APP_NAME]" from "[MOUNT_NAME]" to Applications?</string>

<key>MountMessageNoteSame</key><string>Note: same version of the item named "[APP_NAME]" already exists in this location.</string>

<key>MountMessageNoteNewer</key><string>Note: a newer version of the item named "[APP_NAME]" already exists in this location.</string>

<key>MountMessageNoteOlder</key><string>Note: an older version of the item named "[APP_NAME]" already exists in this location.</string>

<key>MountNotificationSuccess</key><string>"[APP_NAME]" was successfully copied from "[MOUNT_NAME]" into the Applications folder.</string>

<key>MountNotificationFailure</key><string>"[APP_NAME]" was not successfully copied from "[MOUNT_NAME]" into the Applications folder.</string>
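The MountAssistant key, the message keys, the escape table and the empty-string rule from the preceding pages are all things an administrator can check before deploying an edited defendpoint.plist. The following Python is an added example, not code from the guide or from Avecto; it parses a constructed plist with the standard plistlib module (which decodes the XML entities for you), reports which documented message keys are empty or absent, flags placeholders that are not one of the two the guide allows, and provides an escape helper that applies the table above. The sample plist content, the mistyped placeholder and the helper names are constructed for the example; the real file on an endpoint will contain other keys as well.

```python
import re
import plistlib
from xml.sax.saxutils import escape

# Message keys the guide documents for DMG handling, and the placeholders it allows.
MESSAGE_KEYS = (
    "MountMessageAllow", "MountMessageNoteSame", "MountMessageNoteNewer",
    "MountMessageNoteOlder", "MountNotificationSuccess", "MountNotificationFailure",
)
PLACEHOLDERS = ("[APP_NAME]", "[MOUNT_NAME]")

# Constructed sample of a defendpoint.plist (not taken from a real install).
# MountMessageNoteSame is deliberately empty and the failure message carries a
# mistyped placeholder, so that the audit below has something to report.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>MountAssistant</key><false/>
    <key>MountMessageAllow</key><string>Allow copying &quot;[APP_NAME]&quot; from &quot;[MOUNT_NAME]&quot; to Applications?</string>
    <key>MountMessageNoteSame</key><string></string>
    <key>MountNotificationFailure</key><string>&quot;[APP_NAME]&quot; was not copied from &quot;[MOUNT_NME]&quot; &amp; needs admin credentials.</string>
</dict>
</plist>
"""


def escape_for_plist(text: str) -> str:
    """Apply the guide's escape table so text can be pasted inside a <string> element."""
    return escape(text, {'"': "&quot;", "'": "&apos;"})


def load_settings(xml: bytes) -> dict:
    """Parse the plist; entities such as &quot; and &amp; come back as plain characters."""
    return plistlib.loads(xml)


def mount_assist_enabled(cfg: dict) -> bool:
    """DMG management is on unless MountAssistant is explicitly false (the documented default is true)."""
    return bool(cfg.get("MountAssistant", True))


def audit_messages(cfg: dict) -> dict:
    """Report keys that are present but empty (the endpoint shows an empty message),
    keys that are absent (Defendpoint uses its defaults) and any [..] token that is
    not one of the two documented placeholders."""
    empty = [k for k in MESSAGE_KEYS if k in cfg and cfg[k] == ""]
    missing = [k for k in MESSAGE_KEYS if k not in cfg]
    unknown = sorted({
        token
        for k in MESSAGE_KEYS
        if isinstance(cfg.get(k), str)
        for token in re.findall(r"\[[A-Z_]+\]", cfg[k])
        if token not in PLACEHOLDERS
    })
    return {"empty": empty, "missing": missing, "unknown_placeholders": unknown}


def render(template: str, app_name: str, mount_name: str) -> str:
    """Substitute the placeholders the way the endpoint does when it shows the message."""
    return template.replace("[APP_NAME]", app_name).replace("[MOUNT_NAME]", mount_name)


if __name__ == "__main__":
    cfg = load_settings(SAMPLE_PLIST)
    print("DMG management enabled:", mount_assist_enabled(cfg))   # False
    print(audit_messages(cfg))
    print(render(cfg["MountMessageAllow"], "iTunes.app", "iTunes"))
    print(escape_for_plist('Allow "x" & <y>'))                      # Allow &quot;x&quot; &amp; &lt;y&gt;
```

Running the audit against the sample reports MountMessageNoteSame as empty, the three keys the sample omits as missing, and [MOUNT_NME] as an unknown placeholder; a placeholder typo like that would otherwise reach the user verbatim in the notification.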

6.2.8 - Inserting a Binary

Matching criteria is case sensitive.

1. Select the application group you want to add the binary control to.
2. Right-click and select Insert Application > Binary.
3. Enter a File or Folder Name or click Template to choose a template.
4. Enter a description or accept the default and click Next. You can leave the Description blank to match on all binaries.


5. You need to configure the matching criteria for the binary. You can configure:

l File or Folder Name matches detailed on page 100
l File Hash (SHA-1 Fingerprint) detailed on page 100
l Application Requests Authorization detailed on page 98
l Command Line Arguments detailed on page 99
l Publisher matches detailed on page 102
l Parent Process matches detailed on page 101

6. Click Finish. The Binary is added to the application group.

6.2.9 - Inserting a Bundle

Matching criteria is case sensitive.

1. Select the application group you want to add the bundle control to.
2. Right-click and select Insert Application > Bundle.
3. Enter a File or Folder Name or click Template to choose a template.
4. Enter a description or accept the default and click Next. You can leave the Description blank to match on all bundles.
5. You need to configure the matching criteria for the bundle. You can configure:

l File or Folder Name matches detailed on page 100
l File Hash (SHA-1 Fingerprint) detailed on page 100
l Source detailed on page 103
l File Version matches detailed on page 101
l URI detailed on page 103
l Application Requests Authorization detailed on page 98
l Publisher matches detailed on page 102
l Parent Process matches detailed on page 101

6. Click Finish. The Bundle is added to the application group.

6.2.10 - Inserting a Package

Matching criteria is case sensitive.

1. Select the application group you want to add the package to.
2. Right-click and select Insert Application > Package.
3. Enter a File or Folder Name or click Template to choose a template.
4. Enter a description or accept the default and click Next. You can leave the Description blank to match on all packages.
5. You need to configure the matching criteria for the package. You can configure:

l File or Folder Name matches detailed on page 100
l File Hash (SHA-1 Fingerprint) detailed on page 100
l Application Requests Authorization detailed on page 98
l Publisher matches detailed on page 102

6. Click Finish. The Package is added to the application group.


6.2.11 - Inserting a Sudo Command

Matching criteria is case sensitive.

1. Select the application group you want to add the sudo command to.
2. Right-click and select Insert Application > Sudo Command.
3. Enter a File or Folder Name or click Template to choose a template.
4. Enter a description or accept the default and click Next. You can leave the Description blank to match on all sudo commands.
5. You can leave the Description blank to match on all sudo commands.
6. You need to configure the matching criteria for the sudo command. You can configure:

l File or Folder Name matches detailed on page 100
l File Hash (SHA-1 Fingerprint) detailed on page 100
l Command Line Arguments detailed on page 99
l Publisher matches detailed on page 102
l Parent Process matches detailed on page 101

7. Click Finish. The Sudo command is added to the application group.

Sudo Switches

Defendpoint supports running sudo commands with the following switches:

l -b, --background
l -e, --edit - this switch needs configuring in Defendpoint for it to be supported, see Edit -e Switch detailed on the next page
l -i, --login
l -S, --stdin
l -s, --shell
l -V, --version

When a sudo command is run, Defendpoint ignores any switches that have been used and will match the rest of the command against the application definition. If Defendpoint matches against a rule that allows execution, the sudo command runs with any supported switches that were used. Any switches that are not supported by Defendpoint are ignored.

If Defendpoint matches on a passive rule or doesn't match any rules, then the sudo command runs with any supported or unsupported switches that have been used.

The -l, --list switch, which lists the commands that the user is allowed to run, does not take into account the commands that are restricted by Defendpoint.


Edit -e Switch

The -e, --edit switch, also known as sudoedit, allows the user to edit one or more files using their preferred text editor. The text editor is defined by setting the SUDO_EDITOR, VISUAL or EDITOR environment variable in their Terminal session. Otherwise, the default editor, Vim, is used. To configure your policy to support the -e switch, you need to set up a sudo command application rule so that:

l The File or Folder Name definition is set to 'sudoedit' with the Perform Match Using set to 'Exact Match'
l The Command Line Arguments definition is set to the path of the file(s) that you want to control using this rule

For example, the application definition shown in the following screenshot supports the sudo command sudo -e /etc/hosts.

The audit log will show an application of /usr/bin/sudo and the command line arguments will have -e prepended to them.
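The two preceding passages describe how a typed sudo command line is reduced before it is matched (switches are ignored, the rest is matched against the definition), which switches survive on an allowed match, and how a -e invocation is rewritten to the 'sudoedit' form the rule is written against. The following Python is an added example, not code from the guide or from Avecto, that models exactly that reduction so you can reason about what a given rule will and will not cover. It handles only switches that take no argument (all of the supported ones listed above are of that kind), checks rules by exact string comparison, and treats the audit record for non-sudoedit commands as the command followed by its arguments; that last point, and the function names, are assumptions. The sample command lines are constructed.

```python
import shlex
from dataclasses import dataclass

# Switches the guide lists as supported by Defendpoint for sudo commands.
SUPPORTED_SWITCHES = {
    "-b", "--background", "-e", "--edit", "-i", "--login",
    "-S", "--stdin", "-s", "--shell", "-V", "--version",
}


@dataclass
class SudoInvocation:
    switches: list   # switches typed before the command; dropped when matching
    command: str     # compared with the rule's File or Folder Name
    args: list       # compared with the rule's Command Line Arguments


def parse_sudo(cmdline: str) -> SudoInvocation:
    """Split a typed sudo command line into the parts an application definition sees.

    Leading switches are collected and removed, as the guide says Defendpoint
    ignores them when matching. Only argument-less switches are handled here.
    A -e / --edit (or the sudoedit alias) is rewritten to the 'sudoedit' form
    the guide tells you to write the rule against, with the file paths as args.
    """
    argv = shlex.split(cmdline)
    if not argv or argv[0] not in ("sudo", "/usr/bin/sudo", "sudoedit"):
        raise ValueError("not a sudo command line")
    switches = ["-e"] if argv[0] == "sudoedit" else []
    rest = argv[1:]
    while rest and rest[0].startswith("-"):
        switches.append(rest.pop(0))
    if "-e" in switches or "--edit" in switches:
        return SudoInvocation(switches, "sudoedit", rest)
    if not rest:
        raise ValueError("no command given to sudo")
    return SudoInvocation(switches, rest[0], rest[1:])


def rule_matches(inv: SudoInvocation, rule: dict) -> bool:
    """Exact-match rule check, e.g. {'name': 'sudoedit', 'args': '/etc/hosts'}.
    A rule without 'args' matches any arguments (assumption for this example)."""
    if inv.command != rule["name"]:
        return False
    return "args" not in rule or " ".join(inv.args) == rule["args"]


def effective_switches(inv: SudoInvocation, decision: str):
    """Switches the command actually runs with, following the guide:
    'allow'   -> only switches Defendpoint supports are kept
    'passive' -> every switch typed is kept, same as when no rule matches ('none')
    'block'   -> the command does not run (None)
    """
    if decision == "block":
        return None
    if decision == "allow":
        return [s for s in inv.switches if s in SUPPORTED_SWITCHES]
    if decision in ("passive", "none"):
        return list(inv.switches)
    raise ValueError(f"unknown decision {decision!r}")


def audit_arguments(inv: SudoInvocation) -> dict:
    """What the guide says the audit log records for a sudoedit rule: the
    application is /usr/bin/sudo and the arguments have -e prepended.
    Assumption: for ordinary commands the command and its args are recorded as-is."""
    if inv.command == "sudoedit":
        return {"application": "/usr/bin/sudo", "arguments": " ".join(["-e", *inv.args])}
    return {"application": "/usr/bin/sudo", "arguments": " ".join([inv.command, *inv.args])}


if __name__ == "__main__":
    inv = parse_sudo("sudo -e /etc/hosts")               # constructed sample
    print(inv)                                             # command='sudoedit', args=['/etc/hosts']
    print(rule_matches(inv, {"name": "sudoedit", "args": "/etc/hosts"}))  # True
    print(audit_arguments(inv))                            # arguments '-e /etc/hosts'
```

The point worth noticing is the 'passive' branch: a passive rule or no rule at all lets unsupported switches through, so a definition that only covers the command name does not constrain how sudo is invoked; only an 'Allow' match filters the switches down to the supported set.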

6.2.12 - Inserting a System Preference Pane

Matching criteria is case sensitive.

1. Select the application group you want to add the system preference pane to.
2. Right-click and select Insert Application > Bundle.
3. Enter an Auth Request URI or click Template to choose a template.
4. Enter a description or accept the default and click Next. You can leave the Description blank to match on all bundles.
5. You need to configure the matching criteria for the system preference pane. You can configure:

l File or Folder Name matches detailed on page 100
l File Hash (SHA-1 Fingerprint) detailed on page 100
l Source detailed on page 103
l File Version matches detailed on page 101
l Application Requests Authorization detailed on page 98
l Publisher matches detailed on page 102

6. Click Finish. The System Preference Pane is added to the application group.

6.2.13 - Inserting Applications from Templates

Application templates provide a simple way to pick from a list of known applications. A standard set of templates are provided that cover basic administrative tasks.

There are two ways you can insert applications into Application Groups. If you want to insert multiple applications from the Avecto templates you need to add the applications from the template menu, see Use the Add Apps to Template Menu detailed below for more information.

Use the Add Apps to Template Menu

1. Select the application group you want to add the application to.
2. Right-click and select Insert Application > Application Template. Choose one or more applications to add to the application group. You can select multiple rows using standard Windows functionality.
3. Click Insert to add the applications.

6.3 - Messages

You can define any number of end user messages and notifications. Messages and notifications are displayed when a user's action triggers a rule (application / on-demand or content rule). Rules can be triggered by an application launch or block or when content is modified.

Messages provide an effective way of alerting the user before an action is performed. For example, before elevating an application or allowing content to be modified, or advising that an application launch or content modification has been blocked.

Messages give the user information about the application or content, the action taken, and can be used to request information from the user. Messages also allow authorization and authentication controls to be enforced before access to an application is granted.

Messages are customizable with visual styles, corporate branding and display text, so you are offered a familiar and contextual experience. Messages are assigned to application rules. A message will display different properties depending on which of these targets it is assigned to. To view the differences a Preview option allows you to toggle between the Application Preview and the Content Preview. This is available from the Preview drop-down menu located in the top-right corner of the details pane.

Once defined, a message may be assigned to an individual rule in the Workstyles Rules tab by editing the rule. Depending on the type of workstyle you've created, Defendpoint may auto-generate certain messages for you to use.

6.3.1 - Creating Messages

To create a message:

1. Select the Messages node in the relevant workstyle. The right-hand pane displays the All Messages page.
2. Right-click and click New Message.


3. Select a message template from the first drop down. You can choose from:

l Allow Message (Audit)
l Allow Message (enter Reason)
l Allow Message (with Authentication)
l Allow Message (with Challenge)
l Auth Request Replacement Message
l Block Message
l Request Message (enter Reason)

4. You can change the other options if required to customize it to your business.
5. If you select the check box Show the details of the application being executed, the Program Name, Program Publisher and Program Path names and variables are hidden from the preview and the message that is displayed on the endpoint.
6. Click OK to finish creating your message.

A new message will be created. You may now further refine the message by selecting it and editing the Design and the Text options available beneath each message.

6.3.2 - Message Name and Description

You can change the name and description of a message by right-clicking on the message and selecting Rename or Properties respectively.

6.3.3 - Message Design

You can configure the following aspects of a message:

l Message Header Settings detailed below
l User Reason Settings detailed on page 113
l User Authorization detailed on page 113
l Sudo User Authorization detailed on page 113
l Challenge / Response Authorization detailed on page 113

As you change the message options, the preview message updates to show you your changes in real-time. Program and content information is shown with placeholders.

Once you have configured the message options you can configure the Message Text detailed on page 115, which includes the ability to configure different languages.

The options here are pre-selected based on the type of message that you created but you can override those options if required.

Message Header Settings

The message header is highlighted here:


Header Style

This is preconfigured. You can choose to remove the header entirely or select from one of the templates provided.

Choose from:

l No Header
l Defendpoint Header
l Warning Header
l Question Header
l Error Header

Show Title Text

This check box is selected by default. You can clear it to remove the text adjacent to the icon if required.

Text Color

This controls the color of the text adjacent to the icon. To change the color of the text, click the Custom option and select the color you require.

Background Type

This option controls the color behind the text and icon. If you select Solid then only Color 1 is available for you to change. If you select Gradient then both Color 1 and Color 2 can be configured. If you select Custom Image then you can't configure the colors as you will upload a custom image in the next section.

Custom Image

This section allows you to choose from one of a number of pre-set custom images or you can click Manage Image to upload one of your own. The recommended image size is 450 pixels wide and 50 pixels high.

Color 1

This option is available if you selected Solid for the Background Type. Select Custom and choose the color you want for the background.


Color 2

This option is available if you selected Gradient for the Background Type. Select Custom and choose the second color you want for the background. Color 1 is the first color for Gradient backgrounds.

User Reason Settings

This option determines whether to prompt the end user to enter a reason before an application launches (Allow Execution message type) or to request a blocked application (Block Execution message type).

You can choose to have a text box below the message to allow the end user to enter a reason. This is already selected for you for the Reason Required message but you can override it here if required. Choose from Off or Text box in the Show User Reason Prompt drop-down. The pre-defined drop-down entries can be configured on the Message Text tab.

User Authorization

You can use the Authorization Type drop-down to choose from 'None', 'User must authorize' or 'Designated user must authorize'. An additional Username and Password field is added to the message for 'User must authorize' or 'Designated user must authorize'. You can use User must authorize to force the user to re-enter their credentials and check that they really do want to run the application.

If you select a method that is not available to the user, then the user will be unable to authorize the message.

The Authentication Method drop-down will show 'Password only' if you selected User must authorize or Designated user must authorize. This cannot be changed as it's the only method of authentication supported for macOS.

If you selected Designated user must authorize you need to click Edit Users to designate which users can authorize the message.

Sudo User Authorization

You can use the Don't ask for password if already entered drop-down to control how frequently the user has to enter a password to use the sudo command. This option is only enabled if the User Authorization detailed above has been set to 'User must authorize' or 'Designated user must authorize'. The available options are:

l Ask every time
l Less than 1 minute ago
l Less than 5 minutes ago
l Less than 15 minutes ago
l Only ask once per session

Challenge / Response Authorization

You can select the Enabled check box for Challenge / Response Authorization to add a challenge code to the message. This check box is already selected if you selected a Challenge message. If you have already created a workstyle with a challenge message in then the policy will already have a challenge / response key. Select Change Key and enter a new challenge / response code twice to change it.

Enabled - Set this option to Yes to present the user with a challenge code. In order for the user to proceed, they must enter a matching response code. Note that when this option is enabled for the first time, you will be requested to enter a shared key. For more information, see Challenge / Response Authorization detailed on page 117. You can click Edit Key to change the shared key for this message.

After the third failure to enter a valid response code, the message will be canceled and the challenge code will be rejected. The next time the user attempts to run the application, they will be presented with a new challenge code. Failed attempts are accumulated even if the user clicks Cancel between attempts.

Image Manager

The Image Manager associated with message creation allows you to Add, Modify, Export and Delete images that are referenced in message headers.

All images are stored inside the workstyles as compressed and encoded images.

It is strongly recommended that you delete any unused images to minimize the size of the policies, as Defendpoint does not automatically delete unreferenced images.

The Image Manager is accessible from the Message Design tab. Click the Manage Images button next to the Custom Image drop-down menu.

To upload an image:

1. Click Upload Image. The Import Image status dialog box appears. Click Choose file and browse to the location of the file.
2. Select the image and enter an Image Description. Click OK.
3. The image will be uploaded into Image Manager.

Images must be *.png format and be sized between 450x50


To edit an image:

1. In the Custom Image field select Manage Images.
2. Select the image in the list and click Edit.
3. The Image Properties dialog box appears.
4. Alter the description and click OK.

To delete an image:

1. Select the image in the list and click Delete.
2. When prompted, click Yes to delete the image.

If an image is referenced by any messages then you will not be allowed to delete it.

6.3.4 - Message Text

l General detailed below
l Publisher detailed below
l User Reason detailed below
l User Authentication detailed below
l Challenge / Response Authorization detailed on the next page
l Buttons detailed on the next page

After you have made a change to the message text, click Update to see your changes applied to the preview message.

Mac does not support multiple languages.

General

Header Message controls the text to the right of the icon in the header if it's shown.

Body Message controls the text at the top of the main message.

Publisher

Verification Failure controls the text that is displayed next to the Publisher if the publisher verification fails.

Defendpoint verifies the publisher by checking that there is a publisher and also checking that the certificate associated with that publisher is signed. Defendpoint does not check to see if the certificate has been revoked, due to the length of the lookup process, which would rely on network connectivity. Instead, Privilege Guard relies on the Certificate Store to be kept up to date with revoked certificates, which would be a standard operation as the full chain should be in the local certificate store.

User Reason

Reason controls the text above the field where the end user can enter their reason.

Reason Error Message controls the text that is displayed if the end user clicks Yes and doesn't enter a reason.

User Authentication

User name controls the text adjacent to the field where the user would enter their user name.

Password controls the text adjacent to the field where the user would enter their password.


Unauthorized credentials controls the text that is displayed if the end user enters credentials that aren't valid for the requested operation.

Challenge / Response Authorization

Header text controls the text that introduces the challenge / response authorization.

Hint text controls the text that is in the response code field for challenge / response messages.

Information Tip Text controls the text above the challenge and response code fields.

Error Message Text controls the text that is displayed to the end user if they enter an incorrect response code and click Yes.

Buttons

OK Button controls the text that is displayed on the button that appears on the bottom right.

Cancel Button controls the text that is displayed on the button that appears next to the Yes button.

Depending on the message options the message box will have either one or two buttons:

l For a prompt the message box will have OK and Cancel buttons.
l For a blocking message with Allow user to email an application request enabled the message box will have OK and Cancel buttons. It is highly recommended you change the OK button text to be "Email", unless you make it clear in the message text that the OK button will send an email request.
l For a blocking message with Allow user to email an application request disabled the message box will only have an OK button.

You can change the OK Button and Cancel Button text. For instance, you can change it to "Yes" and "No" if you are asking the end user a question.

Buttons

l OK Button
l Cancel Button

Challenge Response Designated User Option

Challenge / Response provides an additional level of control for access to applications and privileges.

An extra aspect of this feature is Designated User authorization. When this option is enabled a designated user such as a system administrator can authorize the elevation in place of (or in addition to) a Challenge Response code.

Input                                                                                     | Outcome
Valid Challenge / Response code only is provided                                          | Application runs as logged on user
Valid Challenge / Response code is provided and valid (but not required) credentials are provided | Application runs as logged on user
Invalid Challenge / Response code is provided but valid credentials are provided          | Application runs as authorizing user
No Challenge / Response code is provided but valid credentials are provided               | Application runs as authorizing user

For more information on Designated User settings see the Authorization Settings section of Challenge / Response Authorization detailed below.

Challenge / Response Authorization

Challenge / Response authorization provides an additional level of control for access to applications and privileges, by presenting users with a 'challenge' code in an end-user message. In order for the user to progress, they must enter a corresponding 'response' code into the message.

Any policy that has a message in with challenge / response needs a shared key. This key is defined when you set up the first challenge / response message in your policy although you can change it later if required. If you create a workstyle containing a challenge / response message or you create a new challenge / response message and you are not prompted to create a shared key then there is already a shared key for the policy. You cannot view this shared key, however you can change it here if required.

Challenge / Response authorization is configured as part of the end-user messages, and can be used in combination with any other authorization and authentication features of Defendpoint messaging.

Users will be presented with a different, unique challenge code each time a challenge / response message is displayed.

Challenge and response codes are presented as an 8 digit number, to minimize the possibility of incorrect entry. When a user is presented with a challenge code, the message may be canceled without invalidating the code. If the user runs the same application, they will be presented with the same challenge code. This allows users to request a response code from IT helpdesks who may not be immediately available to provide a response.

For more information on configuring challenge / response authorization enabled end user messages, see Message Design detailed on page 111.

There are two main configuration options available for how challenge codes are presented to users:

l Authorization Period (per-application) - For each application, challenge codes can be optionally presented to a user for One Use Only, Entire Session, Forever or As defined by helpdesk, depending on the level of control and flexibility you want to apply to the user and application.
l Maximum Attempts - This option determines how many attempts the user has to enter a successful response code for each new challenge. There are two options available, Unlimited which will allow the user to try entering the response code an unlimited number of times, or Three Attempts which will only allow a maximum of three attempts to enter a correct response code before the message is cancelled and the challenge code is invalidated.

If a challenge code is invalidated due to excessive failed attempts, the user will be presented with a new challenge code the next time they attempt to run the application. Failed attempts are remembered even if the user clicks Cancel between attempts.

It is recommended that Three Attempts is enabled to prevent the user from attempting to guess response codes through brute force retries.
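The rules the last few paragraphs lay down for a challenge code (8 digits; the same code is shown again after Cancel; failed attempts accumulate across Cancel; the third failure under Three Attempts invalidates the code and the next run gets a fresh one; Unlimited never invalidates) form a small state machine, and the reason for preferring Three Attempts is easiest to see when that state machine is written out. The following Python is an added example, not code from the guide or from Avecto. The way a response is derived from the shared key is not documented here, so the response_for function is a stand-in (an HMAC over the challenge under the shared key, reduced to 8 digits) chosen only so that the tracker has something to verify; treating a correct response as consuming the code (the One Use Only period) and the class and function names are likewise assumptions, and the application name and shared key are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def new_challenge_code() -> str:
    """An 8-digit challenge code, the length the guide describes."""
    return f"{secrets.randbelow(10 ** 8):08d}"


def response_for(shared_key: str, challenge: str) -> str:
    """Stand-in for the helpdesk's response generator (assumption: the real
    derivation is not documented in the guide). HMAC-SHA256 over the challenge
    under the shared key, reduced to 8 digits, so only a holder of the key can answer."""
    digest = hmac.new(shared_key.encode(), challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10 ** 8:08d}"


@dataclass
class _Pending:
    code: str
    failed: int = 0


class ChallengeTracker:
    """Endpoint-side bookkeeping for one message's challenge codes.

    max_attempts=3 models the guide's 'Three Attempts' option; None models 'Unlimited'.
    """

    def __init__(self, shared_key: str, max_attempts=3, code_source=new_challenge_code):
        self._key = shared_key
        self._max = max_attempts
        self._pending = {}              # application -> _Pending
        self._new_code = code_source    # injectable so tests can use fixed codes

    def challenge_for(self, application: str) -> str:
        """Return the live code for this application. Cancelling the message does
        not invalidate it, so re-running the application shows the same code."""
        pending = self._pending.get(application)
        if pending is None:
            pending = self._pending[application] = _Pending(self._new_code())
        return pending.code

    def submit(self, application: str, response: str) -> bool:
        """Check a response. Failures accumulate across Cancel; once the limit is
        reached the code is invalidated and the next run gets a new one.
        Assumption: a correct response consumes the code ('One Use Only' period)."""
        pending = self._pending.get(application)
        if pending is None:
            raise LookupError("no challenge outstanding; call challenge_for first")
        expected = response_for(self._key, pending.code)
        if hmac.compare_digest(expected, response):
            del self._pending[application]
            return True
        pending.failed += 1
        if self._max is not None and pending.failed >= self._max:
            del self._pending[application]
        return False


if __name__ == "__main__":
    tracker = ChallengeTracker("constructed-shared-key-for-the-example!")
    code = tracker.challenge_for("Example.app")          # constructed application name
    print("challenge:", code)
    print("wrong guess accepted:", tracker.submit("Example.app", "00000000"))
    print("same code after a failure:", tracker.challenge_for("Example.app") == code)
    print("helpdesk response accepted:",
          tracker.submit("Example.app", response_for("constructed-shared-key-for-the-example!", code)))
```

With Unlimited, a code that stays valid across Cancel can be tried against indefinitely, and an 8-digit space is small enough for that to matter; with Three Attempts each code absorbs at most three guesses before it is replaced, which is the property the recommendation above relies on.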


Shared Key

The first time you create a Defendpoint end user message with a challenge, you are asked to create a shared key. The shared key is used by the Defendpoint Client to generate challenge codes at the endpoint.

Once you have entered a shared key, it is applied to all end user messages that have challenge / response authorization enabled in the same Defendpoint Settings.

To change the shared key:

1. Right-click the Messages node of a workstyle and select Set Challenge / Response Shared Key.
2. In the Challenge / Response Shared Key dialog box, replace the Enter Key and Confirm Key values with the new shared key.
3. Click OK to complete. If the two entries do not match exactly, you will be presented with a warning message.

We recommend that your shared key is at least 15 characters long and includes a combination of alphanumeric, symbolic, upper and lowercase characters. As a best practice, the shared key should be changed periodically.
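The recommendation above can be turned into a repeatable check. The following PowerShell is an added example, not Avecto's code or part of the Defendpoint PowerShell API: New-SharedKey and Test-SharedKeyComplexity are hypothetical helper names. The generator draws from the .NET cryptographic random number generator, guarantees one character from each class named in the recommendation, and the checker reports which requirement a candidate key fails, so a helpdesk-chosen key can be validated before it is entered in the dialog.

```powershell
# Added example (not Avecto's code): generate and check a challenge/response shared key
# that meets the guide's recommendation (>= 15 characters; upper, lower, digit and symbol).

function Test-SharedKeyComplexity {
    param([Parameter(Mandatory)][string]$Key)

    # Each requirement is checked separately so the caller can see which one failed.
    $checks = [ordered]@{
        'Length >= 15'  = ($Key.Length -ge 15)
        'Has uppercase' = ($Key -cmatch '[A-Z]')
        'Has lowercase' = ($Key -cmatch '[a-z]')
        'Has digit'     = ($Key -match '[0-9]')
        'Has symbol'    = ($Key -match '[^A-Za-z0-9]')
    }
    $failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key })
    [pscustomobject]@{
        Passed = ($failed.Count -eq 0)
        Failed = $failed
    }
}

function New-SharedKey {
    param([int]$Length = 24)   # comfortably above the 15-character minimum

    # Ambiguous glyphs (0/O, 1/l/I) are left out because the key is typed by hand.
    $upper  = 'ABCDEFGHJKLMNPQRSTUVWXYZ'
    $lower  = 'abcdefghijkmnopqrstuvwxyz'
    $digit  = '23456789'
    $symbol = '!#$%&*+-=?@^_~'
    $all    = $upper + $lower + $digit + $symbol

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 4
    $pick = {
        param([string]$Set)
        # Rejection sampling keeps each choice uniform over the character set.
        $limit = 4294967296 - (4294967296 % $Set.Length)
        do {
            $rng.GetBytes($buf)
            $n = [BitConverter]::ToUInt32($buf, 0)
        } while ($n -ge $limit)
        $Set[[int]($n % $Set.Length)]
    }

    # One character from every class first, then fill from the full set...
    $chars = @((& $pick $upper), (& $pick $lower), (& $pick $digit), (& $pick $symbol))
    while ($chars.Count -lt $Length) { $chars += (& $pick $all) }

    # ...then a Fisher-Yates shuffle so the class positions are not predictable.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $rng.GetBytes($buf)
        $j = [int]([BitConverter]::ToUInt32($buf, 0) % ($i + 1))
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    -join $chars
}

$key = New-SharedKey
Test-SharedKeyComplexity -Key $key      # Passed = True, Failed = {}
Test-SharedKeyComplexity -Key 'helpdesk2018'   # fails length, uppercase and symbol
```

Treat the generated value as a secret: it is the only thing standing between an end user and a valid response code, so store it in the helpdesk's password vault rather than in a ticket or e-mail.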

Generating a Response Code

There are two ways to generate a response code. You can either use the PGChallengeResponseUI.exe utility that is installed as part of the Defendpoint Policy Editor, or you can generate them directly within the MMC.

In order to generate a response code you must have set a Challenge / Response Shared Key. You are prompted to do this when you create any policy that has a Challenge / Response message assigned to it. Alternatively, you can set the Challenge / Response Shared Key from the home page of the Defendpoint Settings node by clicking Set Challenge / Response Shared Key.

You can generate a response code from the Defendpoint Management Console. This launches a tool called PGChallengeResponseUI.exe. This tool is part of your installation and can be used independently of the Defendpoint Management Console. The tool is installed to this path:

<Installation Dir>\Avecto\Privilege Guard Management Consoles\

To generate a response code in the Defendpoint Management Console:

1. Click the Defendpoint Settings node and then Tools on the right-hand side.
2. Click Response Code Generator.
3. Enter the shared key you have defined, and the challenge code from the end user.
4. The response code is generated once both the Shared Key and the 8 character challenge code have been entered.

The response value can then be sent to the end user to enter into their challenge dialog.

Chapter 7 - Deploying Defendpoint Policy

There are several ways to deploy a Defendpoint policy to your endpoints. This section discusses the various ways that this can be achieved.

7.1 - Group Policy Management

7.1.1 - Creating Defendpoint Settings

Defendpoint is implemented as an extension to Group Policy, enabling policy settings to be managed through the standard Group Policy management tools. Defendpoint also supports AGPM (Advanced Group Policy Management) from versions 2.5 to 4.0.

GPOs (Group Policy Objects) are usually managed through the GPMC (Group Policy Management Console). GPMC is a scriptable MMC (Microsoft Management Console) snap-in, providing a single administrative tool for managing Group Policy across the enterprise. GPMC is the standard tool for managing Group Policy.

Defendpoint also supports Local Computer Policy, which can be edited in the Group Policy Editor, but this is only recommended for small environments or for test purposes.

You may add Defendpoint Settings to existing GPOs or create new GPOs for this purpose.

To edit a GPO from the GPMC:

1. Launch the GPMC (gpmc.msc).
2. In the GPMC tree, double-click Group Policy Objects in the forest and domain containing the GPO that you want to edit.
3. Right-click the GPO and click Edit.

The Group Policy Management Editor appears. Defendpoint Settings are available in both the Computer Configuration and User Configuration nodes, which allow you to set either computer or user settings respectively. Computer settings are updated when a computer starts up, whereas user settings are updated when a user logs on. In addition, a background refresh occurs every 90 minutes by default, which will update settings while the user is logged on.

Once a client has updated its Defendpoint Settings through Group Policy, the settings are applied dynamically. Any logged on users do not need to log off for the changes to take effect.

Defendpoint Settings will either appear directly under the Computer Configuration and User Configuration nodes, or under the Policies sub-node, if it exists.

To create Defendpoint settings for a GPO:

1. In the Group Policy Management Editor, select the Defendpoint Settings node for either the Computer Configuration or User Configuration section, as appropriate.
2. On the Group Policy Management Editor Action menu, click Create Defendpoint Settings.
3. Right-click the Workstyles node and select Create Workstyle. Choose a controlling or a blank workstyle. Click Finish to create a workstyle based on your selection.

For information about workstyles, please see Workstyles detailed on page 34.

7.1.2 - Defendpoint Settings Scope

When deploying Defendpoint settings with Active Directory Group Policy there are two factors to consider: the management scope of the GPO you have selected, and the user or group accounts listed in the account filter section of a Defendpoint workstyle.

When you create a new Defendpoint workstyle you are given the option of applying a filter that will either target Standard users only or Everyone, including administrators.

Subsequently, you can further refine the sub-set of users that the workstyle will target by adding account filters. These are defined on the Filters tab of a workstyle, where you add groups and users (either domain or local) to the filter. Do not leave the account filters empty, or the workstyle will still apply to everyone.

Multiple account filters can be added to a workstyle if you need to add 'AND' logic to your filtering. For example, if you want to target a user who is a member of 'GroupA' AND 'GroupB', then add two account filters to an account filter, and select the box All items below must match.

You can also use computer filters to apply the workstyle to specific computers and connecting client devices. These can be used in combination with account filters to provide more specific targeting of user / computer combinations if required.

See Filters detailed on page 48 for more information.

7.1.3 - GPO Precedence and Inheritance Rules

Defendpoint Settings are associated with an Active Directory GPO and are distributed to all the computers and users under the management scope of the GPO. As a result, Defendpoint Settings are subject to the same Group Policy processing and precedence rules as standard Active Directory GPOs.

7.1.4 - Order of Processing

Group Policy settings are processed in the following order:

1. Local Group Policy Object – Each computer has exactly one GPO that is stored locally. This applies to both computer and user Group Policy processing.

2. Site – Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

3. Domain – Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

4. Organizational Units – GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.

At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts.

Defendpoint merges settings so that settings with a higher precedence will be processed first. Once an application matches a Defendpoint workstyle, no further workstyles will be processed for that application, so it is important to keep this in mind when multiple GPOs are applied.
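Because the first workstyle to match an application wins, it is worth confirming the effective GPO order for a target OU before deploying Defendpoint Settings in more than one GPO. The PowerShell below is an added example, not Avecto's code: it uses the Get-GPInheritance cmdlet from Microsoft's GroupPolicy module (RSAT), and Get-EffectiveGpoOrder and the OU distinguished name are assumptions chosen for illustration. Site-linked and domain-linked GPOs appear in the inherited list; the local GPO is not in Active Directory and so is not shown.

```powershell
# Added example (not Avecto's code). Lists the Active Directory GPOs that apply to an OU
# in the precedence order Group Policy uses, so the GPO whose Defendpoint Settings win a
# conflict can be identified before deployment. Requires the GroupPolicy module (RSAT).
Import-Module GroupPolicy -ErrorAction Stop

function Get-EffectiveGpoOrder {
    param(
        # Placeholder OU; replace with the OU that holds the target computers or users.
        [Parameter(Mandatory)][string]$TargetOu
    )
    $inh = Get-GPInheritance -Target $TargetOu

    # InheritedGpoLinks is already in effective precedence order: the first entry wins.
    # Enforced links and links cut off by Block Inheritance are already accounted for.
    $order = 0
    foreach ($link in $inh.InheritedGpoLinks) {
        $order++
        [pscustomobject]@{
            Precedence = $order              # 1 = highest precedence (processed last)
            Gpo        = $link.DisplayName
            Enabled    = $link.Enabled
            Enforced   = $link.Enforced
            LinkedAt   = $link.Target        # site, domain or OU where the link lives
        }
    }
    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "Block Inheritance is set on $TargetOu; GPOs linked above it apply only if enforced."
    }
}

Get-EffectiveGpoOrder -TargetOu 'OU=Workstations,DC=example,DC=internal' | Format-Table -AutoSize
```

Read the result top-down: a Defendpoint workstyle in the GPO at Precedence 1 is evaluated before any workstyle in the GPOs below it, so a broad "allow" workstyle there will mask a tighter rule in a lower-precedence GPO.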

7.1.5 - Exceptions to Default Order of Processing

The default order for processing settings is subject to the following exceptions:

• A GPO link may be enforced, or disabled, or both. By default, a GPO link is neither enforced nor disabled.
• A GPO may have its user settings disabled, its computer settings disabled, or all settings disabled. By default, neither user settings nor computer settings are disabled on a GPO.
• An organizational unit or a domain may have Block Inheritance set. By default, Block Inheritance is not set.

For information about the above modifications to default behavior, see Managing inheritance of Group Policy.

A computer that is a member of a workgroup processes only the local GPO.

7.1.6 - Defendpoint Settings Storage and Backup

Defendpoint stores its settings within Active Directory's SYSVOL folder, within the storage area for the relevant GPOs, which are identified by their GUIDs. The settings are stored in an XML file and Active Directory is then used as the distribution mechanism.

Defendpoint Settings can be backed up by one of the following methods:

1. Defendpoint Settings files will be backed up as part of a standard 'System State' backup, which organizations should be performing as part of their standard backup routines.

2. Perform a manual backup of a GPO from within the GPMC, which will back up the GPO settings and Defendpoint's XML files.

3. In addition, Defendpoint Settings may be manually exported and saved to a location of your choice. For more information on how to perform an export/import of policies, see Export detailed on page 21.

7.1.7 - Disconnected Users

Disconnected users are fully supported by Defendpoint. When receiving its settings from a GPO, Defendpoint automatically caches all the information required to work offline, so the settings will still be applied if the client is not connected to the corporate network. Of course, any changes made to the policy will not propagate to the disconnected computer until it reconnects to the domain and receives a Group Policy refresh. This behavior is identical to most of the standard Microsoft Group Policy settings.

Defendpoint also supports a completely standalone configuration mode, where the settings are configured via a Local Group Policy for that machine, or deployed in a standalone XML configuration file. Again, these settings contain all of the information required to apply these policies offline.

7.2 - Standalone Management

Although Defendpoint is implemented as a Group Policy extension, it also supports a standalone mode, which is independent of Group Policy.

Standalone mode allows you to deploy the Defendpoint Settings with an XML file. You will need to employ a suitable deployment mechanism to distribute the XML file to your client computers.

To run the Defendpoint Policy Editor in standalone mode:

1. Launch mmc.exe.
2. Select Add/Remove Snap-in from the File menu.
3. Select Defendpoint Settings from the available snap-ins and click Add.
4. Click OK.

The Defendpoint Policy Editor is now running in standalone mode and is not connected to a Group Policy Object (GPO).

On Windows 7 onwards, the Defendpoint Settings will be saved to the following local XML file:

%ALLUSERSPROFILE%\Avecto\Privilege Guard\PrivilegeGuardConfig.xml

If you installed the Defendpoint Client when you installed the Defendpoint Policy Editor, then the client will automatically apply the policies in this XML file. For this reason, it is strongly recommended that you do not install the client if you will be using the policy editor in standalone mode, unless you want the settings to be applied to your management computer. This may be the case if you are evaluating Defendpoint.

The Defendpoint settings are edited in the same way as when editing GPO based policies. To distribute the XML file to multiple clients you will need to export the policies to an XML file and then deploy it to the location specified above. The Defendpoint Client monitors this directory and will automatically load the XML file.

You must name the settings file PrivilegeGuardConfig.xml once it is deployed, otherwise the Defendpoint Client will not load the settings. If you make changes to the Defendpoint settings, redeploy the modified XML file and the Defendpoint Client will automatically reload the settings.
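The file name and folder above are the two things that most often go wrong in a standalone rollout, together with a malformed export that the client quietly ignores. The PowerShell below is an added example, not Avecto's code: Deploy-StandaloneConfig is a hypothetical helper and the staging path is a placeholder; the destination folder and mandatory file name are the ones the guide gives. It parses the export as XML before copying, keeps a timestamped copy of the previous configuration for rollback, and replaces the live file with a rename so the client never sees a half-written file.

```powershell
# Added example (not Avecto's code): stage an exported Defendpoint Settings XML as the
# standalone configuration the client loads. Destination path and file name come from the
# guide; the source path is a placeholder. Run elevated.
function Deploy-StandaloneConfig {
    param([Parameter(Mandatory)][string]$SourceXml)

    $destDir  = Join-Path $env:ALLUSERSPROFILE 'Avecto\Privilege Guard'
    $destFile = Join-Path $destDir 'PrivilegeGuardConfig.xml'   # this name is mandatory

    if (-not (Test-Path -LiteralPath $SourceXml)) {
        throw "Source file not found: $SourceXml"
    }

    # Refuse a file that is not well-formed XML: the client would fail to load it and
    # carry on with whatever settings it already had, which is easy to miss.
    $doc = New-Object System.Xml.XmlDocument
    try   { $doc.Load((Resolve-Path -LiteralPath $SourceXml).Path) }
    catch { throw "Source is not well-formed XML: $($_.Exception.Message)" }

    if (-not (Test-Path -LiteralPath $destDir)) {
        New-Item -ItemType Directory -Path $destDir -Force | Out-Null
    }

    # Keep the previous configuration so a bad policy can be rolled back quickly.
    if (Test-Path -LiteralPath $destFile) {
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        Copy-Item -LiteralPath $destFile -Destination "$destFile.$stamp.bak"
    }

    # Write under a temporary name in the same folder, then rename into place, so the
    # client (which watches this directory) never reads a partially written file.
    $tmp = Join-Path $destDir 'PrivilegeGuardConfig.xml.tmp'
    Copy-Item -LiteralPath $SourceXml -Destination $tmp -Force
    Move-Item -LiteralPath $tmp -Destination $destFile -Force

    # Return the hash so the deployed file can be compared with the approved export.
    Get-FileHash -LiteralPath $destFile -Algorithm SHA256
}

Deploy-StandaloneConfig -SourceXml 'C:\Staging\ExportedPolicy.xml'
```

Record the SHA256 the function returns alongside the change ticket; comparing it across endpoints is a quick way to confirm every client received the same policy.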

7.3 - PowerShell Management

The Avecto Defendpoint PowerShell API enables administrators to configure Defendpoint using PowerShell scripts. This enables integrations with external systems, and provides an alternative to using the Avecto management consoles.

Through the PowerShell API, you can create and modify any Defendpoint configuration within Domain Group Policy, Local Group Policy, or any local configuration. The PowerShell API is available on any computer where the Defendpoint Policy Editor or Defendpoint Client is installed.

For information on scripting Defendpoint configurations, refer to the Avecto Defendpoint PowerShell API document and the accompanying help file PowerShell API.chm. Both of these documents are installed with the Defendpoint Policy Editor, under C:\Program Files\Avecto\Privilege Guard Management Consoles\PowerShell\.

7.3.1 - Windows PowerShell Execution Policy

The PowerShell execution policy must be set to AllSigned (using the Set-ExecutionPolicy cmdlet) before running any Defendpoint cmdlets/scripts.

The default PowerShell execution policy is Restricted, which stops any scripts running. Setting the execution policy to AllSigned enables scripts to be run as long as they are signed, as Defendpoint scripts are.

• AllSigned – Requires that all scripts and configuration files be signed by a trusted publisher, including scripts that you write on the local computer.

Set-ExecutionPolicy AllSigned

This article shows how to configure the setting using Group Policy: http://technet.microsoft.com/en-us/library/hh849812.aspx
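AllSigned only protects you if the scripts you run actually carry a valid signature from a publisher you trust, and the effective policy can differ from what was set locally when a Group Policy scope overrides it. The PowerShell below is an added example, not Avecto's code: Test-DefendpointScriptReadiness is a hypothetical helper; the folder is the install path the guide gives; Get-ExecutionPolicy and Get-AuthenticodeSignature are standard Windows PowerShell cmdlets.

```powershell
# Added example (not Avecto's code): confirm the effective execution policy is AllSigned
# and that every Defendpoint PowerShell script in the install folder has a valid
# Authenticode signature, before any of them is run. Folder path is from the guide.
function Test-DefendpointScriptReadiness {
    param(
        [string]$ScriptFolder = 'C:\Program Files\Avecto\Privilege Guard Management Consoles\PowerShell\'
    )

    # The effective policy is what counts: MachinePolicy/UserPolicy scopes set through
    # Group Policy override a LocalMachine value set with Set-ExecutionPolicy.
    $effective = Get-ExecutionPolicy
    if ($effective -ne 'AllSigned') {
        Write-Warning "Effective execution policy is '$effective'; the guide requires AllSigned."
        Get-ExecutionPolicy -List | Format-Table -AutoSize | Out-String | Write-Warning
    }

    Get-ChildItem -LiteralPath $ScriptFolder -Recurse -File -Include *.ps1, *.psm1, *.psd1 |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Script = $_.Name
                Status = $sig.Status     # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                # A valid signature with an expired timestamp still runs; one with no
                # timestamp stops being valid when the signing certificate expires.
                TimeStamped = [bool]$sig.TimeStamperCertificate
            }
        }
}

# Anything whose Status is not 'Valid' will be refused under AllSigned, or will prompt
# if the publisher is not yet trusted on this machine.
Test-DefendpointScriptReadiness | Format-Table -AutoSize
```

Run this once on the management host after installing or upgrading the Policy Editor; a HashMismatch on any file is a reason to stop and re-obtain the installer rather than relax the execution policy.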

7.3.2 - Executing PowerShell Configurations

PowerShell scripts and commands which use the Get-DefendpointSettings, Set-DefendpointSettings and Get-DefendpointFileInformation cmdlets must be executed with admin rights on the target computer. If you are elevating scripts and commands via the Defendpoint Remote PowerShell Management feature, you must ensure that an Add Administrator Rights Custom Token has been assigned which includes the following Groups settings:

• The Enable anti-tamper protection check box has been cleared.
• The Make sure the user is always the token owner check box has been selected.

When using PowerShell Management to apply changes to Defendpoint configurations stored in Active Directory Group Policy, you will require domain level write access to the Group Policy Object.

Configurations created and edited via PowerShell are not backwards compatible with older Defendpoint / Privilege Guard Clients, so we recommend that only configurations targeting version 4.0 Clients are managed through PowerShell scripting.

7.4 - Webserver Management

7.4.1 - Deploying Workstyles via Web Services

For instances where Active Directory Group Policy is not suitable, such as for clients outside of the corporate network, Defendpoint configurations may be hosted on a webserver via HTTP or HTTPS. The Defendpoint Client can be configured to download configurations on a schedule.

Webserver configurations should be implemented as a complement to other configuration deployment methods. Workstyle precedence can be customized so that webserver configurations are evaluated with the correct priority. See Workstyle Precedence detailed on page 37 for more information.

To create an XML configuration for deployment from a webserver, see Export detailed on page 21 and Import detailed on page 21. Defendpoint Clients may be configured to pull an XML configuration from a webserver during the installation of the Client MSI or EXE, or, for existing installations, can be configured via the Windows Registry.

7.4.2 - Webserver Enabled Client Installation

To install the Defendpoint Client with webserver configurations enabled, there are several command line arguments which can be used to configure the following settings:

Argument             Description
WEBSERVERMODE=       Enables webserver functionality (Required, 1 = Enabled)
WSP_URL=             Specifies the full URL (including XML filename) to the webserver configuration (Required)
WSP_INTERVAL=        Refresh interval for new configuration check in minutes (Optional, default 90 minutes)
WSP_LOGON=           Check for new configuration at user logon (Optional, default 1 = Enabled)
WSP_CERT=            The Common Name for a webserver certificate. When added, webserver downloads are only permitted if the common name matches the webserver certificate and the certificate is valid.
DOWNLOADAUDITMODE=   Specifies the level of auditing for attempts to download webserver configurations: 0 = No auditing, 1 = Failures only, 2 = Successes only, 3 = Audit both (default)
POLICYENABLED=       Specifies the policy deployment methods which are enabled. Add the value WEBSERVER to allow a webserver policy to be used by the Defendpoint Client. See Deployment Methods detailed on page 127 for more information.

Example:

Msiexec.exe /i DefendpointClient_x86.msi /qn /norestart WEBSERVERMODE=1 WSP_URL="http://MyWebServer.Internal/WebConfig.xml" WSP_INTERVAL=90 POLICYPRECEDENCE="WEBSERVER,GPO,LOCAL"

DefendpointClient_x86.exe /s /v" WEBSERVERMODE=1 WSP_URL=\"http://MyWebServer.Internal/WebConfig.xml\" WSP_INTERVAL=90 POLICYPRECEDENCE=\"WEBSERVER,GPO,LOCAL\""
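The examples above fetch the policy over plain HTTP, which lets anyone on the network path serve the client a policy of their choosing. The PowerShell below is an added example, not Avecto's code: it wraps the same msiexec installation using only the arguments from the table, but insists on HTTPS, sets WSP_CERT so the client also checks the certificate's common name, and turns on auditing of both successful and failed downloads. Install-DefendpointClientWebserver is a hypothetical helper; the MSI path, URL and common name are placeholders.

```powershell
# Added example (not Avecto's code): install the Defendpoint Client with webserver policy
# enabled over HTTPS, pinning the expected certificate common name and auditing both
# successful and failed downloads. Argument names are those in the table above; the
# MSI path, URL and common name are placeholders. Run elevated.
function Install-DefendpointClientWebserver {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [Parameter(Mandatory)][string]$ConfigUrl,         # full URL including the XML file name
        [Parameter(Mandatory)][string]$ServerCommonName,  # CN on the webserver's certificate
        [int]$RefreshMinutes = 90
    )

    # A policy fetched over HTTP can be swapped in transit; refuse anything but HTTPS.
    if (-not $ConfigUrl.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Configuration URL must use HTTPS: $ConfigUrl"
    }

    $logFile = Join-Path $env:TEMP 'DefendpointClient-install.log'
    $msiArgs = @(
        '/i', "`"$MsiPath`"", '/qn', '/norestart',
        'WEBSERVERMODE=1',
        "WSP_URL=`"$ConfigUrl`"",
        "WSP_INTERVAL=$RefreshMinutes",
        'WSP_LOGON=1',
        "WSP_CERT=`"$ServerCommonName`"",         # download only if the CN matches and the cert is valid
        'DOWNLOADAUDITMODE=3',                     # audit failures and successes (the default, made explicit)
        'POLICYENABLED="WEBSERVER,GPO,LOCAL"',
        'POLICYPRECEDENCE="WEBSERVER,GPO,LOCAL"',
        '/l*v', "`"$logFile`""                     # verbose MSI log for troubleshooting
    )

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # msiexec: 0 = success, 3010 = success with a reboot pending; anything else failed.
    [pscustomobject]@{
        ExitCode  = $proc.ExitCode
        Succeeded = ($proc.ExitCode -in @(0, 3010))
        Log       = $logFile
    }
}

Install-DefendpointClientWebserver -MsiPath 'C:\Staging\DefendpointClient_x64.msi' `
    -ConfigUrl 'https://policy.example.internal/WebConfig.xml' `
    -ServerCommonName 'policy.example.internal'
```

With DOWNLOADAUDITMODE=3 in place, the Config Download Success and Config Download Error events (IDs 210 and 211 in Chapter 8) give you a per-endpoint record of whether the hardened download path is working.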

7.4.3 - Enabling Webserver Policy Download via the Registry

At any time after the Defendpoint Client has been installed, webserver configuration may be set via the Windows registry. The following registry entries are valid under this key:

HKEY_LOCAL_MACHINE\Software\Avecto\Privilege Guard Client\

Value                                Type     Description
WebServerPolicyUrl                   REG_SZ   Specifies the full URL (including XML filename) to the webserver configuration (Required)
WebServerPolicyRefreshIntervalMins   DWORD    Refresh interval for new configuration check in minutes (Optional, default 90 minutes)
WebServerPolicyRefreshAtUserLogon    DWORD    Check for new configuration at user logon (Optional, default 1 = Enabled)
WebServerCertificateDisplayName      REG_SZ   The Common Name for a webserver certificate. When added, webserver downloads are only permitted if the common name matches the webserver certificate and the certificate is valid.
DownloadAuditMode                    DWORD    Specifies the level of auditing for attempts to download webserver configurations (0 = No auditing, 1 = Failures only, 2 = Successes only, 3 = Audit both (default))
PolicyEnabled                        REG_SZ   Specifies the policy deployment methods which are enabled. Add the value WEBSERVER to allow a webserver policy to be used by the Defendpoint Client. See Deployment Methods detailed on page 127 for more information.

7.5 - Configuration Precedence

Defendpoint supports a variety of deployment methods, and can accept multiple simultaneous configurations from any combination of the following:

• Group Policy – Configurations that are stored in Group Policy Objects, configured via GPMC (Active Directory Group Policy) and GPEdit (Local Group Policy). Group Policy based configurations are evaluated according to GPO precedence rules.
• Local Policy – A standalone configuration, which is stored locally, configured via MMC.
• Webserver Policy – A configuration located on a web server, accessible via HTTP(S) or FTP.
• McAfee ePO Policy – A configuration that is stored within McAfee ePO, configured via the ePO policy catalog.

Defendpoint uses a logical precedence to evaluate each configuration for matching rules. By default the client applies the following precedence:

ePO Policy > Webserver Policy > Group Policy > Local Policy

Configuration precedence settings can be configured either as part of the client installation, or via the Windows Registry once the client has been installed.

To modify configuration precedence at client installation, use one of the following command lines to install the Defendpoint Client with a specific configuration precedence:

msiexec /i DefendpointClient_x(XX).msi POLICYPRECEDENCE="EPO,WEBSERVER,GPO,LOCAL"

DefendpointClient_x(XX).exe /s /v" POLICYPRECEDENCE=\"EPO,WEBSERVER,GPO,LOCAL\""

Where (XX) represents 86 or 64 in relation to the 32-bit or 64-bit installation respectively.

To modify configuration precedence via the Registry, run Regedit.exe with elevated privileges (ensuring you are using a Defendpoint token with anti-tamper disabled) and navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Avecto\Privilege Guard Client

REG_SZ PolicyPrecedence = "EPO,WEBSERVER,GPO,LOCAL"

7.6 - Deployment Methods

Certain types of deployment method may be enabled or disabled. By default, all deployment types are enabled. To include or exclude a method of deployment from evaluation, edit the entries in the registry value below. If this value does not already exist, the default behavior is to include all methods:

HKEY_LOCAL_MACHINE\Software\Avecto\Privilege Guard Client

REG_SZ PolicyEnabled = "EPO,WEBSERVER,GPO,LOCAL"

Where "EPO,WEBSERVER,GPO,LOCAL" are the available deployment methods.

Registry settings may be deployed via the Advanced Agent Settings feature. For more information, see Advanced Agent Settings detailed on page 33. In order to apply a configuration deployment method via Advanced Agent Settings, the setting must be applied to a type of configuration that is already part of the configuration precedence order. For more information, see Configuration Precedence detailed on page 126.
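Sections 7.4.3, 7.5 and 7.6 all come down to writing values of the right type under the same key, and a DWORD entered as a string (or a misspelt value name) is simply ignored by the client. The PowerShell below is an added example, not Avecto's code: it writes the webserver download values, PolicyPrecedence and PolicyEnabled with the types the tables specify and then reads the key back so the value kinds can be checked. Set-DefendpointWebserverPolicy and Get-DefendpointPolicySettings are hypothetical helpers; the URL and common name are placeholders. As the guide notes, this must run elevated with a Defendpoint token that has anti-tamper disabled.

```powershell
# Added example (not Avecto's code): configure webserver policy download and the deployment
# precedence/enabled lists under the key from the guide, using the documented registry types,
# then read the key back. URL and certificate CN are placeholders.
$Key = 'HKLM:\Software\Avecto\Privilege Guard Client'

function Set-DefendpointWebserverPolicy {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$CertificateCommonName,
        [int]$RefreshMinutes = 90,
        [string[]]$Precedence = @('WEBSERVER', 'GPO', 'LOCAL'),
        [string[]]$Enabled    = @('WEBSERVER', 'GPO', 'LOCAL')
    )
    if (-not $Url.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Webserver policy URL should be HTTPS: $Url"
    }
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }

    # Each value with its documented type (REG_SZ -> String, DWORD -> DWord). The type is
    # as important as the data: a DWORD stored as a string is not read as a number.
    $values = @(
        @{ Name = 'WebServerPolicyUrl';                 Type = 'String'; Data = $Url },
        @{ Name = 'WebServerPolicyRefreshIntervalMins'; Type = 'DWord';  Data = $RefreshMinutes },
        @{ Name = 'WebServerPolicyRefreshAtUserLogon';  Type = 'DWord';  Data = 1 },
        @{ Name = 'WebServerCertificateDisplayName';    Type = 'String'; Data = $CertificateCommonName },
        @{ Name = 'DownloadAuditMode';                  Type = 'DWord';  Data = 3 },
        @{ Name = 'PolicyPrecedence';                   Type = 'String'; Data = ($Precedence -join ',') },
        @{ Name = 'PolicyEnabled';                      Type = 'String'; Data = ($Enabled -join ',') }
    )
    foreach ($v in $values) {
        # -Force overwrites an existing value, including one of the wrong type.
        New-ItemProperty -Path $Key -Name $v.Name -PropertyType $v.Type -Value $v.Data -Force | Out-Null
    }
}

function Get-DefendpointPolicySettings {
    # Read back what the client will see, with the registry value kind of each entry.
    $item = Get-Item -Path $Key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{
            Value = $name
            Kind  = $item.GetValueKind($name)     # String (REG_SZ) or DWord
            Data  = $item.GetValue($name)
        }
    }
}

Set-DefendpointWebserverPolicy -Url 'https://policy.example.internal/WebConfig.xml' `
    -CertificateCommonName 'policy.example.internal'
Get-DefendpointPolicySettings | Format-Table -AutoSize
```

Because PolicyEnabled only filters methods that are already listed in PolicyPrecedence, keep the two lists in step: the function above writes the same list to both unless you pass different values deliberately.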

7.7 - Mac Deployment

Defendpoint settings can be exported from the MMC as a standalone XML configuration file, which can be distributed to OS X and macOS endpoints using your own deployment strategy.

To export the Defendpoint Settings to an XML file:

1. Select the Defendpoint Settings node.
2. Right-click and select Export.
3. Select an appropriate destination for the exported XML file, ensuring the file is named local.xml.

7.7.1 - Adding Defendpoint Settings to a Mac Client computer

Defendpoint Settings are stored in the file /etc/defendpoint/local.xml, and can be overwritten with an exported XML file from the MMC. To prevent any invalid permissions being applied, it is recommended that this file is replaced using the following command. In this example, the source XML file is located on your Desktop:

sudo cp ~/Desktop/local.xml /etc/defendpoint/local.xml

The Defendpoint client will apply the new settings immediately, and does not require any restart.

Do not delete the local.xml file, as this will interfere with the client machine's ability to enforce policy. If the local.xml file is deleted from a client machine, replace the file and restart the machine.

Chapter 8 - Auditing and Reporting

The Defendpoint McAfee ePO Integration Pack includes a set of rich preconfigured dashboards, built in ePO Queries and Reports, which summarize Defendpoint event data collected from McAfee ePO managed computers.

Avecto also provide an enterprise level, scalable reporting solution in Defendpoint Enterprise Reporting. Defendpoint Enterprise Reporting (ER) includes a rich set of dashboards and reports designed to simplify the centralized management and auditing of Defendpoint activity throughout the desktop and server estate. Each dashboard provides detailed and summarized information regarding Application, User, Host and Workstyle usage. For more information contact Avecto.

For more information on how to configure Enterprise Reporting in ePO, please see the ePO Installation Guide.

8.1 - Events

The Defendpoint Client sends events to ePO using the McAfee Agent, and also to the local application event log, depending on the audit and privilege monitoring settings within the Defendpoint policy.

The following events are logged by the Defendpoint Client:

• Windows Process Events detailed below
• Mac Process Events detailed on page 131

8.1.1 - Windows Process Events

Event ID   Description
0          Service Control Success
1          Service Error
2          Service Warning
100        Process has started with admin rights added to token.
101        Process has been started from the shell context menu with admin rights added to token.
103        Process has started with admin rights dropped from token.
104        Process has been started from the shell context menu with admin rights dropped from token.
106        Process has started with no change to the access token (passive mode).
107        Process has been started from the shell context menu with no change to the access token (passive mode).
109        Process has started with user's default rights enforced.
110        Process has started from the shell context menu with user's default rights enforced.
112        Process requires elevated rights to run.
113        Process has started with custom token applied.
114        Process has started from the shell context menu with user's custom token applied.
116        Process execution was blocked.
118        Process started in the context of the authorizing user.
119        Process started from the shell menu in the context of the authorizing user.
120        Process execution was canceled by the user.
150        Defendpoint handled service control start action.
151        Defendpoint handled service control stop action.
152        Defendpoint handled service control pause/resume action.
153        Defendpoint handled service control configuration action.
154        Defendpoint blocked a service control start action.
155        Defendpoint blocked a service control stop action.
156        Defendpoint blocked a service control pause/resume action.
157        Defendpoint blocked a service control configuration action.
158        Defendpoint service control action run in the context of the authorizing user.
159        Defendpoint service control start action canceled.
160        Defendpoint service control stop action canceled.
161        Defendpoint service control pause/resume action canceled.
162        Defendpoint service control configuration action canceled.
198        Privileged group modification blocked.
199        Process execution was blocked, the maximum number of challenge / response failures was exceeded.

Configuration Events

Event ID   Category   Description
10                    License Error
200        Config     Config Load Success
201        Config     Config Load Warning
202        Config     Config Load Error
210        Config     Config Download Success
211        Config     Config Download Error

User / Computer Events

Event ID   Category   Description
300        User       User Logon
400        Service    Defendpoint Service Start
401        Service    Defendpoint Service Stop

Content Events

Event ID   Category   Description
600        Process    Content Has Been Opened (Updated Add Admin)
601        Process    Content Has Been Updated (Updated Custom)
602        Process    Content Access Drop Admin (Updated Drop Admin)
603        Process    Content Access Was Cancelled By The User (Updated Passive)
604        Process    Content Access Was Enforced With Default Rights (Updated Default)
605        Process    Content Access Was Blocked
606        Process    Content Access Was Cancelled
607        Process    Content Access Was Sandboxed
650        Process    URL Browse
706        Process    Passive Audit DLL
716        Process    Block DLL
720        Process    Cancel DLL Audit

Each process event contains the following information:

• Command line for the process
• Process ID for the process (if applicable)
• Parent process ID of the process
• Workstyle that applied
• Application group that contained the process
• End user reason (if applicable)
• Custom access token (if applicable)
• File hash
• Certificate (if applicable)

Each process event also contains Product properties, where applicable, but these can only be viewed in the Defendpoint Reporting Console.
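Not every ID in the tables above deserves the same attention from a SOC: blocks (116, 154 to 157, 198), the challenge/response lockout (199) and configuration load or download errors (202, 211) are the ones that indicate either an attempted privilege misuse or a broken policy channel. The PowerShell below is an added example, not Avecto's code: it queries the local Application log with Get-WinEvent for exactly those IDs and summarises them per user. Get-DefendpointAlerts is a hypothetical helper, and the provider name under which the Defendpoint Client registers its events is not given in this guide, so it is left as an optional parameter to be filled in from an endpoint rather than assumed.

```powershell
# Added example (not Avecto's code): pull the Defendpoint events most useful for detection
# from the local Application log and summarise them. Event IDs are from the tables above.
# The event provider name is not stated in the guide; supply it if you want to filter on
# it, otherwise the query filters on the IDs alone.
$HighSignalIds = @{
    116 = 'Process execution blocked'
    154 = 'Service start blocked'
    155 = 'Service stop blocked'
    156 = 'Service pause/resume blocked'
    157 = 'Service configuration blocked'
    198 = 'Privileged group modification blocked'
    199 = 'Blocked: challenge/response failure limit exceeded'
    202 = 'Config load error'
    211 = 'Config download error'
}

function Get-DefendpointAlerts {
    param(
        [int]$Hours = 24,
        [string]$ProviderName    # assumption: fill in from an endpoint; empty = IDs only
    )
    $filter = @{
        LogName   = 'Application'
        Id        = @($HighSignalIds.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    if ($ProviderName) { $filter['ProviderName'] = $ProviderName }

    # -ErrorAction SilentlyContinue: "no events found" is reported as an error by Get-WinEvent.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt  = $_
        $user = $null
        if ($evt.UserId) {
            try   { $user = $evt.UserId.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $user = $evt.UserId.Value }     # unresolvable SID: keep the raw SID
        }
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            Id      = $evt.Id
            Meaning = $HighSignalIds[$evt.Id]
            User    = $user
            # First line only; the full message carries command line, hash and workstyle.
            Summary = ($evt.Message -split "`r?`n")[0]
        }
    }
}

# Repeated 199s for one user point at guessing of the response code; a sudden spike of
# 116 across many hosts usually means a policy change broke a legitimate application.
Get-DefendpointAlerts -Hours 24 |
    Group-Object Id, User |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

For fleet-wide visibility the same IDs are the ones to forward to your SIEM or to build an ePO query on; the per-event fields listed above (command line, file hash, workstyle, application group) are what make a 116 or 199 actionable rather than just countable.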

8.1.2 - Mac Process Events

Event ID   Description
100        Process has started with admin rights added to token.
106        Process has started with no change to the access token (passive mode).
116        Process execution was blocked.
120        Process execution was canceled by the user.

8.1.3 - Auditing with Custom Scripts

When an application is allowed, elevated or blocked, Defendpoint will log an event to the application event log to record details of the action. If you want to record the action in a bespoke or third-party tracking system that supports PowerShell, VBScript or JScript based submissions, you can use the Run a Script setting within an application rule.

To add a new auditing script:

1. Create a new or edit an existing Application Rule within a workstyle.
2. In Run a Script, click on the Off value and in the drop-down menu, select Manage Scripts to open the Script Manager.
3. In the Script Manager, click New in the left-hand tree view. A new script will be added to the tree. Click the name 'New Script' once to rename the script.
4. In the right-hand script editor, enter your script code either manually, by copy/paste, or you can import a script from file by clicking Import.
5. In the Script Language drop-down menu, select either PowerShell, VBScript or JavaScript, depending on the code format you have entered.

PowerShell audit scripts can only be run in the System context.

6. Select a Timeout for how long the script will be allowed to execute before it is terminated. By default, this will be set to Infinite.
7. Select whether the script should be executed in the System context or the current User context from the Script Context drop-down menu.
8. Click OK to finish.

The new script will automatically be selected in the Run a Script setting.

If you have any existing scripts, these can be selected in the drop-down menu.

The auditing script supports the use of parameters within the script. Parameters are expanded using the COM interface PGScript. For example, in VBScript:

' Read workstyle parameters through the PGScript COM interface
strUserName = PGScript.GetParameter("[PG_USER_NAME]")
strCommandLine = PGScript.GetParameter("[PG_PROG_CMD_LINE]")
strAgentVersion = PGScript.GetParameter("[PG_AGENT_VERSION]")

For a list of available parameters, see the Workstyle Parameters.

Scripts created in the script editor can be reused in multiple application rules and on-demand application rules. Any modification to an existing script will affect all workstyle rules that have been configured to execute that script.


Appendix A - Appendices

- Troubleshooting detailed below
- Windows Specific detailed on page 143
- Mac Specific detailed on page 137
- Databases detailed on page 166

A.1 - Troubleshooting

A.1.1 - Resultant Set of Policy

Defendpoint provides full support for RSoP (Resultant Set of Policy). Resultant Set of Policy is usually accessed through the GPMC (Group Policy Management Console).

The GPMC supports two modes of operation for RSoP:

- Group Policy Modelling (RSoP planning mode)
- Group Policy Results (RSoP logging mode)

RSoP can be used to establish which policy applies to a particular user or computer to aid troubleshooting. Detailed HTML reports are generated, which may also be exported to aid policy documentation.

Group Policy Modelling

To run a Group Policy Modelling query (RSoP planning), perform the following steps from the Group Policy Management Console (GPMC):

1. Double-click the forest in which you want to create a Group Policy Modelling query.
2. Right-click Group Policy Modelling and click Group Policy Modelling wizard.
3. In the Group Policy Modelling wizard click Next and enter the appropriate information.
4. After completing the wizard, click Finish.
5. Right-click the node for the completed query in the console tree, and click Advanced View to launch the Resultant Set of Policy window.
6. Select the Defendpoint Settings node under the Computer Configuration or User Configuration node to view the RSoP HTML report for Defendpoint.

Defendpoint also appears in the Summary tab of the Group Policy Modeling node. Expand the Component Status section of the HTML report to find out whether RSoP data has been collected for Defendpoint.

Defendpoint does not appear in the Settings tab of the Group Policy Modeling node, as third-party Group Policy extensions are not detailed in this HTML report. You must use the Advanced View, as outlined above, to view Defendpoint workstyles for an RSoP query.

Group Policy Results

To run a Group Policy Results query (RSoP logging), perform the following steps from the GPMC:

1. Double-click the forest in which you want to create a Group Policy Results query.
2. Right-click Group Policy Results and click Group Policy Results wizard.
3. In the Group Policy Results wizard click Next and enter the appropriate information.
4. After completing the wizard, click Finish.
5. Right-click the node for the completed query in the console tree, and click Advanced View to launch the Resultant Set of Policy window.
6. Select the Defendpoint Settings node under the Computer Configuration or User Configuration node to view the RSoP HTML report for Defendpoint.

Defendpoint also appears in the Summary tab of the Group Policy Results node. Expand the Component Status section of the HTML report to find out whether RSoP data has been collected for Defendpoint.

Defendpoint does not appear in the Settings tab of the Group Policy Results node, as third-party Group Policy extensions are not detailed in this HTML report. You must use the Advanced View, as outlined above, to view Defendpoint workstyles for an RSoP query.

A.1.2 - Check Defendpoint is installed and functioning

If you are having problems the first step is to check that you have installed the client and that the client is functioning.

- Defendpoint - the graphical interface of Defendpoint on the toolbar for messages and end user interaction
- defendpointd - the Defendpoint daemon that manages interaction with Defendpoint
- dppolicyserverd - manages policy and communicates with defendpointd
- Custodian - manages authentication as required by Defendpoint

The easiest way to determine that the client is installed and functioning is to check for the existence of the Avecto Defendpoint Service in the Services Management Console. Ensure that this service is both present and started. The Defendpoint service is installed by the Defendpoint Client and should start automatically.

The Defendpoint service requires MSXML6 in order to load the Defendpoint settings, but the service will still run even if MSXML6 is not present.

Windows 7 and Windows Server 2008 R2 already include MSXML6.

A.1.3 - Check Settings are Deployed

Assuming the Defendpoint Client is installed and functioning, the next step is to check that you have deployed settings to the computer or user.

You can use RSoP logging mode to determine whether the computer has received settings. Assuming the RSoP query shows that Defendpoint Settings have been applied, you should check the contents of the settings (including licensing and workstyle precedence).

A.1.4 - Check that Defendpoint is Licensed

One of the most common reasons for Defendpoint not functioning is the omission of a valid license from the Defendpoint Settings. If you are creating multiple GPOs, then you must ensure that the computer or user receives at least one GPO that contains a valid license. To avoid problems, it is simpler to add a valid license to every set of Defendpoint Settings that you create.

A.1.5 - Check Workstyle Precedence

Assuming that Defendpoint is functioning and licensed, most other problems are caused by configuration problems or workstyle precedence problems.


Once an application matches an application group entry in the application rules or the on-demand application rules, then processing will not continue for that application. Therefore, it is vital that you order your entries correctly:

- If you create multiple workstyles then workstyles higher in the list have a higher precedence.
- If you have multiple rules in the application rules and the on-demand application rules sections of a workstyle then entries higher in the list have a higher precedence.

Application rules are applied to applications that are launched either directly by the user or by a running process. On-demand application rules are only applied to applications that are launched from the Defendpoint shell menu (if enabled).

If you have multiple GPOs applying to a user and/or computer then you should ensure that GPO precedence rules are not causing the problem. If multiple GPOs are applied to a computer or user then the Defendpoint Client will merge the computer GPOs and user GPOs by following Group Policy precedence rules. Once merged, the user workstyles will take precedence over the computer workstyles. In other words, the computer workstyles will only be processed if an application does not match an entry in the user workstyles.

For this reason, it is highly recommended that you do not create over-complex rules that rely on the merging of many GPOs, as this can become difficult to troubleshoot. If, however, it makes sense to split rules over multiple GPOs, you should make use of RSoP to ensure that workstyles are being combined correctly. You must also remember that computer and user workstyles are processed separately, with user workstyles always being processed ahead of computer workstyles, if both exist.


A.2 - Avecto End User Utilities

Defendpoint includes four end user utilities to enable users to manage advanced network adapter settings, printer settings, and software installations, as many of these capabilities would usually be hosted in the explorer shell, making it difficult to give these tasks elevated rights. These applications can also be managed using COM class elevation in your Defendpoint policy.

Name of Utility  Name of Executable
Avecto Network Adapter Utility  PGNetworkAdapterUtil.exe
Avecto Printer Management Utility  PGPrinterUtil.exe
Avecto Programs and Features Manager  PGProgramsUtil.exe
Avecto Task Manager  PGTaskManager.exe

A.2.1 - Adding these Applications to your Policy

In order to use these applications you need to add them to a policy so they can be elevated as required.

1. Create an Application Group for these applications with a name such as Avecto Utilities so you know what it contains.
2. Right-click the application group and Insert Application > Application Template. The Avecto Utilities are listed at the top of the list in alphabetical order.
3. Select one or more of the Avecto Utilities that you want to include and click Insert.
4. You can now choose an existing Workstyle or create a new Workstyle in your policy and add an Application Rule to target the Application Group you created. This Application Rule needs to elevate the applications in the Application Group.

Users who receive this policy can now use these Avecto utilities as required.

Avecto Network Adapter Manager

From this utility a user can modify the properties of a network adapter, rename an adapter or disable an adapter. To do this you need to use the PGNetworkAdapterUtil.exe application which can be found in the Defendpoint Client installation directory (usually C:\Program Files\Avecto\Privilege Guard Client).

Avecto Printer Manager

From this utility a user can add and delete printers, set their default printer, access printer properties and preferences, view the printer queue, access print server properties, and print a test page. To do this you need to use the PGPrinterUtil.exe application which can be found in the Defendpoint Client installation directory (usually C:\Program Files\Avecto\Privilege Guard Client).

Avecto Programs and Features Manager

From this utility a user can uninstall, change, and repair software that is installed on their computer. To do this you need to use the PGProgramsUtil.exe application which can be found in the Defendpoint Client installation directory (usually C:\Program Files\Avecto\Privilege Guard Client).

By default, the PGProgramsUtil will not display Windows Updates. To enable the option to show updates (via a toggle button), use the following command line switch:

PGProgramsUtil.exe /showupdates

Avecto Task Manager

From this utility a user can view and manage tasks that are currently running on the endpoint. To do this you need to use the PGTaskManager.exe application which can be found in the Defendpoint Client installation directory (usually C:\Program Files\Avecto\Privilege Guard Client).

A.3 - Mac Specific

A.3.1 - Mac Policy Structure and Precedence

Structure

Policies are stored in /etc/defendpoint/. For example:

- ic3.xml
- epo.xml
- mdm.xml
- local.xml

These policy names are not case-sensitive. All policies stored in this location must have the following permissions to ensure policy acceptance and system security:

- Ownership of the _defendpoint user and group, i.e. sudo chown _defendpoint:_defendpoint <policy path>
- Permission for the _defendpoint user and group to read the policy, but not other users, i.e. sudo chmod 660 <policy path>

The policy or policies that are read and loaded by the dppolicyserver are dependent on the settings under config.order in the defendpoint.plist.

If all policies are deleted, the local.xml policy is regenerated.

Precedence

The policy precedence is determined in the defendpoint.plist, which is stored at /Library/Application Support/Avecto/Defendpoint/defendpoint.plist

The defendpoint.plist is appended or created with the precedence list (as below) on start up or installation, but editing and saving the list is applied immediately.

<key>config.order</key>
<array>
<string>ic3</string>
<string>epo</string>
<string>mdm</string>
<string>local</string>
</array>

You can edit the defendpoint.plist file manually to change the policy precedence if required.

The dppolicyserverd will go through the policies under /etc/defendpoint/ by finding the first policy in the config.order, and if it cannot find a policy of that name it will progress to the next in the list.

If a policy (or policies) is found with the correct name it will load it, irrespective of whether it has a license.

A.3.2 - Multiple Mac Policies

For Mac estates being managed by ePO, multiple policies being applied simultaneously is supported, for example:

- epo.xml
- epo001.xml
- epo002.xml

In the example above, if the policy precedence is set for ePO policies, then rules processing will first check the rules in epo.xml. If no rules are found for the process in this policy then it will go through epo001.xml. Each policy is processed in alpha-numeric/C locale order. This continues until the process hits a rule or the dppolicyserverd reads all of the policies without finding a match.

If multiple policies are loaded, only one of them requires a Defendpoint license. We do not recommend you use multiple licenses in this configuration. Each policy can have a different Challenge-Response key.

Copied and pasted policies with altered rules are still processed; the dppolicyserverd log outputs whether it replaced GUIDs when loading them into memory if a duplicate was found.
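The following POSIX shell script is an added example that serves both A.3.1 and A.3.2 and is not part of the Defendpoint guide: it reads config.order from a defendpoint.plist, lists the policy files dppolicyserverd would load in processing order (the first name with a matching file wins, and epo/epo001/epo002 are ordered in the C locale), and checks each file's ownership and mode against the requirements above. It assumes an XML rather than binary plist, takes the plist path and policy directory as parameters so it can run against a constructed sample, and infers the "<name>NNN.xml" match from the ePO example.

```shell
#!/bin/sh
# Added example, not part of the Defendpoint guide. Assumptions: the plist
# is XML (readable with awk/sed); the plist path and policy directory are
# parameters; "<name>NNN.xml" next to "<name>.xml" is inferred from the
# epo/epo001/epo002 layout in the guide.

# Print the config.order entries of a defendpoint.plist, one per line.
dp_config_order() {
    plist="$1"
    # Keep only the <key>config.order</key> ... </array> block (which may sit
    # on a single line), then split on '<' so every <string> lands alone.
    awk '/<key>config.order<\/key>/ { inside = 1 }
         inside { print }
         inside && /<\/array>/ { inside = 0 }' "$plist" \
        | tr '<' '\n' \
        | sed -n 's/^string>//p'
}

# Print, in processing order, the policy files that would be loaded: the
# first config.order name with at least one file wins, and files sharing
# that name are ordered with the C locale. Exit 1 if nothing matches.
dp_resolve_policies() {
    plist="$1"; dir="$2"
    for name in $(dp_config_order "$plist"); do
        # Policy names are not case-sensitive, hence grep -i.
        found=$(ls "$dir" 2>/dev/null | LC_ALL=C sort \
                | grep -i '^'"$name"'[0-9]*\.xml$' || true)
        if [ -n "$found" ]; then
            printf '%s\n' "$found"
            return 0
        fi
    done
    echo "no policy in $dir matches any config.order entry" >&2
    return 1
}

# Check every policy in DIR is owned by OWNER:GROUP (default _defendpoint)
# and grants nothing to other users (mode 660). Exit 1 on any violation.
dp_check_policy_perms() {
    dir="$1"; owner="${2:-_defendpoint}"; group="${3:-_defendpoint}"; rc=0
    for f in "$dir"/*.xml; do
        [ -e "$f" ] || continue
        # GNU stat (Linux) and BSD stat (macOS) spell the format differently.
        if stat -c '%a %U %G' "$f" >/dev/null 2>&1; then
            set -- $(stat -c '%a %U %G' "$f")
        else
            set -- $(stat -f '%Lp %Su %Sg' "$f")
        fi
        mode="$1"; f_owner="$2"; f_group="$3"
        if [ "$f_owner" != "$owner" ] || [ "$f_group" != "$group" ]; then
            echo "$f: owned by $f_owner:$f_group, expected $owner:$group" >&2
            rc=1
        fi
        # The last octal digit is the 'other' class and must be 0.
        case "$mode" in
            *0) ;;
            *) echo "$f: mode $mode grants access to other users, expected 660" >&2
               rc=1 ;;
        esac
    done
    return $rc
}

# Build a constructed sample (not a real endpoint) in a temp directory and
# print its path: the guide's default order plus an ePO multi-policy layout.
dp_build_sample() {
    root=$(mktemp -d)
    mkdir "$root/policies"
    cat > "$root/defendpoint.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>config.order</key><array><string>ic3</string><string>epo</string><string>mdm</string><string>local</string></array>
<key>LogLevel</key><integer>6</integer>
</dict></plist>
EOF
    for p in epo.xml epo002.xml epo001.xml local.xml; do
        : > "$root/policies/$p"
    done
    chmod 660 "$root/policies"/*.xml
    printf '%s\n' "$root"
}

# Demo against the sample; a real check would use the _defendpoint defaults.
sample=$(dp_build_sample)
echo "config.order: $(dp_config_order "$sample/defendpoint.plist" | tr '\n' ' ')"
echo "policies that would be loaded, in order:"
dp_resolve_policies "$sample/defendpoint.plist" "$sample/policies"
dp_check_policy_perms "$sample/policies" "$(id -un)" "$(id -gn)" \
    && echo "ownership and mode OK"
rm -rf "$sample"
```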

A.3.3 - Mac Application Templates

Defendpoint ships with some standard application templates to simplify the definition of applications that are part of the operating system. The standard application templates are split into categories:

- System Preference Panes
- Bundles
- Binaries

Each category then has a list of applications for that category. Picking an application will cause the application to be pre-populated with the appropriate information.

A.3.4 - Mac Audit Logging

How to log events to a file:

1. When Defendpoint is installed, it checks to see if the following path and file is present. If it's not, it creates it:

/var/log/defendpoint/audit.log

2. This file cannot be edited during output. If this file is deleted, Defendpoint recreates it dynamically. If the folder structure is deleted, Defendpoint re-creates it when the endpoint is restarted.

3. This log file can be viewed in the macOS Console for all versions from '/var/log' in the side bar. You can also view the log output in real-time if required.


4. The log file is maintained by the core macOS/OS X service 'newsyslog'. The 'newsyslog.conf' file contains various log files and associated settings and is maintained by the core macOS. The 'newsyslog.conf' file is held here:

/etc/newsyslog.conf

This part of the set up must be done by a user who can write to this location.

5. In the 'newsyslog.conf' file the settings are outlined and have column headers:

- logfilename, mode, count, size, when, flags

6. For the purposes of the maintenance of the 'audit.log' file, you need to populate the 'logfilename', 'mode', 'count', 'size' and/or 'when', and 'flags' attributes in the 'newsyslog.conf' file.

- logfilename - Path and filename
- mode - File mode, i.e. settings for read/write for each user type (POSIX file permissions)
- count - Count for amount of archived files (count starts from 0)
- size - Threshold for log size in KB
- when - Time-based rotation threshold (i.e. a new log every day at X, or every month)
- flags - Instruction for processing the archived/turn-over file. This is most likely to be 'JN' or 'ZN'

An example of a line in the 'newsyslog.conf' for Defendpoint would be:

/var/log/defendpoint/audit.log 644 5 1000 * JN

This indicates that:

- the filename is 'audit.log'
- it can be viewed by all user types but can only be edited by the root user
- it has an archive count of 5 (6 archived files, not including the current log)
- it has a threshold of 1 MB for turn-over/archiving
- it doesn't have a date turn over
- for archiving, files are to be compressed into a bzip file

The threshold relies on the 'newsyslog' service. This service is 'low' priority in macOS and only reads the .conf file approximately every 30 mins. Using the example line above, the log can become greater than 1 MB prior to the service reading the 'newsyslog.conf' file, because the size is a 'threshold' value rather than a guarantee that each log file is of equal size.

7. Once you have applied the 'newsyslog.conf' by adding the 'audit.log' line to it, you can run 'sudo newsyslog -nv' in the Terminal to see the state of the logging, when the next roll over is, and whether there are any syntax issues.
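As an added example that is not part of the Defendpoint guide, this POSIX shell script reads the newsyslog.conf entry for /var/log/defendpoint/audit.log, handling the optional owner:group column, and flags settings that would leave the audit log unrotated or writable by non-root users; the conf path is a parameter so it runs against a constructed file rather than /etc/newsyslog.conf.

```shell
#!/bin/sh
# Added example, not part of the Defendpoint guide. Assumption: the conf
# path is passed in, so a constructed sample can stand in for
# /etc/newsyslog.conf.

DP_AUDIT_LOG=/var/log/defendpoint/audit.log

# Print "mode count size when flags" for the audit.log entry (empty if absent).
dp_audit_rotation_entry() {
    # Columns: logfilename [owner:group] mode count size when flags ...
    # The optional owner:group column shifts every later field by one.
    awk -v target="$DP_AUDIT_LOG" '
        $1 == target {
            i = ($2 ~ /:/) ? 3 : 2
            print $i, $(i + 1), $(i + 2), $(i + 3), $(i + 4)
            exit
        }' "$1"
}

# Validate the entry against the guide's example (644 5 1000 * JN). Exit 1
# and explain on stderr when the log would not rotate or could be edited by
# users other than root.
dp_check_audit_rotation() {
    entry=$(dp_audit_rotation_entry "$1")
    if [ -z "$entry" ]; then
        echo "no newsyslog entry for $DP_AUDIT_LOG: the log grows unbounded" >&2
        return 1
    fi
    # read avoids the glob expansion that 'set -- $entry' would apply to '*'.
    read -r mode count size when flags <<EOF
$entry
EOF
    rc=0
    # Group/other digits 2, 3, 6 or 7 carry the write bit; 644 is the target.
    case "$mode" in
        6[0145][0145]) ;;
        *) echo "mode $mode lets non-root users modify the audit log" >&2; rc=1 ;;
    esac
    [ "$count" -gt 0 ] 2>/dev/null \
        || { echo "count '$count' keeps no archived logs" >&2; rc=1; }
    # '*' means unset; at least one of the size (KB) or time thresholds is needed.
    if [ "$size" = "*" ] && [ "$when" = "*" ]; then
        echo "neither size nor when is set: the log is never rotated" >&2; rc=1
    fi
    # Flags: J = bzip2 the archive, Z = gzip it, N = signal no process afterwards.
    echo "audit.log rotation: mode=$mode count=$count size=$size when=$when flags=$flags"
    return $rc
}

# Write a constructed newsyslog.conf (sample data, not a real endpoint's file).
dp_write_sample_conf() {
    cat > "$1" <<'EOF'
# logfilename                  [owner:group] mode count size when   flags
/var/log/system.log                          640  7     *    @T00   J
/var/log/defendpoint/audit.log               644  5     1000 *      JN
/var/log/wtmp                                644  3     *    @01T05 B
EOF
}

conf=$(mktemp)
dp_write_sample_conf "$conf"
dp_check_audit_rotation "$conf" && echo "rotation settings look sane"
rm -f "$conf"
```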

A.3.5 - Mac Logging Options

Defendpoint includes some advanced settings that are configured by editing a configuration file on disk. In order to edit the configuration file, you will need root privileges on the following file:

/Library/Application Support/Avecto/Defendpoint/defendpoint.plist

It is recommended that you edit the configuration file using a command line editor, such as vi (the path contains a space, so it must be quoted):

sudo vi "/Library/Application Support/Avecto/Defendpoint/defendpoint.plist"

Unified Logging

Unified Logging is available in macOS 10.12 and later and supersedes Apple System Logger (ASL). Prior to macOS 10.12, log messages were written to specific disk locations. Unified Logging means the log messages are stored in memory or in a data store and can be viewed in the Console application and the log command line tool.

See https://developer.apple.com/documentation/os/logging for more information on Unified Logging.

To view the debug logs of a process on the endpoint:

1. Open the Console app. By default, debug and info messages are not displayed. You can select an event in the main window to view the logs for it.
2. Click Now in the top left of the tool bar, to see new messages in real time.
3. Select Actions > Include Info Messages and Actions > Include Debug Messages to add these to the log.
4. Using the search bar on the top-right, you can enter the name of a process that you want to filter on, for example 'defendpointd' for Defendpoint or 'iC3Adapter' for iC3 Adapter events.
5. You can further manipulate the filter from the search bar or by right-clicking on the process and selecting an additional filter option.


Obtaining Debug Logs from the Endpoint

Unified logging does not store info or debug strings on the hard disk. They are only displayed whilst the Console application is open. You need to use the log config command to create plist files for each Defendpoint daemon and change the logging level. These plists are created in the '/Library/Preferences/Logging' directory.

1. To create plists and change the logging level for the Defendpoint daemons run the following commands in the terminal:

sudo log config --subsystem com.avecto.defendpointd --mode persist:debug
sudo log config --subsystem com.avecto.custodian --mode persist:debug
sudo log config --subsystem com.avecto.dppolicyserverd --mode persist:debug
sudo log config --subsystem com.avecto.Defendpoint --mode persist:debug

2. Once these commands have been run, you have two options:

a. Obtain a centralized log that you can send to Avecto support. This is the recommended approach: you would ideally run the following command to collect the logs into a central log file, however this logs every process on the endpoint, not just the Defendpoint processes.

sudo log collect --last <num><m/h/d>

You need to replace the <num> value with an integer and then append 'm' for minutes, 'h' for hours or 'd' for days, depending on how long it took to replicate the issue. This will produce a .logarchive file in the current user's directory.

b. Alternatively, you can create a log for each Defendpoint daemon by using the following commands. This process outputs .log files in the user's home directory that can be edited or moved as required. As this information is split across multiple log files it is not the recommended approach, however it can be used when the first approach is not viable.

log show --predicate 'subsystem == "com.avecto.custodian"' --style json --debug --last 1h > ~/Documents/Custodian.logarchive
log show --predicate 'subsystem == "com.avecto.defendpointd"' --style json --debug --last 1h > ~/Documents/defendpointd.logarchive
log show --predicate 'subsystem == "com.avecto.dppolicyserverd"' --style json --debug --last 1h > ~/Documents/dppolicyserverd.logarchive
log show --predicate 'subsystem == "com.avecto.Defendpoint"' --style json --debug --last 1h > ~/Documents/Defendpoint.logarchive

We strongly advise that you delete the .plists after use and disable the debug level of logging persistence, especially on an SSD.

Apple System Logger

Apple System Logger (ASL) is available on OS X 10.11 and was superseded by Unified Logging; see Unified Logging detailed on the previous page for more information. All logging for the Apple client is done through console.app.


To use ASL for the iC3 Mac Adapter you need to register the Defendpoint debug logs. Execute the following command:

sudo /usr/local/libexec/Avecto/iC3Adapter/1.0/configure/installdbglogs.sh

Only the ePO Adapter uses ASL. By default, the debug logging level is set to 6 in the defendpoint.plist configuration file. This provides a basic level of debug logging.

To enable full debug logging, edit the following section in the defendpoint.plist configuration file to set the debug logging level to 7:

<key>LogLevel</key>
<integer>7</integer>

To unregister the Defendpoint debug logs, execute the following command:

sudo /usr/local/libexec/Avecto/iC3Adapter/1.0/configure/uninstalldbglogs.sh

Anonymous Logging

By default, Defendpoint will include user and computer specific information in all audit events. You can set your application rules to not log this information for events associated with your rules by setting the Raise an Event option to On (Anonymous) on each rule.

You can also set whether user or computer information is kept anonymous for audit events that are not associated with a rule, such as events raised for having an invalid license.

To enable anonymous auditing for events not associated with a rule, edit the following section in the defendpoint.plist configuration file:

<key>AnonymousLogging</key>
<string>true</string>

To disable anonymous auditing for events not associated with a rule, edit the following section in the defendpoint.plist configuration file:

<key>AnonymousLogging</key>
<string>false</string>

A.3.6 - Adding Defendpoint Settings to a Mac Client Computer

Defendpoint Settings are stored in the file /etc/defendpoint/local.xml, and can be overwritten with an exported XML file from the MMC. To prevent any invalid permissions being applied, it is recommended that this file is replaced using the following command. In this example, the source XML file is located on your Desktop:

sudo cp ~/Desktop/local.xml /etc/defendpoint/local.xml

The Defendpoint client will apply the new settings immediately, and does not require any restart.


Do not delete the local.xml file as this will interfere with the client machine's ability to enforce policy. If the local.xml file is deleted from a client machine, replace the file and restart the machine.

A.3.7 - Mac Command Arguments Not Supported

The following arguments are not supported by Defendpoint when you're using sudo:

Option (single dash)  Option (double dash)  Description
-A  --askpass  use a helper program for password prompting
-C num  --close-from=num  close all file descriptors >= num
-E  --preserve-env  preserve user environment when running command
-g group  --group=group  run command as the specified group name or ID
-H  --set-home  set HOME variable to target user's home dir
-h host  --host=host  run command on host (if supported by plugin)
-K  --remove-timestamp  remove timestamp file completely
-k  --reset-timestamp  invalidate timestamp file
-l  --list  list user's privileges or check a specific command; use twice for longer format
-n  --non-interactive  non-interactive mode, no prompts are used
-P  --preserve-groups  preserve group vector instead of setting to target's
-p prompt  --prompt=prompt  use the specified password prompt
-U user  --other-user=user  in list mode, display privileges for user
-u user  --user=user  run command (or edit file) as specified user name or ID
-v  --validate  update user's timestamp without running a command

A.4 - Windows Specific

A.4.1 - Windows Policy Configuration Precedence

Defendpoint supports a variety of deployment methods, and accepts multiple simultaneous configurations from any combination of the following:

- McAfee ePO Policy – A configuration that is stored within McAfee ePO, configured using the Defendpoint ePO Extension in the ePO Policy Catalog.
- Webservice Policy – A configuration that is served from an IC3 webservice using HTTPS.
- Webserver Policy – A configuration located on a web server, accessible using HTTP(S) or FTP.
- Group Policy – Configurations that are stored in Group Policy Objects, configured using GPMC (Active Directory Group Policy) and GPEdit (Local Group Policy). Group Policy based configurations are evaluated according to GPO precedence rules.
- Local Policy – A standalone configuration, which is stored locally and has been configured using the Defendpoint Management Console snap-in for the Microsoft Management Console.


The Defendpoint client uses the following default precedence to evaluate each configuration for matching rules:

ePO > Webservice > Webserver > GPO > Local

Configuration precedence settings can be configured either as part of the client installation, or using the Windows Registry once the client has been installed.

To modify the configuration precedence at client installation, use one of the following command lines to install the Defendpoint Client with a specific configuration precedence:

msiexec /i DefendpointClient_x(XX).msi POLICYPRECEDENCE="EPO,WEBSERVICE,WEBSERVER,GPO,LOCAL"

DefendpointClient_x(XX).exe /s /v" POLICYPRECEDENCE=\"EPO,WEBSERVICE,WEBSERVER,GPO,LOCAL\""

Where (XX) represents 86 or 64 in relation to the 32-bit or 64-bit installation respectively.

To modify your configuration precedence using the Windows Registry, run Regedit.exe with elevated privileges and an anti-tamper token disabled. Navigate to the following key and edit the string as required:

HKEY_LOCAL_MACHINE\Software\Avecto\Privilege Guard Client
REG_SZ PolicyPrecedence = "EPO,WEBSERVICE,WEBSERVER,GPO,LOCAL"

Only deployment methods listed in the Defendpoint engineering key PolicyEnabled are applied, irrespective of the order listed in the PolicyPrecedence key. Both keys are located in the same place in the Windows registry.

A.4.2 - Windows Privileges

Standard User Privileges

Privilege  Windows 7 / Windows Server 2008 R2
SeChangeNotifyPrivilege  Yes
SeIncreaseWorkingSetPrivilege  Yes
SeShutdownPrivilege  Desktop Only
SeTimeZonePrivilege  Yes
SeUndockPrivilege  Desktop Only

Administrator Privileges

Privilege  Windows 7 / Windows Server 2008 R2
SeBackupPrivilege  Yes
SeCreateGlobalPrivilege  Yes
SeCreatePagefilePrivilege  Yes
SeCreateSymbolicLinkPrivilege  Yes
SeDebugPrivilege  Yes
SeEnableDelegationPrivilege  Server Only
SeImpersonatePrivilege  Yes
SeIncreaseBasePriorityPrivilege  Yes
SeIncreaseQuotaPrivilege  Yes
SeLoadDriverPrivilege  Yes
SeMachineAccountPrivilege  Yes
SeManageVolumePrivilege  Yes
SeProfileSingleProcessPrivilege  Yes
SeRemoteShutdownPrivilege  Yes
SeRestorePrivilege  Yes
SeSecurityPrivilege  Yes
SeShutdownPrivilege  Yes
SeSystemEnvironmentPrivilege  Yes
SeSystemProfilePrivilege  Yes
SeSystemTimePrivilege  Yes
SeTakeOwnershipPrivilege  Yes

System Privileges

Privilege Windows 7Windows Server 2008 R2

SeAssignPrivilegeTokenPrivilege Yes

SeAuditPrivilege Yes

SeCreatePermanentPrivilege Yes

SeCreateTokenPrivilege Yes

SeLockMemoryPrivilege Yes

SeRelabelPrivilege Server 2008 R2Only

SeSyncAgentPrivilege Yes

SeTcbPrivilege Yes

Defendpoint Management Console 5.2.21.0 GADocument v.1.1 145 of 168

Page 146: DefendpointManagementConsoleAdministration Guide · 2019-02-14 · TableofContents Chapter1-DefendpointIntroduction 7 1.1-Windows 7 1.1.1-DefiningUserRoles 7 1.1.2-ImplementingLeastPrivilege

Privilege Windows 7Windows Server 2008 R2

SeTrustedCredManAccessPrivilege Server 2008 R2Only

SeUnsolicitedInputPrivilege Server 2008 R2Only

A.4.3 - Windows Application Templates

Defendpoint ships with some standard application templates to simplify the definition of applications that are part of the operating system, common ActiveX controls and software updaters. The standard application templates are split into categories:

- Avecto Utilities
- Browsers
- COM Classes for 3rd Party Software
- COM Classes for file, folder and drive operations
- COM Classes for general Windows operations
- COM Classes for security features and configurations
- COM Classes for software installation, uninstallation and updates
- COM Classes for network device settings, sharing options and configurations
- Common ActiveX controls
- Content Handler Untrusted
- Content Handlers
- Installers for common printer driver manufacturers
- Software updaters
- Tools and utilities for administrators and developers
- Windows 10 Default Apps
- Windows 7/8 and Windows Server 2008 R2 / 2012 / 2012 R2
- Windows 8.0 Default Apps
- Windows 8.1 Default Apps
- Windows Server 2008 R2

Each category then has a list of applications for that category. Picking an application will cause the application or ActiveX control dialog boxes to be pre-populated with the appropriate information.

A.4.4 - Configuring Remote Computer Browser

The Defendpoint Workstyle Editor allows you to browse computers on the network for executables, Windows services and running processes, which can be added to application groups. This provides a convenient alternative to manual entry.

Remote computer browsing leverages Windows Remote Management (WinRM) and PowerShell, which must be configured on each target endpoint before the computer browser feature can access the remote computer.

WinRM and PowerShell are components of the Windows Management Framework, and are part of Windows 7 and Windows Server 2008 R2. For older versions of Windows, the Windows Management Framework can be downloaded and installed as an optional update at:

http://www.microsoft.com/en-gb/download/details.aspx?id=40855

To configure the ePO Server

1. Configure WinRM trusted hosts:
   a. Open PowerShell (elevated).
   b. Type

      winrm s winrm/config/client '@{TrustedHosts="<endpoint>"}'

      and press Enter, where <endpoint> is the hostname or IP address of the network computer to be trusted. A wildcard '*' can also be used, but it means the console will send credentials to any host it is pointed at without verifying that host's identity, so list the specific computers you browse where possible.

To configure a network computer

1. Verify that PS-Remoting is enabled:
   a. Open PowerShell (elevated).
   b. Type

      Enable-PSRemoting

      and then type A to accept all defaults (this can also be enabled via AD Group Policy).

2. Configure WinRM to allow remote connections:
   a. In the same PowerShell window, type

      winrm qc

      and press Enter.
   b. Type

      winrm set winrm/config/service @{AllowUnencrypted="true"}

      and press Enter. This permits the WinRM service to accept requests without WinRM message-level encryption over the HTTP listener on port 5985, so traffic on that listener may travel unprotected by WinRM itself.

To test for a successful connection

Run this command from the ePO server:

winrm identify -r:http://<endpoint>:5985 -u:<username> -p:<password>

where <endpoint> is the hostname or IP address of the network computer, and <username> and <password> are administrator credentials on the network computer.

If the connection is unsuccessful

Fix the local security policy to enable classic mode authentication for network logons:

1. Open Local Security Policy from Control Panel > Administrative Tools.
2. Navigate to Local Policies > Security Options.
3. Double click Network Access: Sharing and Security Model for local accounts.
4. Set to Classic.

Mixed environments

1. Open PowerShell (elevated).
2. Type

   new-itemproperty -name LocalAccountTokenFilterPolicy -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -propertyType DWord -value 1

   and press Enter. Setting this value to 1 disables the UAC token filter for remote connections by local administrator accounts, so those accounts receive a full administrative token over the network.
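The following script is an added example and is not part of the Avecto guide. It reads back the WinRM settings the steps above configure, so they can be verified on the ePO server and on each endpoint before the computer browser is used, and it flags the two settings that weaken the configuration (a wildcard TrustedHosts list and AllowUnencrypted). The function names, the hostname and the credential are my own; it assumes an elevated PowerShell 3.0 or later session and that the WinRM service has been started at least once (the WSMan: drive does not exist before that).

```powershell
# Added example, not code from the Avecto guide. Reads back the WinRM prerequisites
# for the Defendpoint remote computer browser on the machine it is run on.
# Assumptions: elevated PowerShell 3.0+, WinRM service installed and started once.

function Get-DefendpointWinRmState {
    [CmdletBinding()]
    param()

    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue

    # Client side (ePO server): hosts the console will talk to without Kerberos identity checks.
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts -ErrorAction SilentlyContinue).Value

    # Service side (endpoint): listener transports and the AllowUnencrypted flag set in step 2b.
    $allowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted -ErrorAction SilentlyContinue).Value
    $transports = @(Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ChildItem $_.PSPath | Where-Object Name -eq 'Transport').Value })

    # "Mixed environments" step: remote UAC filtering for local administrator accounts.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $tokenFilter = (Get-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy `
        -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy

    [pscustomobject]@{
        WinRMRunning                  = [bool]($svc -and $svc.Status -eq 'Running')
        TrustedHosts                  = $trusted
        TrustedHostsIsWildcard        = ($trusted -eq '*')          # weak: any host is trusted
        AllowUnencrypted              = ($allowUnencrypted -eq 'true')  # weak: plaintext payloads accepted
        ListenerTransports            = $transports                 # expect 'HTTP' for port 5985
        LocalAccountTokenFilterPolicy = $tokenFilter                # 1 = remote UAC filter disabled
    }
}

function Test-DefendpointBrowserEndpoint {
    # PowerShell equivalent of the "winrm identify" test above, run from the ePO server.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Endpoint,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    try {
        $id = Test-WSMan -ComputerName $Endpoint -Port 5985 -Credential $Credential `
            -Authentication Negotiate -ErrorAction Stop
        [pscustomobject]@{ Endpoint = $Endpoint; Reachable = $true;  Detail = $id.ProductVersion }
    } catch {
        [pscustomobject]@{ Endpoint = $Endpoint; Reachable = $false; Detail = $_.Exception.Message }
    }
}

# Usage on the ePO server (hostname and credential are placeholders):
# Get-DefendpointWinRmState | Format-List
# Test-DefendpointBrowserEndpoint -Endpoint 'WS01.example.local' -Credential (Get-Credential)
```

Run Get-DefendpointWinRmState on both sides: on the ePO server the TrustedHosts fields matter, on the endpoint the listener, AllowUnencrypted and LocalAccountTokenFilterPolicy fields do. A TrustedHostsIsWildcard or AllowUnencrypted value of True is the configuration this section asks for, but it is worth recording in the change ticket for the affected machines.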


A.4.5 - Environment Variables

Defendpoint supports the use of the following environment variables within file path and command line application definitions:

System Variables

- %ALLUSERSPROFILE%
- %COMMONPROGRAMFILES(x86)%
- %COMMONPROGRAMFILES%
- %PROGRAMDATA%
- %PROGRAMFILES(x86)%
- %PROGRAMFILES%
- %SYSTEMROOT%
- %SYSTEMDRIVE%

User Variables

- %APPDATA%
- %USERPROFILE%
- %HOMEPATH%
- %HOMESHARE%
- %LOCALAPPDATA%
- %LOGONSERVER%

To use any of the environment variables above, enter the variable, including the % characters, into a file path or command line. The Defendpoint Client will expand the environment variable prior to attempting a file path or command line match.

A.4.6 - Regular Expressions Syntax

Defendpoint can control applications at a granular level by using regular expression syntax. Defendpoint uses the ATL regular expression library CAtlRegExp. Below is a summary of the regular expression syntax used by this library.

Any character except [\^$.|?*+()
    Meaning: All characters except the listed special characters match a single instance of themselves. To match one of these listed characters, use the backslash escape character (see below).
    Example: "abc" matches "abc"

\ (backslash)
    Meaning: Escape character: interpret the next character literally (for example, [0-9]+ matches one or more digits, but [0-9]\+ matches a digit followed by a plus character). Also used for abbreviations, such as \a for any alphanumeric character; see the CAtlRegExp documentation linked below. If \ is followed by a number n, it matches the nth match group, counting from 0. Note that in C++ string literals two backslashes must be used: "\\+", "\\a", "<{.*?}>.*?</\\0>".
    Example: "a\+b" matches "a+b"; <{.*?}>.*?</\0> matches "<head>Contents</head>"

. (dot)
    Meaning: Matches any single character.
    Example: "a.b" matches "aab", "abb", "acb", etc.

[ ]
    Meaning: Indicates a character class. Matches any character inside the brackets.
    Example: "[abc]" matches "a", "b", or "c"

^ (caret)
    Meaning: At the start of a character class, negates the class: a negated character class matches any character except those inside the brackets. At the beginning of the regular expression, matches the beginning of the input (for example, ^[abc] will only match input that begins with "a", "b", or "c").
    Example: "[^abc]" matches all characters except "a", "b", and "c"

- (minus character)
    Meaning: In a character class, indicates a range of characters.
    Example: "[0-9]" matches any of the digits "0" through "9"

?
    Meaning: Indicates that the preceding expression is optional: it matches once or not at all (for example, [0-9][0-9]? matches "2" and "12").
    Example: "ab?c" matches "ac" or "abc"

+
    Meaning: Indicates that the preceding expression matches one or more times (for example, [0-9]+ matches "1", "13", "666", and so on).
    Example: "ab+c" matches "abc", "abbc", "abbbc", etc.

* (asterisk)
    Meaning: Indicates that the preceding expression matches zero or more times.
    Example: "ab*c" matches "ac", "abc", "abbc", etc.

| (vertical pipe)
    Meaning: Alternation operator: separates two expressions, exactly one of which matches.
    Example: "a|b" matches "a" or "b"; "T|the" matches "The" or "the"

??, +?, *?
    Meaning: Non-greedy versions of ?, +, and *. These match as little as possible, unlike the greedy versions, which match as much as possible.
    Example: Given the input "<abc><def>", <.*?> matches "<abc>" while <.*> matches "<abc><def>"

( )
    Meaning: Grouping operator (for example, (\d+,)*\d+ matches a list of numbers separated by commas, such as "1" or "1,23,456").
    Example: "(One)|(Two)" matches "One" or "Two"

{ }
    Meaning: Indicates a match group. The actual text in the input that matches the expression inside the braces can be retrieved through the CAtlREMatchContext object. Braces are not a repetition count in this library, unlike in most other regular expression dialects.

$
    Meaning: At the end of a regular expression, matches the end of the input.
    Example: [0-9]$ matches a digit at the end of the input

!
    Meaning: Negation operator: the expression following ! does not match the input.
    Example: a!b matches "a" not followed by "b"

For more information, see http://msdn.microsoft.com/en-us/library/k3zs4axe(v=vs.71).aspx
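The following script is an added example and is not part of the Avecto guide. It shows the mistake most likely to make an application definition match more than intended: a Windows path pasted into a regular expression without escaping, so that every "." matches any character and every "\" is taken as an escape. The first function builds a correctly escaped, anchored pattern from a literal path using the metacharacter list above; the second checks candidate paths against a pattern. The check uses .NET's regex engine, which is not CAtlRegExp, so it is only reliable for the constructs used here (escaped literals, ., [ ], ? + *, |, ^ and $); do not use it to test { }, !, \0 back-references or the \a-style abbreviations, whose meaning differs between the two libraries. Sample paths are constructed for the demonstration.

```powershell
# Added example, not code from the Avecto guide. Escapes literal paths for use as
# CAtlRegExp patterns and shows why an unescaped '.' widens a match.
# Assumption: .NET regex agrees with CAtlRegExp for the constructs used below only.

function ConvertTo-DefendpointLiteralPattern {
    param([Parameter(Mandatory)][string]$LiteralPath)
    # Every character the table above treats specially, plus { } and ! which
    # CAtlRegExp also interprets. Prefixing each with '\' makes it match itself.
    $special = [char[]]'[]\^$.|?*+(){}!'
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $LiteralPath.ToCharArray()) {
        if ($special -contains $ch) { [void]$sb.Append('\') }
        [void]$sb.Append($ch)
    }
    # Anchor both ends so the pattern cannot match a longer path that merely contains it.
    '^' + $sb.ToString() + '$'
}

function Test-DefendpointPattern {
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [Parameter(Mandatory)][string[]]$Candidate
    )
    # Case-sensitive, as .NET and CAtlRegExp both are by default; how the Defendpoint
    # Client treats case is not documented on this page.
    foreach ($c in $Candidate) {
        [pscustomobject]@{ Path = $c; Matches = [regex]::IsMatch($c, $Pattern) }
    }
}

# Correctly escaped pattern for one exact file.
$exact = ConvertTo-DefendpointLiteralPattern -LiteralPath 'C:\Windows\System32\calc.exe'
# $exact is now: ^C:\\Windows\\System32\\calc\.exe$

# Hand-written pattern that escaped the backslashes but forgot the '.' before "exe".
$loose = '^C:\\Windows\\System32\\calc.exe$'

# Constructed sample paths: the real file, a look-alike, and a renamed copy.
$samples = 'C:\Windows\System32\calc.exe',
           'C:\Windows\System32\calc_exe',
           'C:\Windows\System32\calc.exe.bak'

Test-DefendpointPattern -Pattern $exact -Candidate $samples   # only calc.exe matches
Test-DefendpointPattern -Pattern $loose -Candidate $samples   # calc_exe matches as well
```

The renamed copy matches neither pattern because both are anchored with $; drop the anchors and the same pattern also matches anything that merely contains the path, which is the other common way a definition ends up broader than intended.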

A.4.7 - Windows Workstyle Parameters

The Defendpoint Settings include a number of features that allow customization of text and strings that are used for end user messaging and auditing. If you want to include properties that relate to the settings applied, the application being used, the user or the installation of the Defendpoint Client, then parameters may be used that expand when the text is used.

Parameters are identified as any string surrounded by [square brackets], and if detected, the agent will attempt to expand the parameter. If successful, the parameter will be replaced with the expanded property. If unsuccessful, the parameter will remain part of the string. The table below shows a summary of all available parameters.

Parameter                       Description
[PG_ACTION]                     The action which the user performed from an end user message
[PG_AGENT_VERSION]              The version of the Privilege Guard Client
[PG_APP_DEF]                    The name of the application rule that matched the application
[PG_APP_GROUP]                  The name of the application group that contained a matching application rule
[PG_AUTH_USER_DOMAIN]           The domain of the designated user who authorized the application
[PG_AUTH_USER_NAME]             The account name of the designated user who authorized the application
[PG_COM_APPID]                  The APPID of the COM component being run
[PG_COM_CLSID]                  The CLSID of the COM component being run
[PG_COM_NAME]                   The name of the COM component being run
[PG_COMPUTER_DOMAIN]            The name of the domain that the host computer is a member of
[PG_COMPUTER_NAME]              The NetBIOS name of the host computer
[PG_CONTENT_DEF]                The definition name of the matching content
[PG_CONTENT_FILE_DRIVE_TYPE]    The drive type of a matching content
[PG_CONTENT_FILE_HASH]          The SHA-1 hash of a matching content
[PG_CONTENT_FILE_IE_ZONE]       The Internet Zone of a matching content
[PG_CONTENT_FILE_NAME]          The file name of a matching content
[PG_CONTENT_FILE_OWNER]         The owner of a matching content
[PG_CONTENT_FILE_PATH]          The full path of a matching content
[PG_CONTENT_GROUP]              The group name of a matching content definition
[PG_DOWNLOAD_URL]               The full URL from which an application was downloaded
[PG_DOWNLOAD_URL_DOMAIN]        The domain from which an application was downloaded
[PG_EVENT_TIME]                 The date / time that the policy matched
[PG_EXEC_TYPE]                  The type of execution method: application rule or shell rule
[PG_GPO_DISPLAY_NAME]           The display name of the GPO (Group Policy Object)
[PG_GPO_NAME]                   The name of the GPO that contained the matching policy
[PG_GPO_VERSION]                The version number of the GPO that contained the matching policy
[PG_MESSAGE_NAME]               The name of the custom message that was applied
[PG_MSG_CHALLENGE]              The 8 digit challenge code presented to the user
[PG_MSG_RESPONSE]               The 8 digit response code entered by the user
[PG_POLICY_NAME]                The name of the policy
[PG_PROG_CLASSID]               The ClassID of the ActiveX control
[PG_PROG_CMD_LINE]              The command line of the application being run
[PG_PROG_DRIVE_TYPE]            The type of drive where the application is being executed
[PG_PROG_FILE_VERSION]          The file version of the application being run
[PG_PROG_HASH]                  The SHA-1 hash of the application being run
[PG_PROG_NAME]                  The program name of the application
[PG_PROG_PARENT_NAME]           The file name of the parent application
[PG_PROG_PARENT_PID]            The process identifier of the parent of the application
[PG_PROG_PATH]                  The full path of the application file
[PG_PROG_PID]                   The process identifier of the application
[PG_PROG_PROD_VERSION]          The product version of the application being run
[PG_PROG_PUBLISHER]             The publisher of the application
[PG_PROG_TYPE]                  The type of application being run
[PG_PROG_URL]                   The URL of the ActiveX control
[PG_SERVICE_ACTION]             The action performed on the matching service
[PG_SERVICE_DISPLAY_NAME]       The display name of the Windows service
[PG_SERVICE_NAME]               The name of the Windows service
[PG_STORE_PACKAGE_NAME]         The package name of the Windows Store app
[PG_STORE_PUBLISHER]            The package publisher of the Windows Store app
[PG_STORE_VERSION]              The package version of the Windows Store app
[PG_TOKEN_NAME]                 The name of the built-in token or custom token that was applied
[PG_URL_ADDRESS]                The full address of the matching URL
[PG_URL_DEF]                    The definition name of the matching URL
[PG_URL_GROUP]                  The URL group name of the matching URL
[PG_URL_HOST]                   The hostname of the matching URL
[PG_URL_IE_ZONE]                The Internet Zone of the matching URL
[PG_URL_PROTOCOL]               The protocol of the matching URL
[PG_USER_DISPLAY_NAME]          The display name of the user
[PG_USER_DOMAIN]                The name of the domain that the user is a member of
[PG_USER_NAME]                  The account name of the user
[PG_USER_REASON]                The reason entered by the user
[PG_USER_SID]                   The SID of the user
[PG_WORKSTYLE_NAME]             The name of the workstyle
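The following script is an added example and is not part of the Avecto guide. It reproduces the expansion rule the section describes so that a message or audit string can be previewed before it is put into a workstyle: known [PG_...] parameters are replaced, and a parameter with no value stays in the string exactly as typed. The function name and the property values are my own constructions; on an endpoint the Defendpoint Client supplies the values.

```powershell
# Added example, not code from the Avecto guide. Previews how a Defendpoint message or
# audit template expands: known parameters are substituted, unknown ones are kept as-is.

function Expand-DefendpointParameters {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Template,
        [Parameter(Mandatory)][hashtable]$Properties
    )
    # GetNewClosure captures $Properties so the evaluator can see it when Replace calls it.
    $evaluator = [System.Text.RegularExpressions.MatchEvaluator]({
        param($m)
        $name = $m.Groups[1].Value
        if ($Properties.ContainsKey($name) -and $null -ne $Properties[$name]) {
            [string]$Properties[$name]
        } else {
            $m.Value   # unexpanded: leave "[PG_...]" in place, as the client does
        }
    }.GetNewClosure())
    # Only upper-case PG_ names in square brackets are treated as parameters.
    [regex]::Replace($Template, '\[(PG_[A-Z_]+)\]', $evaluator)
}

# Constructed sample values for the preview (not real endpoint data).
$sample = @{
    PG_USER_DOMAIN = 'CORP'
    PG_USER_NAME   = 'jsmith'
    PG_PROG_PATH   = 'C:\Windows\System32\calc.exe'
    PG_PROG_HASH   = 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
    PG_TOKEN_NAME  = 'Add Admin Rights'
    PG_ACTION      = 'Proceed'
}

$auditLine = '[PG_EVENT_TIME] [PG_USER_DOMAIN]\[PG_USER_NAME] chose [PG_ACTION] for ' +
             '[PG_PROG_PATH] (SHA-1 [PG_PROG_HASH]) under token [PG_TOKEN_NAME]; ' +
             'reason: [PG_USER_REASON]'

Expand-DefendpointParameters -Template $auditLine -Properties $sample
# [PG_EVENT_TIME] and [PG_USER_REASON] remain literal because no value was supplied;
# the same happens on an endpoint when a rule has no reason prompt, so a SIEM parser
# should tolerate the bracketed token rather than assume it is always a value.
```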


A.4.8 - Example PowerShell Configurations

Create New Configuration, Save to Local File

# Import the Defendpoint cmdlet module
Import-Module 'C:\Program Files\Avecto\Privilege Guard Client\PowerShell\Avecto.Defendpoint.Cmdlets\Avecto.Defendpoint.Cmdlets.dll'

# Create a new variable containing a new Defendpoint Configuration Object
$PGConfig = New-Object Avecto.Defendpoint.Settings.Configuration

## Add License ##
# Create a new license object
$PGLicence = New-Object Avecto.Defendpoint.Settings.License
# Define license value
$PGLicence.Code = "5461E0D0-DE30-F282-7D67-A7C6-B011-2200"
# Add the License object to the local PG Config file
$PGConfig.Licenses.Add($PGLicence)

## Add Application Group ##
# Create an Application Group object
$AppGroup = New-Object Avecto.Defendpoint.Settings.ApplicationGroup
# Define the value of the Application Group name
$AppGroup.Name = "New App Group"
# Add the Application Group object to the local PG Config file
$PGConfig.ApplicationGroups.Add($AppGroup)

## Add Application ##
# Create an application object
$PGApplication = New-Object Avecto.Defendpoint.Settings.Application $PGConfig
# Use Get-DefendpointFileInformation to target Windows Calculator
$PGApplication = Get-DefendpointFileInformation -Path C:\Windows\System32\calc.exe
# Add the application to the Application Group
$PGConfig.ApplicationGroups[0].Applications.AddRange($PGApplication)

## Add Message ##
# Create a new message object
$PGMessage = New-Object Avecto.Defendpoint.Settings.Message $PGConfig
# Define the message Name, Description, OK action and the type of message
$PGMessage.Name = "Elevation Prompt"
$PGMessage.Description = "An elevation message"
$PGMessage.OKAction = [Avecto.Defendpoint.Settings.Message+ActionType]::Proceed
$PGMessage.Notification = 0
# Define whether the message is displayed on a secure desktop
$PGMessage.ShowOnIsolatedDesktop = 1
# Define how the message is laid out
$PGMessage.HeaderType = [Avecto.Defendpoint.Settings.Message+MsgHeaderType]::Default
$PGMessage.HideHeaderMessage = 0
$PGMessage.ShowLineOne = 1
$PGMessage.ShowLineTwo = 1
$PGMessage.ShowLineThree = 1
$PGMessage.ShowReferLink = 0
$PGMessage.ShowCancel = 1
$PGMessage.ShowCRInfoTip = 0
# Define the reason settings
$PGMessage.Reason = [Avecto.Defendpoint.Settings.Message+ReasonType]::None
$PGMessage.CacheUserReasons = 0
# Define authorization settings
$PGMessage.PasswordCheck = [Avecto.Defendpoint.Settings.Message+AuthenticationPolicy]::None
$PGMessage.AuthenticationType = [Avecto.Defendpoint.Settings.Message+MsgAuthenticationType]::Any
$PGMessage.RunAsAuthUser = 0
# Define Message strings
$PGMessage.MessageStrings.Caption = "This is an elevation message"
$PGMessage.MessageStrings.Header = "This is an elevation message header"
$PGMessage.MessageStrings.Body = "This is an elevation message body"
$PGMessage.MessageStrings.ReferURL = "http://www.bbc.co.uk"
$PGMessage.MessageStrings.ReferText = "This is an elevation message refer"
$PGMessage.MessageStrings.ProgramName = "This is a test Program Name"
$PGMessage.MessageStrings.ProgramPublisher = "This is a test Program Publisher"
$PGMessage.MessageStrings.PublisherUnknown = "This is a test Publisher Unknown"
$PGMessage.MessageStrings.ProgramPath = "This is a test Path"
$PGMessage.MessageStrings.ProgramPublisherNotVerifiedAppend = "This is a test verification failure"
$PGMessage.MessageStrings.RequestReason = "This is a test Request Reason"
$PGMessage.MessageStrings.ReasonError = "This is a test Reason Error"
$PGMessage.MessageStrings.Username = "This is a test Username"
$PGMessage.MessageStrings.Password = "This is a test Password"
$PGMessage.MessageStrings.Domain = "This is a test Domain"
$PGMessage.MessageStrings.InvalidCredentials = "This is a test Invalid Creds"
$PGMessage.MessageStrings.OKButton = "OK"
$PGMessage.MessageStrings.CancelButton = "Cancel"
# Add the PG Message to the PG Configuration
$PGConfig.Messages.Add($PGMessage)

## Add custom Token ##
# Create a new custom Token object
$PGToken = New-Object Avecto.Defendpoint.Settings.Token
# Define the Custom Token settings
$PGToken.Name = "Custom Token 1"
$PGToken.Description = "Custom Token 1"
$PGToken.ClearInheritedPrivileges = 0
$PGToken.SetAdminOwner = 1
$PGToken.EnableAntiTamper = 0
$PGToken.IntegrityLevel = [Avecto.Defendpoint.Settings.Token+IntegrityLevelType]::High
# Add the custom token to the PG Configuration
$PGConfig.Tokens.Add($PGToken)

## Add Policy ##
# Create new policy object
$PGPolicy = New-Object Avecto.Defendpoint.Settings.Policy $PGConfig
# Define policy details
$PGPolicy.Disabled = 0
$PGPolicy.Name = "Policy 1"
$PGPolicy.Description = "Policy 1"
# Add the policy to the PG Configuration
$PGConfig.Policies.Add($PGPolicy)

## Add Policy Rule ##
# Create a new policy rule
$PGPolicyRule = New-Object Avecto.Defendpoint.Settings.ApplicationAssignment $PGConfig
# Define the Application rule settings
$PGPolicyRule.ApplicationGroup = $PGConfig.ApplicationGroups[0]
$PGPolicyRule.BlockExecution = 0
$PGPolicyRule.ShowMessage = 1
$PGPolicyRule.Message = $PGConfig.Messages[0]
$PGPolicyRule.TokenType = [Avecto.Defendpoint.Settings.Assignment+TokenTypeType]::AddAdmin
$PGPolicyRule.Audit = [Avecto.Defendpoint.Settings.Assignment+AuditType]::On
$PGPolicyRule.PrivilegeMonitoring = [Avecto.Defendpoint.Settings.Assignment+AuditType]::Off
$PGPolicyRule.ForwardEPO = 0
$PGConfig.Policies[0].ApplicationAssignments.Add($PGPolicyRule)

## Save the Defendpoint configuration to the local file and prompt for user confirmation ##
Set-DefendpointSettings -SettingsObject $PGConfig -LocalFile -Confirm

Open Local User Policy, Modify then Save

# Import the Defendpoint cmdlet module
Import-Module 'C:\Program Files\Avecto\Privilege Guard Client\PowerShell\Avecto.Defendpoint.Cmdlets\Avecto.Defendpoint.Cmdlets.dll'
# Get the local file policy Defendpoint Settings
$PGConfig = Get-DefendpointSettings -LocalFile
# Disable a policy
$PGPolicy = $PGConfig.Policies[0]
$PGPolicy.Disabled = 1
$PGConfig.Policies[0] = $PGPolicy
# Remove the PG License
$TargetLicense = $PGConfig.Licenses[0]
$PGConfig.Licenses.Remove($TargetLicense)
# Update an existing application definition to match on file hash
$UpdateApp = $PGConfig.ApplicationGroups[0].Applications[0]
$UpdateApp.CheckFileHash = 1
$PGConfig.ApplicationGroups[0].Applications[0] = $UpdateApp
# Save the Defendpoint configuration to the local file policy and prompt for user confirmation
Set-DefendpointSettings -SettingsObject $PGConfig -LocalFile -Confirm

Open Local Configuration and Save to Domain GPO

# Import the Defendpoint cmdlet module
Import-Module 'C:\Program Files\Avecto\Privilege Guard Client\PowerShell\Avecto.Defendpoint.Cmdlets\Avecto.Defendpoint.Cmdlets.dll'
# Get the local Defendpoint configuration and write it to the domain computer policy,
# ensuring the user is prompted to confirm the change
Get-DefendpointSettings -LocalFile | Set-DefendpointSettings -Domain -LDAP "LDAP://My.Domain/CN={GUID},CN=Policies,CN=System,DC=My,DC=domain" -Confirm


A.4.9 - Manual Deployment of the Defendpoint Client

The Defendpoint Client can optionally be deployed manually using any Windows Installer compatible third party deployment system. The Defendpoint Client package is available as both an MSI package and a self-installing executable package, from the Avecto product archive.

Pre-requisites

The Defendpoint Client must be installed in ePO Mode, either by selecting the McAfee ePolicy Orchestrator Integration option when installing the Defendpoint Client, or by using a command-line option if installing the client via a deployment system. This installs the additional components required to communicate with the McAfee Agent.

To install the client MSI package silently in ePO Mode, use the following command line:

MSIEXEC.exe /i DefendpointClient_x(XX).msi /qn EPOMODE=1

To install the client executable silently in ePO Mode, use the following command line (the double quotes are required):

DefendpointClient_x(XX).exe /s /v" /qn EPOMODE=1"

Where (XX) represents 86 or 64 for the 32-bit or 64-bit installation respectively.

The syntax above must be copied exactly for the install to work as designed, including all spacing.

If you are deploying Defendpoint using McAfee ePO, then ePO Mode is automatically enabled.

Disabling ePO Mode

Once installed in ePO Mode, the Defendpoint Client will send events to the McAfee Agent, as well as raising events to the Application Log. If you want to disable ePO Mode at any time, set the following registry value:

HKEY_LOCAL_MACHINE\Software\Avecto\Privilege Guard Agent
    DWORD EPOMode = 0

To re-enable ePO Mode, set the above DWORD value to 1.

A.4.10 - Trusted Application Protection Blacklist

The following list contains all of the applications that are blocked from being launched by trusted applications when Trusted Application Protection is enabled:

- Bash
- BG Info
- Boot Configuration Data Editor
- CDB & NTSD
- CMD - Windows Command Processor
- Command Line Interface for Microsoft® Volume Shadow Copy Service
- CScript - Microsoft® Console Based Script Host
- FSI
- FSI Any CPU
- IEExec
- KD & NTKD
- MSBuild
- mshta
- PSExec
- Registry Console Tool
- Regsvr
- WinDBG
- Windows PowerShell
- Windows PowerShell ISE
- WScript - Microsoft® Windows Based Script Host

A.4.11 - Built-in Groups

Defendpoint includes a number of built-in groups that may be used in any application rule or content rule. They provide a simple and convenient way of applying broad rules to applications and content, in particular when defining 'catch-all' rules. Built-in groups also help to simplify your configurations by reducing the number of groups.

Any Application
    Criteria: Matches any application that executed. Will also match any child applications.
    Valid Types: Executables, Control Panel Applets, Installer Packages, Management Consoles, Windows Scripts, PowerShell Scripts, Batch Scripts, Registry Scripts

Any Signed Application
    Criteria: Matches any application that executed which has been signed by a publisher. Will also match any child applications of signed applications.
    Valid Types: Executables, Control Panel Applets, Installer Packages, Management Consoles, Windows Scripts, PowerShell Scripts

Any Signed UAC Prompt
    Criteria: Matches any application that triggers a Windows UAC prompt and has been signed by a publisher. Will also match any child applications.
    Valid Types: Executables, Installer Packages, COM Classes

Any UAC Prompt
    Criteria: Matches any application that triggers a Windows UAC prompt. Will also match any child applications.
    Valid Types: Executables, Installer Packages, COM Classes

A.4.12 - Automating the Update of Multiple GPOs

The PGUpdateGPO.exe command line utility allows you to automate the update of Defendpoint settings in multiple computer or user GPOs (Group Policy Objects).

The PGUpdateGPO.exe utility is used as follows:

PGUpdateGPO.exe COMPUTER GPODSPath [SourceXMLFile]

PGUpdateGPO.exe USER GPODSPath [SourceXMLFile]

Where:

- GPODSPath is the LDAP path to the GPO
- SourceXMLFile is the location of the Defendpoint Settings XML file on disk

The command line below demonstrates using this utility to copy an XML file from the current directory into the computer section of a GPO stored in avecto.test:

PGUpdateGPO.exe COMPUTER "LDAP://avecto.test/cn={97B1DB2E-D68B-45EA-98FF-D71F9971F44C},cn=policies,cn=system,DC=avecto,DC=test" PrivilegeGuardConfig.xml

Where:

- {97B1DB2E-D68B-45EA-98FF-D71F9971F44C} is the GUID of the GPO.
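The following script is an added example and is not part of the Avecto guide. It does what the section title promises for more than one GPO: it resolves each GPO by name with the GroupPolicy module, builds the LDAP path in the form the command line above uses from the GPO's GUID and domain, and calls PGUpdateGPO.exe once per GPO. The function name is mine; it assumes the RSAT GroupPolicy module is installed, that the caller has edit rights on the GPOs, that PGUpdateGPO.exe is on the PATH (or is given via -UtilityPath), and that a non-zero exit code means failure, which this page does not document.

```powershell
# Added example, not code from the Avecto guide. Pushes one Defendpoint Settings XML file
# into several GPOs by running PGUpdateGPO.exe once per GPO.
# Assumptions: GroupPolicy module available; PGUpdateGPO.exe exit code 0 means success.

function Update-DefendpointGpoSettings {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string[]]$GpoName,
        [Parameter(Mandatory)][string]$SourceXmlFile,
        [ValidateSet('COMPUTER', 'USER')][string]$Section = 'COMPUTER',
        [string]$UtilityPath = 'PGUpdateGPO.exe'
    )

    Import-Module GroupPolicy -ErrorAction Stop
    # Resolve to a full path once; PGUpdateGPO.exe is given the same file for every GPO.
    $xml = (Resolve-Path -Path $SourceXmlFile -ErrorAction Stop).Path

    foreach ($name in $GpoName) {
        $gpo = Get-GPO -Name $name -ErrorAction Stop

        # Domain DNS name -> distinguished name, e.g. avecto.test -> DC=avecto,DC=test
        $domainDn = 'DC=' + (($gpo.DomainName -split '\.') -join ',DC=')
        # Same shape as the worked example above: LDAP://<domain>/cn={<guid>},cn=policies,cn=system,<dn>
        $ldapPath = 'LDAP://{0}/cn={{{1}}},cn=policies,cn=system,{2}' -f $gpo.DomainName, $gpo.Id, $domainDn

        if ($PSCmdlet.ShouldProcess($name, "$UtilityPath $Section $ldapPath")) {
            & $UtilityPath $Section $ldapPath $xml
            [pscustomobject]@{
                Gpo      = $name
                LdapPath = $ldapPath
                ExitCode = $LASTEXITCODE
                Success  = ($LASTEXITCODE -eq 0)
            }
        }
    }
}

# Usage (GPO names are placeholders); -WhatIf prints the command lines without running them:
# Update-DefendpointGpoSettings -GpoName 'Defendpoint Workstations', 'Defendpoint Servers' `
#     -SourceXmlFile .\PrivilegeGuardConfig.xml -WhatIf
```

Run it with -WhatIf first to review the generated LDAP paths, then without it. If the settings being pushed are signed (see A.4.13), sign the XML once and push the signed file; re-signing per GPO is unnecessary because the utility copies the file as-is.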

A.4.13 - Signing Defendpoint Settings

The Defendpoint Settings may be digitally signed, and the Defendpoint Client can either enforce or audit the loading of signed settings.

Client Installation Mode Parameters

The Defendpoint Client will verify the certificate on any signed settings that it loads, regardless of where those settings originate. The verification process includes:

- Checking that the contents of the settings have not been altered.
- Establishing a chain of trust.
- Checking that the certificate used to sign the settings contains the Defendpoint Configuration Signing OID in its Enhanced Key Usage extension.
- Checking for revocation where network connectivity allows.

Should the signature verification process fail for any reason, the course of action that is taken will depend upon the mode of operation. There are three modes of operation within the Defendpoint Client. The mode is set via a command line option during installation:

Parameter      Description
CERT_MODE=0    Standard Mode
CERT_MODE=1    Certificate Warning Mode
CERT_MODE=2    Certificate Enforcement Mode

For example, to install the client MSI package silently in Certificate Warning Mode, use the following command line (the syntax must be copied exactly):

MSIEXEC.exe /i DefendpointClient.msi /qn CERT_MODE=1

To install the client executable silently in Certificate Warning Mode, use the following command line (the syntax must be copied exactly):

DefendpointClient.exe /s /v" /qn CERT_MODE=1"

CERT_MODE=0 (Standard Mode)
The loading of unsigned settings is audited as an information event (event 200). Signed settings are audited as an information event (event 200) if they are correctly signed and as a warning event (event 201) if they are incorrectly signed. The Defendpoint Client is installed in Standard Mode by default.

CERT_MODE=1 (Certificate Warning Mode)
The loading of unsigned settings is audited as a warning event (event 201). Signed settings are audited as an information event (event 200) if they are correctly signed and as a warning event (event 201) if they are incorrectly signed.

CERT_MODE=2 (Certificate Enforcement Mode)
Unsigned or incorrectly signed settings are not loaded, and the refusal is audited as an error event (event 202). Signed settings are audited as an information event (event 200) if they are correctly signed. This is the only mode in which unsigned or tampered settings are prevented from taking effect; modes 0 and 1 record the problem but still apply the settings.
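The following script is an added example and is not part of the Avecto guide. It combines the three installation switches this guide documents separately (POLICYPRECEDENCE in A.4.1, EPOMODE in A.4.9 and CERT_MODE above) into one silent msiexec install, checks the Windows Installer exit code, and then reads back the two values the guide locates in the registry so the deployment can be verified on the endpoint. The function name, the log path and the treatment of exit codes 0 and 3010 (success and success-with-reboot, standard Windows Installer codes) are mine; CERT_MODE has no documented registry location on this page, so it is not read back.

```powershell
# Added example, not code from the Avecto guide. Silent install of the Defendpoint Client
# with ePO mode, certificate mode and policy precedence set together, followed by a
# read-back of the registry values documented in A.4.1 and A.4.9.
# Assumptions: run elevated; msiexec exit codes 0 and 3010 are treated as success.

function Install-DefendpointClient {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$MsiPath,           # e.g. C:\Deploy\DefendpointClient_x64.msi
        [ValidateSet(0, 1, 2)][int]$CertMode = 0,          # product default is 0; 2 enforces signed settings
        [switch]$EpoMode,                                  # EPOMODE=1, required for McAfee ePO deployments
        [string[]]$PolicyPrecedence = @('EPO', 'WEBSERVICE', 'WEBSERVER', 'GPO', 'LOCAL'),
        [string]$LogPath = (Join-Path $env:TEMP 'DefendpointClient-install.log')
    )

    # Windows Installer public properties are upper case; the precedence list is quoted
    # because it contains commas, exactly as in the A.4.1 command line.
    $msiArgs = @(
        '/i', ('"{0}"' -f $MsiPath), '/qn', '/norestart',
        '/l*v', ('"{0}"' -f $LogPath),
        ('CERT_MODE={0}' -f $CertMode),
        ('POLICYPRECEDENCE="{0}"' -f ($PolicyPrecedence -join ','))
    )
    if ($EpoMode) { $msiArgs += 'EPOMODE=1' }

    if (-not $PSCmdlet.ShouldProcess($MsiPath, "msiexec.exe $($msiArgs -join ' ')")) { return }

    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    if ($proc.ExitCode -notin @(0, 3010)) {
        throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath"
    }

    # Read back what the guide documents: PolicyPrecedence/PolicyEnabled under the Client
    # key (A.4.1) and EPOMode under the Agent key (A.4.9).
    $client = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Avecto\Privilege Guard Client' -ErrorAction SilentlyContinue
    $agent  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Avecto\Privilege Guard Agent'  -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ExitCode         = $proc.ExitCode
        RebootRequired   = ($proc.ExitCode -eq 3010)
        PolicyPrecedence = $client.PolicyPrecedence
        PolicyEnabled    = $client.PolicyEnabled
        EPOMode          = $agent.EPOMode
        LogPath          = $LogPath
    }
}

# Usage (path is a placeholder); -WhatIf shows the msiexec command line without installing:
# Install-DefendpointClient -MsiPath 'C:\Deploy\DefendpointClient_x64.msi' -EpoMode -CertMode 2 -WhatIf
```

Choose -CertMode 2 only once every settings source in PolicyPrecedence is being signed, since in that mode an unsigned or incorrectly signed configuration is refused (event 202) rather than merely logged.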

Creating a PFX File for use with Defendpoint

The Defendpoint Settings console requires access to a certificate and private key in order to digitally sign XML configuration. They must both be contained within a PFX (PKCS#12) format file, and the certificate must specifically be designated as suitable for signing Privilege Guard XML configuration. This is done via the Enhanced Key Usage extension when generating certificates.

This approach provides another means of ensuring that configuration cannot be created and signed by rogue users with access to a digital signature certificate intended for a different purpose (for example, a code-signing or document-signing certificate).

Avecto has defined the following OID that should be added to the Enhanced Key Usage extension:

1.2.826.0.1.6538381.1.1.1 (Avecto Privilege Guard - Configuration - XML Configuration Signing)

The Defendpoint Settings console does not check for the existence of this key usage; the checks are performed when verifying digital signatures in the Defendpoint service on the client. A configuration that is signed with a certificate that does not contain the specified Enhanced Key Usage extension will always fail signature verification, so verify the certificate before signing and distributing settings rather than discovering the problem on the endpoints.

The following sections provide details of two methods that can be used to generate a suitable PFX file, but it should be possible to use any Certification Authority to produce certificates with the appropriate Enhanced Key Usage extension.

Using MakeCert to Generate your Certificate

Makecert is a certificate generation tool from Microsoft (shipped with the Windows SDK) that can be used to generate certificates for testing purposes. Microsoft has deprecated it in favor of the New-SelfSignedCertificate PowerShell cmdlet, which can produce an equivalent certificate.

The following makecert command line can be used to generate a certificate suitable for signing Privilege Guard configuration:

makecert -r -pe -n "CN=PG Signed XML Configuration" -sky signature -eku 1.2.826.0.1.6538381.1.1.1 -ss my


The parameters can be changed as required. The example generates a self-signed certificate (-r) with an exportable private key (-pe) and a signature key (-sky signature), and adds it to the calling user's personal certificate store (-ss my). The certificate must then be exported to a PFX file along with the private key in the usual way.

The important parameter in the example is the addition of the Defendpoint Configuration Signing OID to the Enhanced Key Usage extension (-eku 1.2.826.0.1.6538381.1.1.1).

If a self-signed certificate is used to sign the Defendpoint Settings, the certificate must be distributed to all clients (as a trusted root) in order for a chain of trust to be established and for signature verification to be successful. See Distributing Public Keys detailed on page 163 for more information.
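The same certificate generated with PowerShell instead of makecert, followed by a pre-flight check of the exported PFX, as an added example that is not from the Avecto guide. It assumes the PKI module of Windows 10 / Windows Server 2016 or later (for the -Type, -TextExtension, -KeyUsage and -Provider parameters). The subject name, file names, two-year validity, CAPI provider choice and the function name Test-DefendpointSigningPfx are assumptions; the OID is the one defined above.

```powershell
# Added example, not from the Avecto guide. Subject, paths, validity and provider are assumptions.
$ConfigSigningOid = '1.2.826.0.1.6538381.1.1.1'   # OID defined by Avecto for configuration signing
$OutDir  = Join-Path $env:USERPROFILE 'DefendpointSigning'
$PfxPath = Join-Path $OutDir 'DefendpointConfigSigning.pfx'   # certificate + private key, for the Settings console
$CerPath = Join-Path $OutDir 'DefendpointConfigSigning.cer'   # public certificate only, for distribution to clients
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$PfxPassword = Read-Host -AsSecureString -Prompt 'Password for the new PFX'

# makecert -r -pe -sky signature -ss my -eku <oid> maps onto the parameters below.
# 2.5.29.37 is the Enhanced Key Usage extension; {text} takes a comma-separated OID list.
# -Type Custom stops the cmdlet adding its default Server/Client Authentication EKUs, so the
# certificate carries only the Defendpoint OID. A CAPI provider is chosen to match makecert's
# default (assumption: legacy signing code may not accept a CNG-only key).
$cert = New-SelfSignedCertificate `
    -Type Custom `
    -Subject 'CN=PG Signed XML Configuration' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
    -KeySpec Signature `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature `
    -KeyExportPolicy Exportable `
    -TextExtension @("2.5.29.37={text}$ConfigSigningOid") `
    -NotAfter (Get-Date).AddYears(2)

Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath $CerPath | Out-Null

function Test-DefendpointSigningPfx {
    # Reports whether a PFX is usable by the Settings console (has a private key) and will pass
    # the client's EKU check (carries the configuration-signing OID). The console itself does not
    # check the EKU, so run this before signing anything.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password,
        [string] $RequiredOid = $ConfigSigningOid
    )
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path, $Password
    $ekus = @($c.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    [pscustomobject]@{
        Subject             = $c.Subject
        Thumbprint          = $c.Thumbprint
        NotAfter            = $c.NotAfter
        HasPrivateKey       = $c.HasPrivateKey
        EnhancedKeyUsages   = $ekus
        HasConfigSigningEku = $ekus -contains $RequiredOid
        SelfSigned          = $c.Subject -eq $c.Issuer
    }
}

$report = Test-DefendpointSigningPfx -Path $PfxPath -Password $PfxPassword
$report | Format-List
if (-not ($report.HasPrivateKey -and $report.HasConfigSigningEku)) {
    throw "PFX is not suitable for signing Defendpoint settings:`n$($report | Out-String)"
}
```

Test-DefendpointSigningPfx also works on a PFX obtained from a third-party provider or an internal CA, which is the case where the EKU is most likely to be missing. For a self-signed certificate the .cer file is what has to reach every client's Trusted Root Certification Authorities store (for example through the Group Policy distribution referred to under Distributing Public Keys); the .pfx stays with the administrators who sign settings.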

Using Certificate Template in a Certificate Request

Once the certificate template has been published for the CA to issue (see Creating a Defendpoint Configuration Certificate Template and Issuing the Certificate below), it can be selected during an advanced certificate request via the certsrv web interface: choose Request a certificate, then advanced certificate request, and select the Defendpoint Configuration template from the Certificate Template list.

Once the certificate has been issued, it must be installed by the requesting user before it can be exported to a PFX file in the usual way.

The private key must be exported to the PFX file as well, so the template must permit the private key to be exported.
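Enrolling from the template without the certsrv web pages, using the PKI module's Get-Certificate cmdlet, as an added example that is not from the Avecto guide. The template name DefendpointConfigSigning and the output path are assumptions: use the Template name (not the display name) entered on the General tab of the Defendpoint Configuration template created under Using Microsoft Certificate Services, which must already be issued by the CA and grant the requesting user Enroll permission.

```powershell
# Added example, not from the Avecto guide. Template name and output path are assumptions.
$TemplateName     = 'DefendpointConfigSigning'      # the Template name, not the display name
$ConfigSigningOid = '1.2.826.0.1.6538381.1.1.1'    # OID defined by Avecto for configuration signing
$PfxPath          = Join-Path $env:USERPROFILE 'DefendpointConfigSigning.pfx'

# Request a certificate from the enterprise CA using the template. If the template's Subject Name
# is set to "Supply in the request", add -SubjectName 'CN=PG Signed XML Configuration'.
$enrollment = Get-Certificate -Template $TemplateName -CertStoreLocation 'Cert:\CurrentUser\My'
if ($enrollment.Status -ne 'Issued') {
    # Pending means CA manager approval is required; retrieve the certificate later with
    # Get-Certificate -Request $enrollment once it has been approved.
    throw "Enrollment did not complete: status is $($enrollment.Status)"
}
$cert = $enrollment.Certificate

# The Settings console does not check the EKU, so confirm the template stamped it before signing.
$ekus = @($cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } |
    ForEach-Object { $_.Value })
if ($ekus -notcontains $ConfigSigningOid) {
    throw "Issued certificate lacks EKU $ConfigSigningOid; check the template's Application Policies extension."
}

# Export certificate and private key together, as the Settings console requires.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the PFX'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null
"Exported $($cert.Thumbprint) to $PfxPath"
```

Export-PfxCertificate fails if the template was duplicated without Allow private key to be exported enabled on its Request Handling tab; that option has to be set on the template before enrollment, since it cannot be applied to a key that was already generated as non-exportable.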


Using Microsoft Certificate Services

Microsoft Certificate Services is a useful way for organizations to run their own Certification Authority. In its enterprise editions, Certificate Services integrates with Active Directory to publish certificates and Certificate Revocation Lists to a location that is accessible to all computers in the Active Directory domain.

Custom (version 2 and 3) certificate templates can only be managed using an enterprise CA, therefore the following procedure is only possible on the Enterprise edition of Windows Server 2008 R2.

Creating a Defendpoint Configuration Certificate Template

The easiest way to create a certificate with the Avecto Defendpoint Configuration Signing Enhanced Key Usage extension is to create a new certificate template. Certificate templates allow the content and format of certificates to be defined so that users can request a certificate using a simple template rather than having to generate a complex certificate request.

In order to create a new certificate template, an existing template must be duplicated and then modified.

To create a new version 2 or 3 certificate template:

1. Open the Certificate Templates snap-in.
2. In the details pane, right-click an existing certificate template that will serve as the starting point for the new template, and select Duplicate Template.
3. Choose whether to duplicate the template as a Windows Server 2003-based (version 2) template or a Windows Server 2008 R2-based (version 3) template.
4. On the General tab, enter the Template display name and the Template name, and click OK.
5. Define any additional attributes for the newly created certificate template.

The template must then be edited in order to make it suitable for signing Defendpoint configuration. This is done by adding the Avecto Defendpoint Configuration Signing OID as an application policy for the template.

Firstly, the Configuration Signing OID must be defined as an application policy.

To define an object identifier:

1. Open the Certificate Templates snap-in.
2. In the details pane, right-click the certificate template you want to modify, and then click Properties.
3. On the Extensions tab, click Application Policies, and then click Edit.
4. In the Edit Application Policies Extension dialog box, click Add.
5. In Add Application Policy, ensure that the Defendpoint Configuration Signing policy that you are creating does not already exist, and then click New.
6. In the New Application Policy dialog box, provide the name and OID for the new application policy (1.2.826.0.1.6538381.1.1.1), and then click OK.


Now that the application policy has been defined, you can associate it with the certificate template.

To associate the application policy with the certificate template:

1. Open the Certificate Templates snap-in.
2. In the details pane, right-click the certificate template you want to change, and then click Properties.
3. On the Extensions tab, click Application Policies > Edit.
4. In Edit Application Policies Extension, click Add.
5. In Add Application Policy, click the Defendpoint Configuration Signing application policy, and then click OK.

Issuing and Distributing the Certificate

Once the certificate template has been created in the Certificate Templates snap-in and has replicated to all domain controllers in the forest, it can be published for deployment. The final task for publishing the certificate template is to select it for the CA (Certification Authority) to issue.

Issuing the Certificate

To define which certificate templates are issued by a CA:

1. In Administrative Tools, click Certification Authority.
2. In the console tree, expand CAName (where CAName is the name of your enterprise CA).
3. In the console tree, select the Certificate Templates container.
4. Right-click Certificate Templates, and then click New, Certificate Template to Issue.
5. In the Enable Certificate Templates dialog box, select the Defendpoint Configuration certificate template that you want the CA to issue, and then click OK.

Distributing Public Keys

In order for signature verification to be successful at every client that reads signed Defendpoint Settings, a chain of trust must be established. For this to be done, a suitable trust point (the issuing CA's certificate, or the self-signed signing certificate itself) must be distributed to each client that will receive the Defendpoint Settings. This is done automatically for domain-joined clients when using a Microsoft enterprise CA, whose certificate is published to Active Directory.

Alternatively, public keys can be distributed via Group Policy, as discussed in the following TechNet article: Use Policy to Distribute Certificates.


If you rely on a third-party provider for certificates rather than an internal PKI, ask the provider for a "key signing ceremony" in which you can specify the certificate parameters, such as the custom extended key usage value described in this appendix.

Creating and Editing Signed Settings

In order to digitally sign Defendpoint settings, a PFX file containing an appropriate certificate and private key must be supplied, alongside the corresponding password for the PFX file.

For settings to be correctly signed, the certificate must carry the Enhanced Key Usage OID that is specific to Avecto Defendpoint. The chain of trust and revocation status are also checked by the client. If the settings have been tampered with since signing, the settings will also fail the signature check.

For more information about creating certificates suitable for use with Defendpoint, please refer to Creating a PFX File for use with Defendpoint detailed on page 160.

To digitally sign the Defendpoint Settings:

1. Select the Defendpoint Settings node.
2. Right-click and select Digitally Sign.
3. The Digitally sign your Defendpoint Settings wizard appears.
4. Check the Sign the settings with the following private key option.
5. Click the Select key button and browse for the PFX file that contains your digital certificate.
6. Enter the password for the PFX file.
7. Click Finish.

To remove the digital signature from the Defendpoint Settings:

1. Select the Defendpoint Settings node.
2. Right-click and click Digitally Sign.
3. The Digitally sign your Defendpoint Settings wizard appears.
4. Select the Do not sign the settings option.
5. Click Finish.

Once the Defendpoint Settings have been digitally signed, the Defendpoint Policy Editor will prompt the administrator for the corresponding PFX password when the settings are opened.


To modify the signed settings, you must enter a valid password for the PFX. Alternatively, you can select to remove the certificate from the settings, or open the settings in Read Only mode. Canceling this prompt automatically opens the settings in Read Only mode.

Behavior when Failing to Verify Policy Certificate

When using signed Defendpoint Settings, timely certificate revocation enforcement may be desired. The scenario in which revocation cannot be checked is most common for clients unable to reach the CRL source because they are off the corporate network for extended periods of time.

By default the Defendpoint Client will allow certificates whose revocation cannot be confirmed via the Microsoft Crypto APIs from either cached information or directly from the CRL source (that is, it fails open).

The following registry configuration may be used to change the default behavior:

HKEY_LOCAL_MACHINE\SOFTWARE\Avecto\Privilege Guard Client

DWORD "CRLNetworkErrorFailOpen" = 0
Failure to retrieve the CRL is deemed an error and the policy will not be loaded.

DWORD "CRLNetworkErrorFailOpen" = 1
Failure to retrieve the CRL is deemed a warning and the policy will still be loaded. This is the default behavior if this registry value has not been configured.

The CRL is cached when downloaded and honored until its Time To Live (TTL) has expired (standard Microsoft CryptoAPI behavior). The CRL publication interval and validity period are configured on the Certification Authority according to requirements, and Microsoft Group Policy provides centralized configuration of the client-side revocation checking settings. Security and usability need to be balanced according to your organization's risk tolerance: a short CRL lifetime combined with CRLNetworkErrorFailOpen = 0 means a client that stays off the network longer than its cached CRL remains valid will stop loading policy.

Prior settings from the same source type (GPO, HTTP, etc.) are deleted before the newly acquired settings are verified. This could lead to no policy being in effect on the endpoint if invalid settings are delivered and no valid settings from other sources are in place.
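Setting the fail-closed behavior, and reading back what is actually in effect, as an added PowerShell example that is not part of the Avecto guide. The registry path and value name are the ones documented above; the function names are assumptions, and an absent value is reported as the documented fail-open default.

```powershell
# Added example, not from the Avecto guide. Path and value name are those documented above.
$RegPath   = 'HKLM:\SOFTWARE\Avecto\Privilege Guard Client'
$ValueName = 'CRLNetworkErrorFailOpen'

function Get-DefendpointCrlBehavior {
    # An absent value means the documented default: a CRL retrieval failure is a warning and
    # policy still loads (fail open). Any value other than 0 is also fail open.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Configured = $false; Value = $null; Behavior = 'FailOpen (default, value not set)' }
    }
    $v = [int]$item.$ValueName
    [pscustomobject]@{
        Configured = $true
        Value      = $v
        Behavior   = if ($v -eq 0) { 'FailClosed (CRL error: policy not loaded)' } else { 'FailOpen (CRL error: warning, policy loaded)' }
    }
}

function Set-DefendpointCrlBehavior {
    # Writes the DWORD. Requires administrative rights (HKLM). Use -WhatIf to preview the change.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [ValidateSet('FailClosed', 'FailOpen')] [string] $Behavior
    )
    $value = if ($Behavior -eq 'FailClosed') { 0 } else { 1 }
    if (-not (Test-Path $RegPath)) {
        # The key is normally created by the Defendpoint Client installer; its absence usually
        # means the client is not installed on this machine.
        Write-Warning "$RegPath does not exist; is the Defendpoint Client installed?"
        if ($PSCmdlet.ShouldProcess($RegPath, 'Create registry key')) {
            New-Item -Path $RegPath -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess("$RegPath\$ValueName", "Set DWORD to $value ($Behavior)")) {
        New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord -Value $value -Force | Out-Null
    }
    Get-DefendpointCrlBehavior
}

# Before: report the behavior currently in effect.
Get-DefendpointCrlBehavior

# Harden: a CRL that cannot be retrieved (and is not in the CryptoAPI cache) blocks policy loading.
Set-DefendpointCrlBehavior -Behavior FailClosed
```

Before rolling fail-closed out, confirm that clients can reach the CRL distribution point of the signing certificate's chain, for example with certutil -verify -urlfetch against the exported .cer file, which lists every CRL and OCSP URL it fetches and whether each succeeded. Combined with the note above that prior settings from the same source are deleted before verification, an endpoint whose CRL fetch fails under fail-closed is left with no policy from that source, so size the CRL validity period to cover the longest expected offline period.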

A.5 - Databases

A.5.1 - Database Sizing and Resource Consumption

Data Retention Considerations

The Audit Event and Microsoft SQL Server Reporting Services databases used to support Avecto Defendpoint Enterprise Reporting may be hosted and scaled independently.

It is important to identify the length of time that Defendpoint audit event data must be retained in the Defendpoint database, as it drives resource utilization projections and initial allocation.

Defendpoint Enterprise Reporting is designed to report on recent activity, not as a long-term archival data storage solution.

• Avecto provides a database purge utility that may be used to purge data manually, or automatically on a configured period, to ensure database growth is capped.

• Unlimited database growth inevitably reduces query execution performance and increases resource utilization for queries.

Prior to purging large sets of data, please ensure your SQL transaction logs are able to grow to accommodate the delete. It may be necessary to delete data in stages when setting this up for the first time.

In order to facilitate your decision making regarding retention time in the Defendpoint database, please refer to the following sections in our standard documentation:

• Description of the views of data exposed in Defendpoint Enterprise Reporting. See the Reporting Dashboard Guide.

• Description of the events audited by Defendpoint in the Defendpoint for Windows Administration Guide. See Windows Process Events detailed on page 129 for more information.

• Description of the workstyle parameters. You may consider these as the fields that are collected in the audit events, eventually stored in the Defendpoint Audit Events database. For more information see Windows Workstyle Parameters detailed on page 150.

Database Sizing

The Audit Event database has to be sized to accommodate substantial data volume, matching the number of clients generating audit data and the desired retention period.


Database storage requirements may be estimated roughly using the following calculation:

Number of hosts × Number of events per host per day × 5 KB per event × Number of retention days

For example, an organization of 10,000 hosts, with each host generating an average of 15 events per day and requiring a 30 day retention, would require a database capacity of:

10,000 × 15 × 5 KB × 30 = 22,500,000 KB, or approximately 21.5 GB

A typical event volume would be 10-20 events per host per day, and varies based on Defendpoint auditing configuration, user job function (role/workstyle) and user activity patterns.

Please refer to the Defendpoint Database sizing calculator to further explore database sizing and growth expectations.

Database resource utilization (CPU, memory) is highly variable depending on the hardware platform.

Example Use Case Volumes

Based on an organization of 10,000 hosts requiring a 42 day (six weeks) retention, at 4.6 KB per event (based on real world data):

Discovery: between 40 and 60 events per machine per day. Average total: 67.06 GB.

Production: between 2 and 10 events per machine per day. Average total: 5.66 GB.

If the number of events per machine per day is raised to 15, the average total increases to 16.99 GB.

Key considerations

Volume of inbound audit event records
As seen above, the number of inbound events per day, and hence per hour, may be estimated with the same simple calculation.

Queries triggered from Microsoft SQL Server Reporting Services reports
As the database grows in size, the resource impact of the reporting platform queries becomes important.

The volume of data maintained in the audit event database will affect the duration and resource cost of these queries.


To maintain good performance, it is recommended that the ER Purge Utility is used to limit the timespan of audit event data retained in the database.

Finer-grained audit data management and clean-up is possible using the ER Database Administration Dashboard. The Database Administration Dashboard allows the purging of audits related to specific applications and suppression of incoming audit items related to those applications. For more information, please refer to the Database Administration description in the Reporting Dashboard Guide.

Prior to purging large sets of data, please ensure your SQL transaction logs are able to grow to accommodate the delete. It may be necessary to delete data in stages when setting this up for the first time.