Information on the Action tab

On this tab you determine how application control will respond to the entries on the Filter tab.

 

  1. Select the appropriate action:

    • Allow: Select this option if you do not require any further action. This setting corresponds to 'Allow'.
    • Block: Choose Block if you want to prevent specific events depending on the access mode or the target. For example, this action prevents an application or script from running, or a DLL from loading. This is the default setting.
    • Ask user: Select this option to let users decide whether to allow the action. For example, it is then up to the user to decide whether a PowerShell script is run or not.

      Rule evaluation is stopped for these options (Allow, Block and Ask user).

    • Modify reporting: This option takes no further action; it only changes the reporting. Further below you can indicate whether the command line will be displayed in the event. Note that with this option the evaluation of the rules continues.

    Please note that these actions provide additional protection for particularly vulnerable processes. 'Allow' can still be blocked by a setting in a whitelist or blacklist, but 'Block' overrides the setting in a whitelist rule!

  2. Specify one of the following mechanisms that applies to targets other than the ones defined on the Filter tab:

    • Block access to other targets

      Allow access only to the targets that are explicitly allowed, and block all other targets.

    • Block access by other applications

      Only applications with explicit permission are allowed access; all other applications are blocked.

      Example: Only the bank application from use case no. 4 may access the bank directory; no other application may.

  3. Determine which events will be generated:

    The Generate audit events when access is denied option is selected by default. You can additionally or alternatively select the Generate audit events when access is allowed option. Use this option, for example, if you want to allow execution of specific scripts in a rule and want to generate the associated events. All events are displayed in the DriveLock Operations Center (DOC). Both options are also suitable for the simulation mode.

    Please note that a large number of events will be created if you select both options.

  4. The option Show command line in event specifies that the event reporting an allowed or blocked process start may also display the command line parameters in the Events and Alerts node, Application Control sub-node. The option is disabled by default.

    Please note that the command line may contain confidential data, such as passwords.