Managing Apps in White Cloud Security
A brief guide to the day-to-day management of applications.
Blocked Apps
We see that we have four alerts in one of our subgroups. Click the "Blocked Apps" button.
Now, you are presented with alerts related to programs that were blocked in one of your systems at the subgroup "ziggy test". You can also access the Blocked Apps menu by clicking the red lock at the top of the menu.
A brief note about Blocked Apps Exceptions: When a program is blocked, it usually means that you are in Blocking Mode and the program has not been added to your Trust-List.
Monitor Mode Exceptions
Click "MONITOR MODE EXCEPTIONS" to navigate to the exceptions menu.
You are now at the Monitor Mode Exceptions menu; in this case the computer does not display any alerts right now.
A brief note about Monitor Mode Exceptions: Monitor Mode Exceptions are alerts generated by programs that are neither approved in your Trust-List nor inherited from your Security Group. The distinction from Blocked Apps is that blocked apps are blocked instantly and you have to unblock them before they can run. A Monitor Mode Exception is not blocked; it is just a policy alert for an active program.
Monitor Mode Exceptions are examples of what an Intrusion Detection System (IDS) would do, i.e. alerting the administrator but not taking any action.
Blocking Mode Exceptions are examples of what an Intrusion Prevention System (IPS) would do: taking action and blocking malicious activity proactively.
Trusted Apps Run History
The "Trusted Apps Run History" button shows you in real time what programs are being executed on your system or systems. It is very useful if you trust a CERT and want to know which programs are connected to that cert, by filtering by CERT Thumbprint or CERT Name.
Trusting an App
We want to trust Spotify.exe, but we do not want to trust the certificate. Click the app alert.
Click "App" to trust this file through its handprint. By trusting a program as an app, we are trusting that individual file only, unlike trusting a certificate, which means trusting all the apps that are signed with that same certificate.
Click "Show More Edit Options" to introduce more details.
Click the "Enter a Description" field to enter a "Description" and a "Home Page URL".
Click "Trust This App" to add this program to your Trust-List.
Click "Show Trust-Lists" to access your Trust-List.
Click "Apps" to expand the trusted apps items in your Trust-List.
Here is the program just trusted as an "App", including the description added by the administrator. Click on it to see more details.
Scroll down and click the name of the program to see more information and options for research, analysis and more.
Here is the new menu, which now contains more information such as the file length, name and directory. You can also navigate to VirusTotal for further analysis.
Distrusting an App from your Trust-List
Click "Distrust" if you decide that you do not want this app trusted in your Trust-List anymore. This means that if you are in Blocking Mode, your users in this group will not be able to use this app.
Removing an App from your Trust-List
Click "Disable App" if you want to remove this app from your Trust-List completely.
Click "Disable It"
Trusting Installers
Click "Installer" if you are going to install a program. If you trust an installer only as an app, the installer may be limited and may fail (not always the case) when one of its components is blocked during setup; the Installer option lets you add depth so that its children are trusted too.
Click the "Depth" field to adjust the depth. Usually, 6 levels of depth work well.
Click "Trust as Installer" after you have selected the source of your trust from the dropdown menu.
Trusting Children
Programs tend to use many components to operate well on a system, and if those files are blocked it will usually prevent the "Parent" program from running well, or at all. In this case, we have a .dll file that depends on the program "PhoneExperienceHost.exe" from Microsoft to run. Another example is Adobe software, which uses many JS files as child processes. Click "As Trusted Child" to see more information.
We can see more information about the Parent App. You can click it to see whether it has been trusted in the past by someone else in your Trust-List, where its trust comes from, and more.
Now, if you decide to trust the Parent App, be aware that you will automatically trust all of the components that came with it and were blocked.
Click "Auto-Trust Children" if you want to move forward and add this Parent App to your Trust-List.
Click "Trust its Children"
Click "Show Trust-Lists" and then click "Apps" to expand your Trust-List.
You just added a new app to your Trust-List. Click to see more information.
Notice that you will only see the Parent App and its CERT instead of all the components that came with it.
Monitored Children
What is a Monitored Child? Simply stated, Monitored Children are programs that will run in Monitor Mode even if the system is protected.
Monitored Children operate with only one level of depth and all Monitored Children apps are reported to the service by the WCS Agent. They are recorded as Monitored Children and allowed to run, even in Blocking Mode.
One major difference between Monitored Children and Trusted Children is that once an endpoint picks up the Trust Policy for the Handprint for a Parent App, the WCS Agent will not report Trusted Children to the service until they exceed the depth level setting for that Parent.
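To make the depth rules concrete, here is a small model (added here, not WCS code) of how a trust decision can be derived from a process ancestry: an "App" entry covers one handprint, an "Installer" entry covers descendants down to its depth, and a "Monitored Children" entry lets direct children run but reports them. The handprints, process names, depth value and verdict labels are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
@dataclass
class TrustEntry:
    kind: str        # "app", "installer" or "monitored_children"
    depth: int = 0   # generations an installer entry covers

@dataclass
class Process:
    name: str
    handprint: str   # constructed stand-in for the WCS file handprint
    parent: Optional["Process"] = None

def decide(proc: Process, trust_list: Dict[str, TrustEntry],
           blocking_mode: bool = True) -> Tuple[str, str]:
    """Return (verdict, reason): 'allow', 'monitor' (runs but reported) or 'block'."""
    entry = trust_list.get(proc.handprint)
    if entry is not None:                        # trusted by its own handprint
        return "allow", f"{proc.name} trusted as {entry.kind}"
    generation, ancestor = 1, proc.parent
    while ancestor is not None:                  # look for an inherited grant
        grant = trust_list.get(ancestor.handprint)
        if grant is not None:
            if grant.kind == "installer" and generation <= grant.depth:
                # Trusted Child: allowed, not reported until the depth is exceeded
                return "allow", (f"{proc.name} is generation {generation} under "
                                 f"installer {ancestor.name} (depth {grant.depth})")
            if grant.kind == "monitored_children" and generation == 1:
                # Monitored Child: one level only, runs even in Blocking Mode, reported
                return "monitor", f"{proc.name} is a monitored child of {ancestor.name}"
        generation, ancestor = generation + 1, ancestor.parent
    if blocking_mode:
        return "block", f"{proc.name} is not on the Trust-List (Blocked App)"
    return "monitor", f"{proc.name} is not on the Trust-List (Monitor Mode Exception)"

# Constructed Trust-List and process tree mirroring the guide's scenarios.
TRUST_LIST = {"hp-spotify": TrustEntry("app"),
              "hp-chromesetup": TrustEntry("installer", depth=2),
              "hp-phonehost": TrustEntry("monitored_children")}
setup = Process("ChromeSetup.exe", "hp-chromesetup")
stage2 = Process("setup.exe", "hp-stage2", setup)                 # generation 1
chrome = Process("chrome.exe", "hp-chrome", stage2)               # generation 2
crashpad = Process("crashpad.exe", "hp-crashpad", chrome)         # generation 3 > depth
phone = Process("PhoneExperienceHost.exe", "hp-phonehost")
component = Process("component.dll", "hp-component", phone)       # monitored child
grandchild = Process("child2.exe", "hp-child2", component)        # beyond one level
def run_sample(blocking_mode: bool = True) -> Dict[str, str]:
    procs = [Process("Spotify.exe", "hp-spotify"), setup, stage2, chrome,
             crashpad, phone, component, grandchild]
    return {p.name: decide(p, TRUST_LIST, blocking_mode)[0] for p in procs}
```

Running `run_sample()` shows the installer's first two generations allowed, the third generation blocked, the .dll under the monitored parent allowed but reported, and its own child blocked; with `blocking_mode=False` the blocked entries become Monitor Mode Exceptions instead.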
Click "As Monitored Child" to introduce more information.
Click "Monitor Children"
Click "Show More Edit Options"
You can scroll and see where this app is located.
Click the "Enter a Description" field.
Click "Monitor Children" if you want to add this program as a "Monitored Child".
Creating Reports
If you want to have a report of your blocked apps, you can click the "Download" button to download a report of your blocked items in that subgroup.
Export Fingerprints
Click "Export" if you want to download the fingerprints of your blocked list, which is useful if you want to import those fingerprints into another group.
Trust Apps Menu
Click "Trust Apps" to see all of your apps in your list right now. You can trust signed and unsigned apps in this section.
I want to trust everything that comes from Google Chrome, so I select Google.
I also want to trust the ChromeSetup.exe program down below.
After I fill in the information, I choose whether I want it trusted immediately after uploading it to the Trust-List, or any of the other options given by the dropdown.
Click "Upload" after you have chosen where to upload the trust.
If you go to your Trust-List, you will see that Google Chrome was added together with all of the files you selected to this new Trust-List item.
Types of Blocks
Now, let's say that you want to block an app permanently or temporarily. Click the red lock on the app options menu.
Stop for Host and Stop for Group (Soft Block): This kind of block is not permanent; it lasts only a certain amount of time, but it has the same impact as a hard block. You can block an app on one computer only or in the entire group.
Malware, Denied, and Distrusted (Hard Block): This kind of block is permanent and it will block a program even if you are in Monitor Mode (No Protection). The difference between a Soft Block and a Hard Block is that the Hard Block propagates to all of your groups below the one you add it to. For example, if you add it at the top of your inheritance tree, it applies to all groups within that tree, which is something the Soft Block will not do.
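As an added illustration (not WCS code), this small model applies the two block categories to a constructed group inheritance tree: Soft Blocks are scoped to one host or one group and lapse after a time, while Hard Blocks are permanent, apply even in Monitor Mode and propagate to every group below the one they were added to. The group names, handprints and expiry times are constructed; the guide only attributes the Monitor Mode override to Hard Blocks, so the model assumes a Soft Block acts in Blocking Mode only.

```python
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed inheritance tree: group -> parent group (None at the top).
GROUP_PARENT = {"Company": None, "Engineering": "Company", "Sales": "Company",
                "ziggy test": "Engineering", "lab": "ziggy test"}
SOFT = {"Stop for Host", "Stop for Group"}        # time-limited, no propagation
HARD = {"Malware", "Denied", "Distrusted"}        # permanent, propagates downward

@dataclass
class Block:
    handprint: str
    kind: str                                     # one of SOFT or HARD
    group: str                                    # group where the block was added
    host: Optional[str] = None                    # set only for "Stop for Host"
    expires_at: Optional[int] = None              # soft blocks: constructed epoch seconds

def lineage(group: str) -> Iterator[str]:
    """Yield the group and every group above it in the inheritance tree."""
    while group is not None:
        yield group
        group = GROUP_PARENT[group]

def is_blocked(handprint: str, host: str, group: str, now: int,
               blocking_mode: bool, blocks: List[Block]) -> Tuple[bool, Optional[str]]:
    """Return (blocked?, kind) for a program seen on a host in a group at time `now`."""
    for b in blocks:
        if b.handprint != handprint:
            continue
        if b.kind in HARD:
            # Hard Block: applies in Monitor Mode too, and to every group below its origin.
            if b.group in lineage(group):
                return True, b.kind
        elif b.kind in SOFT and blocking_mode:
            # Assumption: a Soft Block only bites in Blocking Mode (see lead-in).
            if b.expires_at is not None and now >= b.expires_at:
                continue                                  # soft block has lapsed
            if b.kind == "Stop for Host" and b.host == host:
                return True, b.kind
            if b.kind == "Stop for Group" and b.group == group:
                return True, b.kind
    return False, None

# Constructed blocks: a soft group block in "ziggy test", a soft host block, a hard block at the top.
BLOCKS = [
    Block("hp-updater", "Stop for Group", "ziggy test", expires_at=1_700_003_600),
    Block("hp-tool", "Stop for Host", "Sales", host="DESKTOP-D1F5EE5", expires_at=1_700_003_600),
    Block("hp-dropper", "Malware", "Company"),
]
```

Evaluating `is_blocked` for the subgroup "lab" shows the contrast: the Soft Block added in "ziggy test" does not reach it, while the Malware block added at "Company" does, even with `blocking_mode=False`.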
Archiving Apps
If you want to clear your list of alerts, you can do it in two ways. You can clear alerts individually by clicking the button that shows up when you hover over the zone selected by the blue arrow in the image down below.
Right-clicking the "Archive" button shows different archive options to choose from:
Archive This App's Events: It will archive events for only that specific app.
This app and All Older Events: It will archive all the alerts in the list.
Archive This App's Events for Host: It will archive app events for that computer specifically.
This App and Older Events for Host: It will archive all the apps and older events for that specific computer.
Click "Archived" if you want to see all the alerts you archived.
Click the "Live" radio button or use the dropdown, depending on your preference, to see your live events that have not been archived.
App List Date Range
If you need to go back in time and see what apps you archived, or what apps were in the Blocked Apps or Monitor Mode events, you can use the calendar functionality to set specific dates.
The second element is the "Open Pivot Table" button, which we cover next.
Pivot Table
The Pivot Table is incredibly useful when you have to deal with hundreds or even thousands of events at a very fast pace (ideal for Incident Responders who want to map a potential threat). When time is critical and limited, the Pivot Table allows you to organize and filter large varieties of information. To your left (Blue Zone) you have tags that you can drag and drop onto the white zone to display the information contained in each tag.
Note: The Pivot Table uses all of your alert list, which can include your Blocked Apps or your Monitor Mode Exceptions list.
You can get extremely detailed about every single piece of information you want to filter, making the Pivot Table a very valuable and very powerful tool. You can also filter through every tag with the help of their individual arrows. In the next section we will show you what that looks like.
In this case we are filtering by CERT Name allowing us to see all of the CERTs present. I want to see only the Google apps signed by Google, so I uncheck the "Google LLC" checkbox.
Then I click "Invert and Apply" to uncheck everything and only check "Google LLC".
Using filters, we now see ONLY the apps signed by Google LLC; in this example we are looking at "Blocked" events from the subgroup "ziggy test". Using tags, we can see a lot of information about this Google app and where it has been used. These Google apps were seen on DESKTOP-D1F5EE5 in the subgroup ziggy test; their Parent App is updater.exe; we see the pathnames where this happened, which end user ran them, whether any of those files have hits in VirusTotal (vtPositives), where the Parent App is located, and more. You can also use the "Refresh Table" button to refresh your table so that it reflects what you have in your Monitor Mode or Blocked Apps list.
Click "Reload It!". If you were checking 200 alerts and suddenly noticed that 300 more alerts had arrived in your alert list, you can click "Refresh Table" and then "Reload It!". Those 300 new alerts will immediately be fed into your existing Pivot Table. (This process is not automatic.)
Recently Viewed Subgroups
If you need to go quickly to one of the groups that you recently checked, your recently viewed subgroups are recorded, allowing you to navigate through them quickly. This list does not persist after you close your session.