Endpoint Central's Application Control provides a robust layer of security by restricting the execution of unauthorized applications. This document delves into the specifications of the agent processes and the core mechanisms behind Application Control, helping you understand how it safeguards your endpoints.
| Agent Process | Running Application Name | Bandwidth Consumption (Approximately) | CPU Consumption (Approximately) | Memory Consumption (Approximately) |
|---|---|---|---|---|
| Application Processing server | Verifytrustedfiles.exe | Will download the configuration in the dcconfig exe | 0.25-0.3% | 30 MB |
| Application Scanner | Dcprocmon.exe | 100-200 KB | 0.3% | 6-24 MB |
| Process Notifier | AppCtrlToast.exe | NA | 0-1% | 20 MB |
| ACP Driver Control | DriverCtrl.exe | NA | 0-0.18% | 1-2 MB |
| ACP Privileger | Privilager.exe | NA | 0-1.4% | 1-1.5 MB |
| Component Upgrade | dcconfig.exe | 3.5 MB | 0-1% | 1 MB |
After agent installation, a one-time scan is initiated. It identifies and collects verified .exe files located within the Program Files and Program Files (x86) directories and the running processes. The duration of the scan is influenced by the number of applications installed on the endpoint. The gathered data becomes readily accessible in the web console. Once an application control policy is deployed, running applications are continuously monitored. Newly installed applications will only be detected if a policy is in place. The central server automatically removes applications inactive for 90 days.
When an Application Control policy is created, it is deployed in the following two options:
Policy modifications, deletions, group changes, and unmanaged application updates are synchronized with agent machines during refresh cycles. In environments with a Distribution Server, policies and configurations are replicated to the Distribution Server and then synchronized with agent machines during the 90-minute refresh cycle.
When a user requests access to an unmanaged application, a request is immediately sent to the server for administrator approval. Once approved, the application will be accessible to the user immediately.
The Application Control policy will be received in the agent and is enforced by the kernel mode driver named acp_driver. The driver filters through the newly created processes and allows only the authorized applications to run according to the deployed policy. The policy will be enforced on the .exe and .msi applications. The audited and blocked application events will be posted in the 90-min refresh cycle.
When conflicting allowlist and blocklist policies are applied to the same target group, the blocklisted applications have higher precedence over the allowlisted applications. The following is the order of precedence:
For Example: If the application Google Chrome is associated with an allowlist and a blocklist, the application will be blocked in the target machines.
When a target machine is a member of multiple custom groups, one with Audit mode and another with Strict mode, the machine will be deployed with Strict mode.
Just-In-Time policies provide time-bound access provision for specified applications. The driver facilitates the execution of these applications on deployed machines, with access being automatically terminated after the specified duration.
