Educause Security Discussion mailing list archives

Re: Endpoint Protection - App Whitelisting?


From: Rich Graves <rcgraves () BRANDEIS EDU>
Date: Mon, 13 Nov 2017 14:09:44 -0600

I could not recommend campus-wide AppLocker deployment without a
comprehensive central logging setup. You can't let your alerting mechanism
be help desk calls. It needn't be expensive, just pick one: winlogbeat to
logz.io or loggly, built-in Windows event forwarding to a central server
(see Jessica Payne's walk-through), or Splunk/ELK if you have it. You
should start gathering audit-only data from *all* users immediately.
Central collection of event ID 8003 events helps build the policy and can
alert you to malware. Then start enforcing in phases, starting with IT, HR,
and other higher-risk departments.

At my last job, to reduce the inconvenience especially for power users, we
openly supported self-service AppLocker bypass via a path rule. Move your
program to a special directory, and it will run. The whitelisted directory
is not posted on the open web, but it's fairly openly shared, since clients
can enumerate the applicable AppLocker policy anyway. Abuse is fairly easy
to identify because event ID 8002 includes the rule name.
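Added example, not code from the post or from the Educause thread: a small Python script that parses forwarded AppLocker event XML and produces the two views described above, a count of audit-only 8003 events per path (for building the policy) and the 8002 events that were allowed by the self-service path rule, picked out by the rule name carried in the event. The RuleAndFileData field layout is assumed from the AppLocker event schema; the rule name, bypass directory, hostnames, SIDs and hashes are constructed sample data.

```python
"""Summarise centrally collected AppLocker events (added example, not from the post).

Assumes events arrive as raw Windows event XML (as Windows Event Forwarding or
winlogbeat can deliver) with AppLocker's RuleAndFileData block under <UserData>.
That layout is assumed; the rule name, bypass directory, hostnames, SIDs and
hashes below are constructed samples, not data from the post.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
RULE_NS = "http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0"

# Hypothetical name given to the self-service path rule in the AppLocker policy.
BYPASS_RULE = "Self-service exception folder"


def parse_applocker_event(xml_text):
    """Pull the fields the analysis needs out of one AppLocker event."""
    root = ET.fromstring(xml_text)
    system = root.find(f"{{{EVENT_NS}}}System")
    data = root.find(f"{{{EVENT_NS}}}UserData/{{{RULE_NS}}}RuleAndFileData")
    return {
        "event_id": int(system.findtext(f"{{{EVENT_NS}}}EventID")),
        "computer": system.findtext(f"{{{EVENT_NS}}}Computer"),
        "rule_name": data.findtext(f"{{{RULE_NS}}}RuleName"),
        "target_user": data.findtext(f"{{{RULE_NS}}}TargetUser"),
        "file_path": data.findtext(f"{{{RULE_NS}}}FilePath"),
        "file_hash": data.findtext(f"{{{RULE_NS}}}FileHash"),
    }


def audit_would_block(events):
    """8003 = audit-only 'would have been blocked': count per path to drive policy work."""
    return Counter(e["file_path"] for e in events if e["event_id"] == 8003)


def bypass_usage(events, rule_name=BYPASS_RULE):
    """8002 = allowed; keep only those allowed by the bypass rule (the rule name is in the event)."""
    return [(e["computer"], e["target_user"], e["file_path"], e["file_hash"])
            for e in events if e["event_id"] == 8002 and e["rule_name"] == rule_name]


def bypass_hash_spread(events, rule_name=BYPASS_RULE):
    """Distinct hosts per file hash among bypass-rule runs: one binary on many hosts is worth a look."""
    hosts = defaultdict(set)
    for computer, _user, _path, file_hash in bypass_usage(events, rule_name):
        hosts[file_hash].add(computer)
    return {h: len(c) for h, c in hosts.items()}


def make_event(event_id, computer, rule_name, user, path, file_hash):
    """Constructed sample event in the assumed RuleAndFileData layout."""
    return (
        f'<Event xmlns="{EVENT_NS}"><System>'
        f'<Provider Name="Microsoft-Windows-AppLocker"/><EventID>{event_id}</EventID>'
        f'<Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>'
        f'<Computer>{computer}</Computer></System>'
        f'<UserData><RuleAndFileData xmlns="{RULE_NS}">'
        f'<PolicyName>EXE</PolicyName><RuleName>{rule_name}</RuleName>'
        f'<TargetUser>{user}</TargetUser><FilePath>{path}</FilePath>'
        f'<FileHash>{file_hash}</FileHash></RuleAndFileData></UserData></Event>'
    )


# Constructed sample records. For the 8003 (no rule matched) samples the rule
# name is shown as "-"; hostnames, SIDs and hashes are made up.
SAMPLE_EVENTS = [
    make_event(8003, "WS-HR-01", "-", "S-1-5-21-1-2-3-1001",
               r"%OSDRIVE%\USERS\ALICE\DOWNLOADS\SETUP.EXE", "AAA111"),
    make_event(8003, "WS-HR-01", "-", "S-1-5-21-1-2-3-1001",
               r"%OSDRIVE%\USERS\ALICE\DOWNLOADS\SETUP.EXE", "AAA111"),
    make_event(8003, "WS-IT-07", "-", "S-1-5-21-1-2-3-2002",
               r"%OSDRIVE%\TOOLS\PUTTY.EXE", "BBB222"),
    make_event(8002, "WS-IT-07", BYPASS_RULE, "S-1-5-21-1-2-3-2002",
               r"%OSDRIVE%\APPROVED\PUTTY.EXE", "BBB222"),
    make_event(8002, "WS-HR-01", BYPASS_RULE, "S-1-5-21-1-2-3-1001",
               r"%OSDRIVE%\APPROVED\UPDATER.EXE", "CCC333"),
    make_event(8002, "WS-FIN-03", BYPASS_RULE, "S-1-5-21-1-2-3-3003",
               r"%OSDRIVE%\APPROVED\UPDATER.EXE", "CCC333"),
    make_event(8002, "WS-FIN-03", "(Default Rule) All files located in the Program Files folder",
               "S-1-5-21-1-2-3-3003", r"%PROGRAMFILES%\NOTEPAD++\NOTEPAD++.EXE", "DDD444"),
]


if __name__ == "__main__":
    parsed = [parse_applocker_event(x) for x in SAMPLE_EVENTS]
    for path, n in audit_would_block(parsed).most_common():
        print(f"8003 x{n}: {path}")
    for row in bypass_usage(parsed):
        print("bypass:", *row)
    print("hosts per bypass hash:", bypass_hash_spread(parsed))
```

The same three functions work on real events once you swap SAMPLE_EVENTS for the XML your collector hands you; the 8003 counter is the list of things to write rules for before enforcing, and the per-hash spread over bypass-rule executions is the quick check for a single binary turning up in the exception folder on many machines.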
