How do you stop unwanted programs from loading at startup? Should you use SWG Application Control?
SWG Application Control
Application Control is a feature of SWG 3.5 and higher. It can be enabled in the Control Panel under Windows Firewall. Application Control uses the publisher's code-signing certificate to decide whether an application is allowed to start.
This is useful in environments where you want to restrict access to certain applications, or where you want to ensure that only specific applications are allowed to start with Windows. Application Control is disabled by default.
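As an added example that is not part of the original article, the following PowerShell enumerates the common Windows startup locations (the Run and RunOnce registry keys plus the per-user and common Startup folders), resolves each entry to its executable and decides allow or deny from the Authenticode publisher, which is the signal the text above says Application Control uses. The allowed-publisher list, the decision labels and the function names are assumptions made for this example.

```powershell
# Added example, not code from the article or the SWG product.
# Decide allow/deny for startup entries from the Authenticode publisher.
# The allowed-publisher subjects below are an assumption for illustration.
$AllowedPublishers = @(
    'CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US',
    'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
)

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

function Resolve-StartupCommand {
    # Pull the executable out of a Run-key command line such as
    #   "C:\Program Files\Vendor\app.exe" /silent   or   C:\tools\x.exe -a
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+\.(exe|com|bat|cmd|vbs|ps1))') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

function Get-StartupEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            [pscustomobject]@{ Source = $key; Name = $p.Name; Path = Resolve-StartupCommand $p.Value }
        }
    }
    foreach ($folder in $StartupFolders) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -File | ForEach-Object {
            $target = $_.FullName
            if ($_.Extension -eq '.lnk') {
                # Follow shortcuts to the real executable
                $target = (New-Object -ComObject WScript.Shell).CreateShortcut($_.FullName).TargetPath
            }
            [pscustomobject]@{ Source = $folder; Name = $_.Name; Path = $target }
        }
    }
}

function Test-StartupEntry {
    # Allow only when the signature is valid AND the signer subject is on the list.
    param([pscustomobject]$Entry)
    $path = [Environment]::ExpandEnvironmentVariables([string]$Entry.Path)
    if ([string]::IsNullOrWhiteSpace($path) -or -not (Test-Path -LiteralPath $path)) {
        return $Entry | Add-Member -NotePropertyName Decision -NotePropertyValue 'Deny (file missing)' -PassThru
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    $publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $decision = if ($sig.Status -eq 'Valid' -and $AllowedPublishers -contains $publisher) { 'Allow' }
                else { "Deny ($($sig.Status); $publisher)" }
    $Entry |
        Add-Member -NotePropertyName Publisher -NotePropertyValue $publisher -PassThru |
        Add-Member -NotePropertyName Decision  -NotePropertyValue $decision  -PassThru
}

Get-StartupEntries | ForEach-Object { Test-StartupEntry $_ } |
    Format-Table Name, Decision, Path -AutoSize
```

Run it from an elevated prompt so the HKLM keys and every shortcut target are readable. Keep in mind what a publisher-based decision does and does not give you: everything signed by an allowed publisher is trusted, including script hosts and other general-purpose tools from the same vendor, so a publisher allowlist alone does not restrict what those tools go on to launch.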
Custom rule type
Application Control also supports a custom rule type in which you specify the executable name(s) to add to your list of allowed applications. In this example we allow two programs (the Windows Management Instrumentation service and the MOM Server service) and deny everything else.
We also created a custom rule for our own application, 'SysInternalApp'. This shows how little work it takes to restrict specific programs, or to allow only a fixed set of applications. The obvious follow-up question: what happens when a program is started by another process rather than directly by the user?
Application Control evaluates its rules for each process as it starts, whether a user or another process launched it. What changes is how an allowed parent affects its children. With 'Allow indirect access' checked in the General tab, a process spawned by an allowed application is permitted as well, even when it has no rule of its own; the rules are then effectively checked only for the application the user starts. That is convenient, but it also means that a malicious program which has been allowed, or which abuses an allowed program, can launch further executables without Application Control blocking them.
The following demonstrates the behaviour when we uncheck 'Allow indirect access'. With only ProcessB on the allowed list, starting ProcessA is blocked even though the allowed ProcessB launched it, because ProcessA has no rule of its own. The same happens to ProcessB when it is launched by an allowed ProcessA. Once ProcessA, ProcessB and ProcessC are all on the allowed list, the whole chain starts without a problem.
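To make the custom rule type and the 'Allow indirect access' behaviour concrete, here is an added PowerShell example (not code from the article or the SWG product). It models the rules as a name-based allowlist, evaluates a process against them either strictly or with indirect access (walking up the parent chain and inheriting an ancestor's allow decision), and runs that evaluation both over a constructed ProcessA/B/C sample mirroring the walkthrough above and over the live process tree from Win32_Process. The process names on the allowlist and the function names are assumptions made for the example.

```powershell
# Added example, not code from the article or the SWG product.
# Name-based allow rules (the article's custom rule type); everything else is denied.
# The names below are illustrative.
$AllowedNames = @('explorer.exe', 'winlogon.exe', 'svchost.exe', 'SysInternalApp.exe')

function Get-ProcessTable {
    # Snapshot of PID -> (name, parent PID); Win32_Process exposes ParentProcessId.
    $table = @{}
    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $table[[int]$_.ProcessId] = [pscustomobject]@{
            Pid       = [int]$_.ProcessId
            Name      = $_.Name
            ParentPid = [int]$_.ParentProcessId
        }
    }
    return $table
}

function Test-ProcessAllowed {
    # Strict mode: the process itself must match a rule.
    # -AllowIndirect: a process also passes if any ancestor matched a rule,
    # which is the behaviour the article describes for 'Allow indirect access'.
    param(
        [hashtable]$Table,
        [int]$ProcessId,
        [string[]]$Allowed,
        [switch]$AllowIndirect
    )
    $proc = $Table[$ProcessId]
    if (-not $proc) { return 'Deny (not found)' }
    if ($Allowed -contains $proc.Name) { return 'Allow (rule match)' }
    if ($AllowIndirect) {
        $seen = @{}   # guards against PID reuse producing a cycle
        $cur = $proc
        while ($cur.ParentPid -ne 0 -and $Table.ContainsKey($cur.ParentPid) -and -not $seen[$cur.ParentPid]) {
            $seen[$cur.ParentPid] = $true
            $cur = $Table[$cur.ParentPid]
            if ($Allowed -contains $cur.Name) { return "Allow (indirect via $($cur.Name))" }
        }
    }
    return 'Deny'
}

# Constructed sample reproducing the article's chain: ProcessC -> ProcessB -> ProcessA.
$sample = @{
    1 = [pscustomobject]@{ Pid = 1; Name = 'ProcessC.exe'; ParentPid = 0 }
    2 = [pscustomobject]@{ Pid = 2; Name = 'ProcessB.exe'; ParentPid = 1 }
    3 = [pscustomobject]@{ Pid = 3; Name = 'ProcessA.exe'; ParentPid = 2 }
}
"ProcessA, only ProcessB allowed, strict:   " + (Test-ProcessAllowed -Table $sample -ProcessId 3 -Allowed @('ProcessB.exe'))
"ProcessA, only ProcessB allowed, indirect: " + (Test-ProcessAllowed -Table $sample -ProcessId 3 -Allowed @('ProcessB.exe') -AllowIndirect)
"ProcessA, A/B/C allowed, strict:           " + (Test-ProcessAllowed -Table $sample -ProcessId 3 -Allowed @('ProcessA.exe', 'ProcessB.exe', 'ProcessC.exe'))

# Same evaluation over the live process tree, showing both modes side by side.
$live = Get-ProcessTable
$live.Values | Sort-Object Pid | ForEach-Object {
    [pscustomobject]@{
        Pid      = $_.Pid
        Name     = $_.Name
        Parent   = if ($live.ContainsKey($_.ParentPid)) { $live[$_.ParentPid].Name } else { '?' }
        Strict   = Test-ProcessAllowed -Table $live -ProcessId $_.Pid -Allowed $AllowedNames
        Indirect = Test-ProcessAllowed -Table $live -ProcessId $_.Pid -Allowed $AllowedNames -AllowIndirect
    }
} | Format-Table -AutoSize
```

The Strict and Indirect columns of the live listing make the trade-off visible: with indirect access, anything descended from explorer.exe (that is, everything a user double-clicks) passes, which is exactly why the walkthrough unchecks the option before testing the rules.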
Advanced Security: Application Control
Application Control – Denied: this log records every blocked start, with the executable name and the user that started it. Allowed applications do not appear here.
Application Control – Allowed: this log lists every application that Application Control permitted, together with the publisher certificate that matched the allow rule. Use it to verify why a given application is allowed to start.
You can also configure Application Control to create audit-only events in the Windows event log: decisions are logged but not enforced, so you can see which applications would be allowed or blocked before you turn enforcement on.
AppLocker has an audit-only mode as well. The main difference is the rule model: AppLocker rules are publisher, path or file hash rules, and it has no equivalent of the free-form custom rule type described above (a path rule on the executable name is the closest match).
In that sense AppLocker gives you a stricter, more predictable rule set. It is not the case, however, that only Application Control can block programs: AppLocker supports explicit deny rules too, so both products can restrict specific programs or processes. Choose Application Control if you need its custom rules and the indirect-access control described above; otherwise AppLocker, which ships with the Enterprise editions of Windows and with Windows Server, does the job.
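As an added example (not code from the article, from SWG or from Microsoft's documentation), the following PowerShell shows the AppLocker side of the comparison: it builds publisher rules for a set of startup executables, switches the Exe rule collection to AuditOnly before applying it so nothing is enforced yet, checks a candidate file against the policy, and then reads the audit trail back from the AppLocker event log, where event 8002 means allowed, 8003 means "would have been blocked" (audit) and 8004 means blocked. It assumes an elevated prompt on a Windows edition that ships AppLocker, that the Application Identity service (AppIDSvc) is running, a policy path under %TEMP%, and a constructed list of executables to allow.

```powershell
# Added example, not code from the article, SWG or Microsoft.
# Requires: elevated prompt, an edition with AppLocker, AppIDSvc running.
$PolicyPath = "$env:TEMP\startup-applocker.xml"   # assumption: where to write the policy

# 1. Constructed list of programs to allow (replace with your real startup entries).
$StartupExecutables = @(
    "$env:windir\explorer.exe",
    "$env:windir\System32\ctfmon.exe"
) | Where-Object { Test-Path $_ }

$fileInfo = Get-AppLockerFileInformation -Path $StartupExecutables

# 2. Generate publisher rules, falling back to hash rules for unsigned files,
#    and return the policy as XML text.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -RuleNamePrefix Startup -Optimize -Xml

# 3. Set the Exe collection to AuditOnly so the policy logs but does not enforce.
$doc = [xml]$policyXml
foreach ($rc in $doc.AppLockerPolicy.RuleCollection) {
    if ($rc.Type -eq 'Exe') { $rc.EnforcementMode = 'AuditOnly' }
}
$doc.Save($PolicyPath)

# 4. Dry-run a candidate against the policy, then merge the policy into the local one.
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path "$env:windir\System32\notepad.exe" -User Everyone
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge

# 5. Read the decisions AppLocker logged. 8002 = allowed, 8003 = audit (would block), 8004 = blocked.
function Get-AppLockerDecisions {
    param([int]$MaxEvents = 50)
    Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -in 8002, 8003, 8004 } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $data = $x.Event.UserData.RuleAndFileData
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Decision = switch ($_.Id) { 8002 { 'Allowed' } 8003 { 'Audit: would block' } 8004 { 'Blocked' } }
                File     = $data.FilePath
                User     = $data.TargetUser
                Rule     = $data.RuleName
            }
        }
}

Get-AppLockerDecisions | Format-Table -AutoSize
```

Run the machine in audit mode until the 8003 events stop surprising you, then change EnforcementMode to Enabled in the XML and re-apply. The Rule column is the AppLocker counterpart of the publisher certificate shown in the Application Control – Allowed log: it tells you which rule, and therefore which publisher, let a program start.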