Application Control Events

Receiving Statistics Configuration

To activate sending the information for the Application Control events from the stations

1.In the Anti-virus network section, in the network tree select station or station group with Application Control installed from which you want to receive information on applications launch.

2.In the control menu, select Windows → Dr.Web Agent if you selected a group, or Dr.Web Agent if you selected a station.

3.On the General tab, set the Track Application Control events flag to track processes activity at stations detected by Application Control and send events to Dr.Web Server. If there is no connection with Dr.Web Server, events are collected and sent upon connect. If the flag is cleared, processes activity is ignored.

4.Click Save.

To activate collecting the information for the Application Control events at Dr.Web Server

1.In the Administration → Dr.Web Server configuration section, go to the Statistics tab.

2.Set one of the following options:

Application Control statistics on processes activity to receive and write information on any activity of all processes: either allowed or prohibited to launch by Application Control. Setting this option will enable registration of applications in the catalog, as long as at least one profile is created and assigned, with one or several categories of functional analysis criteria selected.
Before creating the profiles and assigning them to stations of anti-virus network, all applications are allowed to be launched.

Application Control statistics on processes blocking to receive and write information on activity of all processes prohibited to launch by Application Control. For this option, applications will be written to the catalog only after creating profiles by the settings of which application launch will be blocked, and assigning these profiles on stations of anti-virus network.

info

The Application Control statistics on processes activity flag may significantly increase resource intensity of statistics collecting over all anti-virus network.

3.Click Save.

4.Restart Dr.Web Server.

5.After restarting, Dr.Web Server starts collecting statistics on applications launch received from all stations with Application Control installed.

Viewing Statistics

To view events detected on stations by Application Control component

1.In the hierarchical list select a station or a group.

2.In the control menu select Application Control events item from the Statistics section.

3.The window containing the list of applications which were prohibited or allowed to run at the selected stations will be opened.

4.The statistics for last 24 hours are displayed by default. To view the data for certain time period, specify the certain time period relatively today in the drop-down list, or select the arbitrary date range on the toolbar. To select the arbitrary date range, enter required dates or click the calendar icons next to the date fields. To load data, click Refresh. The tables with statistics will be loaded. The table below contains the description of the table columns.

Description of the columns in the Application Control Events table

Column Name

Description

Identifier

Station identifier

Station

Station name

Station address

Station address

Security identifier

Security identifier of the user account

User

Station user

Event type

Type of event detected on the station

Applied action

Action applied to the application launched on the station

Functional analysis criterion

Criterion for allowing or blocking application on the station

Functional analysis mask

Parameter of the functional analysis criterion. This parameter determines whether the application is allowed to run on the station or not.

Profile ID

Profile identifier

Profile name

Profile name

Rule ID

Rule identifier

Rule name

Rule name

Operation mode

Operation mode of the rule

Process file path

Process file path

Process

A process that is allowed or prohibited to launch on the station

Bulletin with process hash

Bulletin containing the hash of the launched process file

Script file path

Script file path

Script

Script file

Bulletin with script hash

Bulletin containing the hash of the launched script file

Event occurrence

Date and time when the event occurred

Event notification

Date and time of event notification

File hash (SHA-256)

The hash value of the file (SHA-256 algorithm)

File description

File description

Publisher

Publisher of the file

Certificate issuer

Certification authority that issued the certificate

Certificate thumbprint (SHA-1)

The hash value of the certificate (SHA-1 algorithm)

Certificate start date

Certificate start date

Certificate end date

Certificate end date

5.To save the table for printing or future processing, click one of the following buttons:

icon-export-csv Save data in CSV file,

icon-export-html Save data in HTML file,

icon-export-xml Save data in XML file,

icon-export-pdf Save data in PDF file.

info

When a profile or rule is in test mode, applications launched on assigned workstations are checked against each step of the entire Application Control scheme, top to bottom. Displayed statistics will include all cases when an application matched any of the criteria: functional analysis settings, rules, and trusted applications group. Therefore, one application may have several records in the Applied action column saying that it was allowed by one criterion and/or blocked by another.

Creating Rules

To create a new rule basing on the event statistics of the Application Control

1.In the Statistics → Application Control events section, select a row with the event in the attempt to launch an application for which you want to create the rule for controlling the launch.

2.The table row click opens the window with information on the selected event.

3.Click Create rule (вased on object data or based on process data).

4.The window for creation of a new rule will be opened. Specify the following settings:

a)In the Profile name drop-down list, select the Application Control profile for which the rule will be created.

b)In the Rule name filed, specify the name of creating rule.

c)For the Rule type option, select the type of creating rule: deny or allow.

d)For the Operation mode option, select the operation mode of the creating rule (corresponds the Switch rule to test mode flag at rule creation in a profile):
If you want to check the rule operation, select the Test option. Applications will not be blocked at stations, but the activity log will be written as for enabled settings. Application launch and block results based on a rule in test mode will be displayed in the Application Control Events section.
With the Active option, the rule operates in active mode and blocks applications at stations by specified rule settings (see also modes of profiles operation).

e)In the Prohibit the launch of applications on the following criteria/Allow the launch of applications on the following criteria section (depending on the rule type selected at step 4b), the fields will be automatically specified in accordance with the applications on the base of which the rule is creating. If necessary, you can edit the settings.

5.Click Save. The rule will be created in the specified profile of the Application Control.