
Application Control - General Query

Hi All,

I have created a policy within Enterprise Console (5.2.1 R2) to detect (but allow to run) all applications that users on our network may be using. I am slightly concerned that this may result in the creation of large log files on the Enterprise Console Server.

Does anyone know where these events are logged and is it likely to impact on the performance of the Enterprise Console Server and/or the client PC? We have approximately 600 client PCs.

Any pointers on how long I should let this policy run or best practice in this area would be much appreciated.

Many thanks,

JP

:50022


  • Hello JP,

    alerts and events are stored in the database - no logs are created. While this has some impact, monitoring for a limited time (a few days) shouldn't be a problem given the number of endpoints. BTW: You can scan for the applications present on the endpoints with a scheduled scan.

    Perhaps you should assign the policy to a typical group of computers to see how many events are created. You'll likely want to authorize your frequently used and permissible "standard" applications (browser, PDF Viewer, Office suite) before assigning the policy to all your endpoints to reduce the number of events.

    Please also note that Detect but allow to run is a global setting - thus you can't monitor a certain type and block another. Feel free to ask if you have more questions.

     Christian

    :50026
  • Hi Christian,

    Thank you for your prompt reply. It has given me a much better idea on how to shape any Application Control policy we may wish to deploy to our client PCs in the future. I'm currently in a testing phase and I'm feeling out the capabilities of the various policies which can be imposed on our network PCs.

    One other thing though. As I'm detecting the applications, but still letting them run, I can see entries in the endpoint PC's Quarantine area in the SAV GUI. If I return everything back to its previous state, i.e. Application Control disabled, will these entries be flushed from Quarantine?

    Many thanks for your time and assistance,

    JP

    :50032

    2 x SG450 (Version 9.714-4)

    HA = Active-Passive

  • Hello JP,

    Application Control disabled ... will these entries be flushed from Quarantine?

    dunno, never checked ... sooo ... no! It's not disabling Application Control which will remove these entries, but Authorizing the application does (whether AppC is enabled or not).

    Christian

    :50034
  • Hi Christian,

    Thanks for the input. Will definitely bear that in mind when putting together an Application Control Policy.

    Best regards,

    JP

    :50042

    2 x SG450 (Version 9.714-4)

    HA = Active-Passive