
App Control: Trusted Directory Usage and Limitations

Environment

App Control Server: All Supported Versions
App Control Agent: All Supported Versions

Question

How do Trusted Directories work and what are they used for?

Answer

Trusted Directory usage is intended to augment the default-deny capability of the App Control product. It is intended to approve executables in situations where a Custom Rule will not suffice to issue a Local Approval for a binary. It is not intended as a way to catalogue the potential list of approved binaries used in an organization. A large-scale catalogue of hashes is already preserved on the Server without using a Trusted Directory. If a list of explicitly trusted binaries is desired, it can be obtained using Custom Rules and reports on the App Control Server.
 
On an endpoint that crawls the Trusted Directory, the binaries in that Trusted Directory are actually catalogued twice:
  • Once to store in the Agent's cache as an identified binary that resides on the local system.
  • Once as a trusted binary to report to the Server.

The Agent must send each entry of a Trusted Directory to the Server as a report, and the Server must report that entry back to the Agent as a Hash Rule.

The information associated with a single cache entry (its hashes, metadata, approval state, discovery reason, etcetera) can be upwards of 2 Kb of data. The information to store the trusted binary report on the Server and the resulting Global Approval Rule can be upwards of 250 bytes. This is reflected by observing the Trusted Directory crawler Agent on an endpoint: it consumes a large amount of Virtual Memory and has a total cache size (both database files and intermediate journaling files) that can be around the same size. With Agent tables of this size, query times degrade to a level that causes a rise in contention. As the Agent continues scanning entries from the Trusted Directory, it creates a large backlog of entries that add to the overall contention of the daemon. The large memory consumption that results will further degrade performance as the process spends a large percentage of its time page faulting.
 
Even if the Trusted Directory crawler Agent were able to scan an enormous number of files (1 million files, as an example) and report those to the Server, the implication is 250 bytes x 1 million, or 250 MB per endpoint at a minimum, just to store the Global Approval Rules. This could cause performance problems in general for all endpoints connected to that Server.
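As an added illustration that is not part of the original article, the following Python script applies the per-entry figures above to a candidate directory before it is configured as a Trusted Directory: it counts MZ-headed executables, flags WIM files, and projects Agent cache growth and Server Hash Rule storage. It assumes the article's "2 Kb" means 2 KiB per cache entry, that an "MZ" DOS header is a reasonable stand-in for what the Agent finds "Interesting", and the sample tree it builds is constructed for the demo.

```python
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Per-entry sizes quoted in the article, treated here as rough upper bounds (assumed 2 Kb = 2 KiB).
AGENT_CACHE_BYTES_PER_ENTRY = 2 * 1024  # hashes, metadata, approval state per Agent cache entry
SERVER_RULE_BYTES_PER_ENTRY = 250       # trusted-binary report plus resulting Global Approval Rule

@dataclass
class TrustedDirEstimate:
    executables: int        # files the crawler would catalogue and report
    wim_files: int          # WIM archives found (expensive to scan; see Additional Notes)
    wim_bytes: int          # total size of those WIM files
    agent_cache_bytes: int  # projected growth of the Agent's local cache
    server_rule_bytes: int  # projected Hash Rule storage the Server keeps for this endpoint

def estimate_from_count(executables, wim_files=0, wim_bytes=0):
    # Apply the article's per-entry figures to a known number of executables.
    return TrustedDirEstimate(executables, wim_files, wim_bytes,
                              executables * AGENT_CACHE_BYTES_PER_ENTRY,
                              executables * SERVER_RULE_BYTES_PER_ENTRY)

def is_pe_executable(path):
    # Assumption for the demo: any file starting with the 'MZ' DOS header counts as an executable/DLL.
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False

def estimate_trusted_directory(root):
    # Walk a candidate Trusted Directory and project its Agent and Server footprint.
    executables = wim_files = wim_bytes = 0
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".wim":
            wim_files += 1
            wim_bytes += path.stat().st_size
        elif path.is_file() and is_pe_executable(path):
            executables += 1
    return estimate_from_count(executables, wim_files, wim_bytes)

def demo_sample_estimate():
    # Constructed sample tree: three MZ-headed stubs, one text file, one 1 KiB fake WIM.
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    for name in ("a.exe", "b.dll", "bin/c.exe"):
        (root / name).write_bytes(b"MZ" + b"\0" * 62)  # DOS header stub, not a real program
    (root / "readme.txt").write_text("not an executable")
    (root / "image.wim").write_bytes(b"MSWIM" + b"\0" * 1019)
    return estimate_trusted_directory(root)
```

Running `estimate_from_count(1_000_000)` reproduces the article's 250 MB of Server-side rule storage for a million-file directory, alongside roughly 2 GB of projected Agent cache.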
 

Additional Notes

  • WIM files tend to be extremely large; scanning them will consume an inordinate amount of Disk Space/CPU Usage.
  • If scanning/approving WIM files is required, reference Pg 174 of the User Guide discussing 'Enabling Trusted Directory Approval of WIM Files'.
  • Trusted Directory will approve files in both "Visibility" and "Control" modes. It will, however, not function if the enforcement of the Agent it resides on is set to "Disabled".
  • Trusted Directories can only be configured on "permanently attached fixed media".
  • A Windows Agent will not find executables for other operating systems "Interesting", and an Agent will need to be configured for each Operating System in use.

Creation Date: 09-19-2018