Application collection rule

This rule has no user restrictions.

The task pad view provides you with two samples that you can use immediately. With one rule you can learn and control the behavior of different browsers and with the other one that of different e-mail clients (the corresponding application collections are created simultaneously in the Application collections folder).

Based on the behavior of browsers during updates, the following example explains the dialog options:

  1. The General tab contains the following information:

    • Rule type: Learning and Awareness

      The Learning and Awareness option only controls the learning settings, but does not determine whether a specific program may be started or not (as would be the case with the white or black list options).

      This decision is based on the hashes of the files (in hash rules), which are automatically managed by Application Control.

    • Rule name: Learn the behavior of browsers

    • Application collection: Browsers

      Make sure that the application collection contains all common browsers and exists already.

  2. The following options are available on the Local Learning tab:

    • The application may start programs that are not included in any whitelist

      By selecting this option, any service process that is to execute a browser update can be started, even if this service process is not explicitly whitelisted. This option also allows the service process to start the actual browser update, which is not whitelisted either.

    • Learn all program files written by this application (including child processes)

      To enable the browser update to terminate the actual browser and service process and to replace the corresponding files with the updated version of the browser, all child processes of the service process must be automatically added to a whitelist.

      This means that the actual browser, being a child process of the service process, will be able to start programs that are not explicitly allowed. In addition, all the files that the browser writes are also automatically added to the whitelist.

    As neither of these options are wanted for browsers, it is important to configure the browser so that such permissions are not passed on to the process. This is why you select the following option:

    • This application never gets the permissions listed above

    In the section Learn and control application behavior you also specify that browsers learn locally

    • which programs they start,
    • which DLLs they load and
    • which directories they are allowed to write their files to.

Conclusion: With these settings, the applications that are specified in the rule get exactly the rights they need on the respective DriveLock Agent where the application behavior is recorded. In this way it is even possible to learn different download directories for applications on different agents.