
Understanding Endpoint Manager containment and application control

Release Time
10/18/2017
Category
Security Sub-System

Comodo Client Security (CCS) monitors all file activity on the Windows devices enrolled in Endpoint Manager. Every new executable is checked against the Comodo whitelist and blacklist and given a rating of 'Unrecognized', 'Trusted' or 'Malicious'.

Basic Flow:

Files rated 'Unrecognized' are reported in the 'Containment' interface and run inside containment. Files rated 'Trusted' are reported in the 'Application Control' interface and run normally. You can add any number of rules to exclude files from running inside containment; an excluded file is moved to 'Application Control' with the same access rights as a 'Trusted' file. Files rated 'Malicious' are quarantined (killed). Admins can change the rating of a file as required from either the 'Containment' or the 'Application Control' interface.

I) Endpoint Manager 'Containment' Interface

Containment is a secure and isolated environment in which applications are allowed to run with limited access. You can manage contained applications from Endpoint Manager 'Containment' interface.

Containment flow :

1. Click 'Security Sub-Systems' -> 'Containment' to open the 'Containment' interface. Unrecognized files are listed here.

2. File details - The basic details of the selected file are available here.

a. File Info - The name, latest detected path, age, hash, version, and size of the file are displayed in 'File Info'.

b. Device List - The new activity generated during execution of the file is listed here, per device.

3. Export - Downloads the details of the selected file in tabular form as a .csv file.

4. Valkyrie Report - Valkyrie analyzes the complete behavior of unrecognized files, running a range of static and dynamic behavioral checks to determine whether a file is malicious or safe.

Download Valkyrie Report - Downloads the details of the file as a .pdf report.

Check Valkyrie Report - Opens the details of the file for review.

For example, before rating the unrecognized file 'emule.exe', the admin should check its Valkyrie report to understand the full behavior of the unknown file.

Kill Chain Report - If the Valkyrie report is not sufficient to decide on a rating, the administrator can get more detailed information from the Kill Chain report.

5. Change Rating

The 'Change Rating' button lets the admin manually set the file's rating to 'Trusted', 'Malicious' or 'Unrecognized'. The new rating is sent to all endpoints.

For instance, if an 'Unrecognized' file is a known-good application built in-house, the admin might change its rating to 'Trusted'.

6. Manage Record - The 'Record' button lets you hide, display or delete the file from the 'Containment' list.

If the admin has changed the rating of the application to 'Trusted', the file can be hidden from the list, or deleted from the list if it is no longer needed.

II) Endpoint Manager 'Application Control' Interface

Files rated 'Trusted' are reported in the 'Application Control' interface.

You can add any number of rules to exclude files from running inside containment. Such excluded files are moved to 'Application Control' with the same access rights as a 'Trusted' file.

See the following link for excluding files from containment - https://wiki.itarian.com/frontend/web/topic/how-to-white-list-applications-by-path

The interface allows the administrator to manage the trust ratings of applications on the endpoints.
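The rating flow in 'Basic Flow' above and the containment exclusion rules just described can be modelled as a small policy engine. The following is an added example written for this page, not Comodo or ITarian code: the vendor whitelist and blacklist are represented as sets of SHA-256 digests, the 'Change Rating' button as an admin override table that takes precedence over the vendor lists, and exclusion rules as case-insensitive path wildcards. All of those representations, the sample file paths and their contents are assumptions made for the example.

```python
"""Added example: a model of the CCS file-rating flow described on this page.

Illustrative code only, not Comodo/ITarian software. Vendor lists are sets of
SHA-256 digests, 'Change Rating' is an admin override table, and containment
exclusion rules are case-insensitive path wildcards (all assumptions).
"""
import hashlib
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

RATINGS = ("Trusted", "Malicious", "Unrecognized")


def sha256_hex(data: bytes) -> str:
    """Content hash used as the file identity (the page shows a hash under 'File Info')."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class RatingPolicy:
    whitelist: set                                        # digests the vendor list rates 'Trusted'
    blacklist: set                                        # digests the vendor list rates 'Malicious'
    admin_ratings: dict = field(default_factory=dict)    # digest -> rating set via 'Change Rating'
    exclusion_rules: list = field(default_factory=list)  # path wildcards excluded from containment

    def rate(self, digest: str) -> str:
        """Admin override first, then blacklist, then whitelist; anything else is Unrecognized."""
        if digest in self.admin_ratings:
            return self.admin_ratings[digest]
        if digest in self.blacklist:
            return "Malicious"
        if digest in self.whitelist:
            return "Trusted"
        return "Unrecognized"

    def is_excluded(self, path: str) -> bool:
        """Windows paths are case-insensitive, so compare lower-cased; '*' also spans '\\'."""
        p = path.lower()
        return any(fnmatchcase(p, rule.lower()) for rule in self.exclusion_rules)

    def change_rating(self, digest: str, new_rating: str) -> None:
        """The 'Change Rating' button: this override is what gets pushed to every endpoint."""
        if new_rating not in RATINGS:
            raise ValueError(f"unknown rating {new_rating!r}")
        self.admin_ratings[digest] = new_rating


def disposition(policy: RatingPolicy, path: str, digest: str) -> dict:
    """Where a file is reported and how it runs, following the page's Basic Flow."""
    rating = policy.rate(digest)
    if rating == "Malicious":
        return {"rating": rating, "runs": "killed (quarantined)", "interface": None}
    if rating == "Trusted":
        return {"rating": rating, "runs": "outside containment", "interface": "Application Control"}
    if policy.is_excluded(path):
        # Excluded Unrecognized file: runs outside containment with Trusted-equivalent
        # rights and is reported under Application Control; the rating itself is unchanged.
        return {"rating": rating, "runs": "outside containment (excluded)", "interface": "Application Control"}
    return {"rating": rating, "runs": "inside containment", "interface": "Containment"}


# Constructed sample executables; the contents are placeholders, not real binaries.
SAMPLE_FILES = {
    r"C:\Program Files\Vendor\signed_tool.exe": b"constructed: known-good binary",
    r"C:\Users\alice\Downloads\emule.exe": b"constructed: unknown p2p client",
    r"C:\Users\alice\AppData\Local\Temp\dropper.exe": b"constructed: known-bad binary",
    r"C:\BuildTools\internal_build.exe": b"constructed: in-house unknown binary",
}


def build_sample_policy() -> RatingPolicy:
    """Assumed vendor lists plus one path exclusion rule for an in-house build directory."""
    return RatingPolicy(
        whitelist={sha256_hex(SAMPLE_FILES[r"C:\Program Files\Vendor\signed_tool.exe"])},
        blacklist={sha256_hex(SAMPLE_FILES[r"C:\Users\alice\AppData\Local\Temp\dropper.exe"])},
        exclusion_rules=[r"C:\BuildTools\*.exe"],
    )


def triage(policy: RatingPolicy, files: dict) -> dict:
    """Rate every file and return path -> disposition."""
    return {path: disposition(policy, path, sha256_hex(data)) for path, data in files.items()}


if __name__ == "__main__":
    policy = build_sample_policy()
    for path, d in triage(policy, SAMPLE_FILES).items():
        print(f"{d['rating']:<12} {d['interface'] or '-':<19} {d['runs']:<32} {path}")
    # The admin reviews the Valkyrie report for emule.exe and decides it is good.
    emule = sha256_hex(SAMPLE_FILES[r"C:\Users\alice\Downloads\emule.exe"])
    policy.change_rating(emule, "Trusted")
    print("after Change Rating:", disposition(policy, r"C:\Users\alice\Downloads\emule.exe", emule))
```

Run as a script, the first table shows the four outcomes the page describes (Trusted in Application Control, Unrecognized in Containment, Malicious killed, and an excluded Unrecognized file running outside containment but still rated Unrecognized); the last line shows the same emule.exe moving to Application Control once the admin override is set. Note that the exclusion rule is matched on path, not on hash, so anything dropped into the excluded directory also escapes containment; that is the trade-off to weigh when writing path-based exclusions.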

Application Control FlowChart:

1. Click 'Security Sub-Systems' -> 'Application Control' to open the 'Application Control' interface. Files running outside containment are listed here.

2. File details - The basic details of the selected file are available here.

a. File Info - The name, path, age, hash, version, and size of the file are displayed in 'File Info'.

b. Device List - The new activity generated during execution of the file is listed here, per device.

3. Export - Downloads the details of the selected file in tabular form as a .csv file.

4. Change Rating - The 'Change Rating' button lets you manually set the file's rating to 'Trusted', 'Malicious' or 'Unrecognized'. The new rating is sent to all endpoints.

For instance, if a file currently rated 'Trusted' turns out to be unwanted on the endpoints, the administrator can change its rating to 'Unrecognized' so that it runs inside containment, or to 'Malicious' so that it is quarantined.

5. Manage Record

The 'Record' button lets you hide, display or delete the file from the 'Application Control' list.

If the admin has changed the rating of the application, the file can be hidden from the list, or deleted from the list if it is no longer needed.

The overall flow of Containment and Application Control: