
App Control: How To Configure App Volumes

Environment

  • App Control Agent: 8.7.4 and Higher
  • App Control Console: All Supported Versions

Objective

Configuring App Control to work with App Volumes

Resolution

Create the following Agent Config to apply the automatic AppStack detection setting to all of your endpoints:

  1. Log in to your App Control Console.
  2. Navigate to: https://YourServer/agent_config.php
  3. Click Add Agent Config and enter the following details:
    • Property Name: appstack_autoapprove
    • Host ID: 0
    • Value: appstack_autoapprove=1
    • Status: Enabled
  4. Save.
To prevent attackers from making standard drives appear to be App Volumes and thereby circumventing the default-deny capabilities of App Control, it is recommended that you enable the VMware App Volumes Protection Rapid Config. This Rapid Config prevents users from creating junction points under c:\SnapVolumesTemp\MountPoints\.

Writable Volumes and App Volume Configuration:

When App Volumes applications are present on the desktop, all writes that are happening on the desktop to any files and the registry are redirected to a writable volume. In the absence of a writable volume, an implicit writable volume (a scratch space) is created on C:\{00000000-0000-0000-0000-000000000000}\SVROOT that will keep all the changes. This may have a negative effect on the path-based approvals. Modified files will not be approved after virtualization is started because the actual file path will be different from the approved path.

App Control does not support Writable Volumes. To prevent the App Control agent database from becoming corrupted, you must exclude App Control from being copied to a Writable Volume. Add the entries below to the App Volumes snapvol.cfg file, which is typically found in one of these locations (per this KB):

%SVAgent%\Config\Default\snapvol.cfg
%SVAgent%\Config\Custom\snapvol.cfg

Please add the following:

# Parity
exclude_path=\ProgramData\Bit9
exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ParityDriver
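A small validator for the snapvol.cfg exclusions above, added here as an example rather than anything shipped with App Volumes or App Control. It assumes the file format shown in the excerpt (one key=value per line, `#` starting a comment) and compares the Windows paths case-insensitively; the sample configuration is constructed for the example.

```python
# Exclusions the KB above says must be present in snapvol.cfg so the
# App Control agent database and driver key are never redirected into a
# Writable Volume.
REQUIRED_EXCLUSIONS = {
    "exclude_path": r"\ProgramData\Bit9",
    "exclude_registry": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ParityDriver",
}


def parse_snapvol(text):
    """Parse snapvol.cfg text into {key: [values]}.

    Assumption (from the excerpt above): one key=value per line, lines
    starting with '#' are comments, and a key may repeat (e.g. several
    exclude_path lines).
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key=value line; ignore
        entries.setdefault(key.strip().lower(), []).append(value.strip())
    return entries


def missing_exclusions(text):
    """Return the (key, value) pairs from REQUIRED_EXCLUSIONS not found in text."""
    entries = parse_snapvol(text)
    missing = []
    for key, value in REQUIRED_EXCLUSIONS.items():
        # Windows paths and registry paths are case-insensitive.
        present = {v.lower() for v in entries.get(key, [])}
        if value.lower() not in present:
            missing.append((key, value))
    return missing


# Constructed sample: a config that has the path exclusion but still
# lacks the ParityDriver registry exclusion.
SAMPLE_CFG = r"""# constructed sample snapvol.cfg
exclude_path=\Windows\Temp
# Parity
exclude_path=\ProgramData\Bit9
"""

if __name__ == "__main__":
    for key, value in missing_exclusions(SAMPLE_CFG):
        print(f"missing in snapvol.cfg: {key}={value}")
```

Run it against the real file on an image (for example by reading %SVAgent%\Config\Custom\snapvol.cfg into `missing_exclusions`) before sealing the Writable Volume template.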

Additional Notes

The property, "appstack_autoapprove=1" enables the Agent to automatically detect AppStacks. When enabled, the Agent allows all interesting files within the AppStack volume to execute. This means that all App Control rules are ignored on the AppStack volume. The assumption is that the AppStack is a Gold Image of applications that the organization wants to allow to run in the environment and should therefore be allowed to execute.

By default, when the Agent detects a new volume, it automatically scans the volume for files, hashes those files, and then sends data about the files to the App Control Server. This has a performance impact on the machine, and would happen each time the AppStack is loaded. Because of the nature of AppStack volumes and App Control’s scanning of newly detected files, App Control defaults to not scanning the AppStack volume. This is the recommended configuration. If you prefer to have files scanned on every instantiation of the AppStack, you must create a configuration property using the following settings: (IMPORTANT: This is NOT recommended)
  1. Navigate to https://YourServer/agent_config.php
  2. Add a new configuration with the following settings:
    1. Property Name: appvolume_enablescan
    2. Host ID: 0
    3. Value: appvolume_enablescan=1
    4. Status: Enabled
  3. Save.

Article Information
Creation Date: 07-20-2022