App Control: Trusted Directory Usage and Limitations

Environment

App Control Server: 7.x - 8.x
Microsoft Windows Server: All Supported Versions
Linux: All Supported Versions

Question

How do Trusted Directories work and what are they used for?

Answer

Trusted Directory usage is intended to augment the default-deny capability of the App Control product. It is intended to approve executables in situations where custom rules will not suffice to locally approve a binary. It is not intended as a way to catalogue the potential list of approved binaries used in an organization. A large-scale catalogue of hashes is already preserved on the server without using a TD. If a list of explicitly trusted binaries is desired, it can be obtained using custom rules and reports on the server.
 
On an endpoint that crawls the Trusted Directory, the binaries in that directory are actually catalogued twice: once to store in the agent cache as an identified binary that resides on the local system, and again as a trusted binary to report to the server. The agent must send each entry of a TD to the server as a report, and the server must then report that entry back to the agent as a Hash Rule. The information associated with a single cache entry (its hashes and metadata, approval state, discovery reason, etc.) can be upwards of 2 Kb of data. The information to store the trusted binary report on the server and the resulting global approval rule can be upwards of 250 bytes. This is reflected by the observation of a Trusted Directory crawler agent on an endpoint consuming a large amount of virtual memory, with a total cache size (both db files and intermediate journaling files) of around the same magnitude. With agent tables of this size, query times slow to the point that contention rises. As the agent continues scanning entries from the Trusted Directory, it creates a large backlog of entries that adds to the overall contention of the daemon. The resulting large memory consumption further degrades performance as the process spends a large percentage of its time page faulting.
 
Even if the Trusted Directory crawler agent were able to scan an enormous number of files (1 million files, for example) and report them to the server, the implication is 250 bytes x 1 million, or 250Mb per endpoint at minimum just to store the global approval rules. This could cause performance problems in general for all endpoints connected to that server.
 

Additional Notes

  • WIM files tend to be extremely large; scanning them will consume an inordinate amount of disk space and CPU.
  • If scanning/approving WIM files is required, reference Pg 174 of the User Guide, which discusses 'Enabling Trusted Directory Approval of WIM Files'.
  • Trusted Directory will approve files in both "Visibility" and "Control" modes. It will, however, not function if the enforcement level of the agent it resides on is set to "Disabled".
  • Trusted Directories can only be configured on "permanently attached fixed media".
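To make the sizing argument above concrete (the double cataloguing, the roughly 2 Kb cache entry and 250 byte rule per binary, and the WIM caveat in the notes), here is an added estimator that is not App Control code: it walks a candidate directory and reports the extra agent cache, the per-endpoint hash-rule volume and the server-wide rule storage for a given number of connected endpoints. The executable suffix list, the 10,000-file advisory threshold and the sample tree it builds are all assumptions for illustration.

```python
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

CACHE_BYTES_PER_ENTRY = 2 * 1024  # agent cache entry, "upwards of 2 Kb" per binary
RULE_BYTES_PER_ENTRY = 250        # trusted-binary report and the resulting global hash rule
# Assumed suffix heuristic (the agent's own crawler decides what is an executable).
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".msi", ".so", ".bin"}
WIM_SUFFIX = ".wim"
@dataclass
class TdEstimate:
    executables: int
    wim_files: int
    wim_bytes: int
    cache_bytes: int              # extra agent cache on each endpoint crawling the TD
    rule_bytes_per_endpoint: int  # hash rules the server sends back to one agent
    rule_bytes_server: int        # rule storage across every connected endpoint

def estimate(root: Path, endpoints: int) -> TdEstimate:
    execs = wims = wim_bytes = 0
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = Path(dirpath, name)
            suffix = path.suffix.lower()
            if suffix == WIM_SUFFIX:  # crawled only when WIM approval is enabled
                wims += 1
                wim_bytes += path.stat().st_size
            elif suffix in EXEC_SUFFIXES:
                execs += 1
    return TdEstimate(execs, wims, wim_bytes, execs * CACHE_BYTES_PER_ENTRY,
                      execs * RULE_BYTES_PER_ENTRY,
                      execs * RULE_BYTES_PER_ENTRY * endpoints)

def advise(est: TdEstimate, max_executables: int = 10_000) -> list[str]:  # threshold is an assumption
    notes = []
    if est.executables > max_executables:
        notes.append("large TD: use custom rules rather than cataloguing via a Trusted Directory")
    if est.wim_files:
        notes.append("WIM images present: scanning them is disk/CPU intensive; enable only if required")
    return notes

def build_sample() -> Path:
    root = Path(tempfile.mkdtemp())  # constructed sample tree in a fresh temp dir
    (root / "tools").mkdir()
    for name in ("a.exe", "b.dll", "c.sys", "notes.txt"):
        (root / "tools" / name).write_bytes(b"x")
    (root / "install.wim").write_bytes(b"\0" * 4096)
    return root
```

Run `estimate(build_sample(), endpoints=500)` to see the three executables cost 6144 bytes of cache on the crawling endpoint and 375000 bytes of rules across 500 endpoints; point it at a real share to size a candidate TD before configuring it.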

Article Information
Creation Date: 09-19-2018