How can I verify the version of Application Control or Change Control through the registry?
The Application Control or Change Control version is contained in the following registry key entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{432DB9E4-6388-432F-9ADB-61E8782F4593}\DisplayVersion
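One way to read this value with PowerShell and map it to the release notes on this page, as an added example (not vendor code). The function name and output property names are hypothetical, and the script assumes DisplayVersion is a dotted numeric string.

```powershell
# Added example, not vendor code. Function and property names are hypothetical.
$UninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{432DB9E4-6388-432F-9ADB-61E8782F4593}'

function Get-AppControlVersion {
    [CmdletBinding()]
    param([string]$KeyPath = $UninstallKey)

    try {
        # -LiteralPath so the braces in the GUID are taken literally
        $raw = (Get-ItemProperty -LiteralPath $KeyPath -Name DisplayVersion -ErrorAction Stop).DisplayVersion
    } catch {
        # Key or value absent: the product is not registered under this key on this host
        return [pscustomobject]@{
            Host                    = $env:COMPUTERNAME
            Installed               = $false
            DisplayVersion          = $null
            PolicyDiscoveryPage     = $null
            NetworkPathObservations = $null
        }
    }

    # Assumption: DisplayVersion parses as a dotted numeric version (for example 6.2.0.x)
    $parsed = $null
    $ok = [version]::TryParse($raw, [ref]$parsed)

    [pscustomobject]@{
        Host                    = $env:COMPUTERNAME
        Installed               = $true
        DisplayVersion          = $raw
        # 6.1.2 merged Observation mode and Self-Approval into the Policy Discovery page
        PolicyDiscoveryPage     = if ($ok) { $parsed -ge [version]'6.1.2' } else { $null }
        # 6.2.0 started generating observations for network path-based file operations
        NetworkPathObservations = if ($ok) { $parsed -ge [version]'6.2.0' } else { $null }
    }
}

Get-AppControlVersion
```

A `$null` in the last two columns means the version string could not be parsed and should be checked by hand.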
What's new in Application Control 6.2.0 Policy Discovery?
- Site administrators can view and take an action only for the Policy Discovery requests coming from their hosts. They can't take an action on requests from hosts that the logged-on user does not have access to.
- Observations are now generated for network path-based file operations. Administrators can discover trusted directory policies for these observations. The observations received from network shares are listed on the Policy Discovery page with the activity Network Path Execution.
- New features for Policy Discovery to facilitate better management of the Policy Discovery requests:
- The Policy Discovery page now has more filters on activity, trust level, and system name.
- Administrators can now set custom policy rules other than rules suggested by the Policy Discovery, Actions, Create Custom Policy option. For this purpose, all policy tabs are now visible. A new action Clear and define rules has been added. These action request details are now available on the Create Custom Policy page.
- On the Policy Discovery details page, a binary checksum is shown in the Binary Properties section.
- The columns User Name, Host Name, and Binary Path have been added to the Policy Discovery details page. Also, Quick find on Host Name has been added.
- Administrators can create custom policy rules from threat events directly. For this purpose, a Create Custom Policy action is shown corresponding to events. These events include write denied, execution denied, package change prevented, and memory protection events. From this action, administrators can review the event details and create policy rules accordingly.
What's new in 6.1.2 Observation mode?
- Observation mode feature improvements for scalability from this release.
- Policy Discovery page for creating policies for both Observations and Self-Approval events.
- Key changes in the Observation mode menu option:
- The Self-Approval and Observation mode UI have been merged to create a single Policy Discovery page.
- Observation and Self-Approval for the same application has one policy candidate entry. You can drill down on a specific row to check for Self-Approval requests or Observation details.
- The Observation mode feature has been substantially improved for scalability in this release. Administrators will notice a reduction of observations and improved quality.
- Changes affecting the workflows around this feature:
- The Observation mode menu item is now Deprecated.
- Rule discovery analysis is now done at endpoints to make sure that only the needed events are delivered to ePolicy Orchestrator.
- The Process Tree is not available in the Policy Discovery user interface (UI). Process tree (Process Created) creation events were among the primary contributors to observations in previous versions of Application Control.
- Identical events (for the same binary and activity) from multiple hosts are consolidated into a single row in Policy Discovery. Consolidating the events allows for efficient processing of requests and reducing overhead. This consolidation impacts the Policy creation mechanism from the Events page that was available in previous releases.
- The focus is now changed to discover Policy candidates that are the change agent for allow list content. Doing so makes sure that the right processes are granted the Updater permission. Instead of seeing observations for EXECUTION_DENIED events for new files, equivalent events are seen for file additions to the allow list.
- Observations are not generated for network path-based file operations.
- Temporary execution allow rules are created on first invocation of new content. These rules prevent generation of new observations on repeat executions.
- A caching mechanism has been implemented for Enable mode so that repeated observation requests are not generated for the same binary.
- Renamed the Global Self-Approval Rules rule group to Global Rules.
- Deprecated multiple rule groups related to the old Observations implementation and added the suffix Deprecated to the rule group names. For example, Global Observation Rules (Deprecated).