DP MMC Administration 5 1 95 0

Defendpoint Management Console
Administration Guide
Software Version: 5.1.95.0 GA
Document Version: 1.0
Document Date: January 2018
Defendpoint Management Console 5.1.95.0 GA

Document v.1.0
Copyright Notice
The information contained in this document (“the Material”) is believed to be accurate at the time of printing, but no
representation or warranty is given (express or implied) as to its accuracy, completeness or correctness. Avecto
Ltd, its associated companies and the publisher accept no liability whatsoever for any direct, indirect or
consequential loss or damage arising in any way from any use of or reliance placed on this Material for any
purpose.
Copyright in the whole and every part of this document belongs to Avecto Ltd (“the Owner”) and may not be used,
sold, transferred, copied or reproduced in whole or in part in any manner or form or in or on any media to any
person other than in accordance with the terms of the Owner’s Agreement or otherwise without the prior written
consent of the Owner.
Accessibility Notice
In the event that you are unable to read any of the pages or documents on this website, please contact us and we
will arrange to get an accessible version to you.

Document v.1.0
Table of Contents
Chapter 1 - Introduction 8
Chapter 2 - Installation and Deployment 9
2.1 - Planning and Preparation 9
2.1.1 - Defining User Roles 9
2.1.2 - Implementing Least Privilege 9
2.2 - Defendpoint Installation 10
2.3 - Upgrading Defendpoint 11
2.3.1 - Planning Your Deployment 11
2.3.2 - Recommended Steps 12
2.3.3 - Frequently Asked Questions 12
Chapter 3 - Navigation and Licensing 14
3.1 - Launching the Defendpoint Policy Editor 14
3.2 - Licensing 14
3.2.1 - Inserting licenses 14
3.3 - Navigating the Policy Editor 15
3.3.1 - Defendpoint Naming Conventions 15
3.3.2 - Automatic Saving 16
Chapter 4 - Policies and Templates 17
4.1 - Users 17
4.2 - Policies 17
4.3 - Templates 18
4.4 - QuickStart 18
4.4.1 - QuickStart Policy Summary 19
4.4.2 - Customizing the QuickStart Policy 22
4.5 - Discovery 22
4.6 - Server Roles 23
4.7 - Trusted App Protection (TAP) 24
4.7.1 - Trusted Application Protection Policies Summary 24
4.7.2 - Trusted Application Protection Precedence 26
4.7.3 - Modifying the Trusted Application Protection Policies 26
4.7.4 - Trusted Application Protection Reporting 28
Chapter 5 - Workstyles 29
5.1 - Workstyle Wizard 29
5.2 - Creating Workstyles 30
5.2.1 - Disabling / Enabling Workstyles 30
5.2.2 - Configuring Sandboxing Settings 30
5.2.3 - Workstyle Precedence 31
5.3 - TAP DLL Control Summary 31
5.3.1 - Configuring Trusted Application Protection DLL Control 31
5.4 - Filtering Workstyles 34
5.4.1 - Account Filters 34
5.4.2 - Computer Filters 35
5.4.3 - Time Range Filters 36
5.4.4 - Expiry Filters 37
5.4.5 - WMI (Windows Management Information) Filters 37
Chapter 6 - Managing Applications 39
6.1 - Hiding and Showing Application Groups 39
6.2 - Creating Application Groups 39

Document v.1.0
6.3 - Inserting Executables and Scripts 39
6.4 - Inserting ActiveX Controls 41
6.5 - Inserting Installer Packages 41
6.6 - Inserting Uninstaller (msi or exe) 43
6.7 - Inserting COM Classes 43
6.8 - Inserting Windows Store Applications 45
6.9 - Inserting Windows Services 45
6.10 - Advanced Options 46
6.11 - Inserting Applications from Templates 47
6.12 - Inserting an Application from a Running Process 47
6.13 - Inserting Applications from Events 48
6.14 - Inserting Applications from an Event Log 49
6.15 - Inserting Applications from Enterprise Reporting 49
Chapter 7 - Remote PowerShell Management 50
7.1 - End User Messaging 50
7.2 - Remote PowerShell Scripts 50
7.3 - Remote PowerShell Commands 51
Chapter 8 - Application Rules 53
8.1 - Inserting an Application Rule 53
Chapter 9 - On-Demand Application Rules 55
9.1 - Enabling On-Demand Integration 55
9.2 - Managing Languages 56
Chapter 10 - Content Control 57
10.1 - Creating Content Groups 57
10.1.1 - Content Group Description 57
10.1.2 - Inserting Content 58
10.1.3 - Target Content Definitions 58
10.2 - Content Rules 58
10.3 - Inserting a Content Rule 58
Chapter 11 - General Rules 60
11.1 - Prohibit Privileged Account Management 60
11.2 - Collect User Information 60
11.3 - Collect Host Information 61
11.4 - Windows Remote Management Connections 61
Chapter 12 - End User Messaging 62
12.1 - Creating Messages 62
12.1.1 - Message Name and Description 63
12.1.2 - Message Design 63
12.1.3 - Message Text 66
12.1.4 - Managing Languages 67
12.1.5 - Image Manager 67
12.1.6 - Challenge / Response Authorization 68
12.1.7 - Challenge Response Designated User Option 71
12.2 - Message Notifications 71
12.2.1 - Setting the Notification Text 71
12.2.2 - Setting ActiveX Message Text 72
Chapter 13 - Custom Tokens 73
13.1 - Creating Custom Tokens 73
13.2 - Editing Custom Tokens 73
13.2.1 - Groups 73

Document v.1.0
13.2.2 - Privileges 75
13.2.3 - Integrity Level 75
13.2.4 - Process Access Rights 75
Chapter 14 - Advanced Configuration Settings 77
14.1 - Privilege Monitoring 77
14.1.1 - Workstyle Options 77
14.1.2 - Events 77
14.1.3 - Privilege Monitoring Log Files 78
14.2 - Signing Defendpoint Settings 78
14.2.1 - Creating and Editing Signed Settings 78
14.2.2 - Defendpoint Client Certificate Mode 80
14.2.3 - Client Installation Mode Parameters 80
14.2.4 - Behavior when Failing to Verify Policy Certificate 81
14.3 - Advanced Agent Settings 81
Chapter 15 - Exporting and Importing Defendpoint Settings 83
15.1 - Exporting and Importing Settings 83
Chapter 16 - Deleting Defendpoint Settings 84
16.1 - Deleting Items and Conflict Resolution 84
Chapter 17 - HTML View and Report 85
Chapter 18 - Deploying Defendpoint Settings 86
18.1 - Group Policy Management 86
18.1.1 - Creating Defendpoint Settings 86
18.1.2 - Defendpoint Settings Scope 88
18.1.3 - GPO Precedence and Inheritance Rules 88
18.1.4 - Order of Processing 88
18.1.5 - Exceptions to Default Order of Processing 89
18.1.6 - Defendpoint Settings Storage and Backup 89
18.1.7 - Disconnected Users 89
18.2 - Standalone Management 90
18.3 - PowerShell Management 90
18.3.1 - Windows PowerShell Execution Policy 91
18.3.2 - Executing PowerShell Configurations 91
18.4 - Webserver Management 91
18.4.1 - Deploying Workstyles via Web Services 91
18.4.2 - Webserver Enabled Client Installation 92
18.4.3 - Enabling Webserver Policy Download via the Registry 93
18.5 - Configuration Precedence 93
18.6 - Deployment Methods 94
Chapter 19 - Auditing and Reporting 95
19.1 - Process Events 95
19.2 - Configuration Events 97
19.3 - Content Events 98
19.4 - Auditing with Custom Scripts 98
19.5 - Defendpoint Reporting Console 100
19.5.1 - Auditing Report 101
19.5.2 - Privilege Monitoring Report 102
19.5.3 - Diagnosing Connection Problems 103
19.6 - Defendpoint Activity Viewer 103
Chapter 20 - Defendpoint Client 104
20.1 - Installing the Defendpoint Client 104

Document v.1.0
20.1.1 - Client Packages 104
20.1.2 - Unattended Client Deployment 104
20.1.3 - Defendpoint Client Certificate Mode 105
20.2 - Avecto End User Utilities 105
20.2.1 - Avecto Network Adapter Manager 105
20.2.2 - Avecto Printer Manager 106
20.2.3 - Avecto Programs and Features Manager 107
Chapter 21 - Troubleshooting 108
21.1 - Resultant Set of Policy 108
21.1.1 - Group Policy Modelling 108
21.1.2 - Group Policy Results 108
21.2 - General Troubleshooting Tips 109
21.2.1 - Check Defendpoint is installed and functioning 109
21.2.2 - Check Settings are Deployed 109
21.2.3 - Check that Defendpoint is Licensed 109
21.2.4 - Check Workstyle Precedence 109
Appendix A - Appendices 111
A.1 - Built-in Groups 111
A.2 - Target Definitions 111
A.2.1 - ActiveX Codebase 112
A.2.2 - ActiveX Version 112
A.2.3 - AppId 112
A.2.4 - Application Requires Elevation (UAC) 112
A.2.5 - Application Requires Elevation (UAC) (Supported on 'Install' only) 112
A.2.6 - Avecto Zone Identifier 112
A.2.7 - CLSID 112
A.2.8 - COM Display Name 113
A.2.9 - Command Line 113
A.2.10 - Controlling Process 113
A.2.11 - Drive 113
A.2.12 - File or Folder Name 114
A.2.13 - File Hash (SHA-1 fingerprint) 114
A.2.14 - File Version 114
A.2.15 - Parent Process 114
A.2.16 - Product Code 115
A.2.17 - Product Description 115
A.2.18 - Product Name 115
A.2.19 - Product Version 115
A.2.20 - Publisher 115
A.2.21 - Service Action 116
A.2.22 - Service Name 116
A.2.23 - Service Display Name 116
A.2.24 - Source URL 116
A.2.25 - Trusted Ownership 117
A.2.26 - Upgrade Code 117
A.2.27 - Windows Store Application Version 117
A.2.28 - Windows Store Package Name 117
A.2.29 - Windows Store Publisher 118
A.3 - Signing Defendpoint Settings with Certificates 118
A.3.1 - Creating a PFX file suitable for use with Defendpoint 118
A.3.2 - Using Certificate Template in a Certificate Request 119
A.3.3 - Creating a Defendpoint Configuration Certificate Template 120
A.3.4 - Issuing the Defendpoint Configuration Certificate Template 121

Document v.1.0
A.3.5 - Distributing Public Keys 122
A.4 - Using Defendpoint with McAfee ePO 122
A.4.1 - Prerequisites 122
A.4.2 - Manual Installation of Defendpoint Agent in ePO Mode 122
A.4.3 - Disabling ePO Mode 122
A.5 - Workstyle Parameters 123
A.6 - Automating the Update of Multiple GPOs 125
A.7 - Environment Variables 125
A.8 - Regular Expressions Syntax 126
A.9 - Example PowerShell Configurations 127
A.9.1 - Create New Configuration, Save to Local File 127
A.9.2 - Open Local User Policy, Modify then Save 130
A.9.3 - Open Local Configuration and Save to Domain GPO 130
A.10 - Application Templates 130
A.10.1 - Creating Custom Application Templates 131
A.11 - Rule Precedence 132
A.12 - Trusted Application Protection Blacklist 132

Document v.1.0
Chapter 1 - Introduction
Defendpoint combines privilege management and application control technology in a single lightweight agent. This
scalable solution allows global organizations to eliminate admin rights across the entire business – across
Windows and Mac desktops and even in the data center.
Actionable intelligence is provided by an enterprise class reporting solution with endpoint analysis, dashboards and
trend data for auditing and compliance.

8 of 133
Document v.1.0
Chapter 2 - Installation and Deployment
2.1 - Planning and Preparation
2.1.1 - Defining User Roles
Before deploying Defendpoint, you should spend some time preparing suitable workstyles for your users.
Implementing least privilege may require workstyles to be tailored to users’ roles.
The table below shows three typical user roles, but we recommend that you create roles that are tailored to your
environment.
Role Requirement for Admin Rights

Standard Corporate Applications that require admin rights to function, and simple admin tasks.
User
Laptop User Flexibility to perform ad-hoc admin tasks and install software when away from the
corporate network.
Technical User Complex applications and diagnostic tools, advanced admin tasks and software
installations.
Defendpoint can cater for all types of users, including the most demanding technical users such as system
administrators and developers.
You should also educate users on what they should expect from a least privilege experience, before transferring
them to standard user accounts. This ensures that they will report any problems they encounter during the process
of moving to least privilege.
Contact your solution provider or Avecto to gain access to templates to cater for more complex use case
scenarios.
2.1.2 - Implementing Least Privilege

The first step is to identify the applications that require admin privileges for each of the roles you’ve defined. These
can fall into one of three categories:
1. Known Admin Applications – You already have a definitive list of applications that require admin rights to
run.
2. Unknown Admin Applications – You are not sure of the applications that require admin rights to run.
3. Flexible Elevation – The user will require flexibility and can’t be restricted to a list of applications.
Known Applications
For this category you should add the relevant applications to the Defendpoint application groups for the users,
which will automatically elevate these applications when they are launched. You can then remove admin rights
from these users. See Managing Applications detailed on page 39 for more information.

9 of 133
Document v.1.0
Unknown Applications
For this category you have two choices to help you discover the applications that require admin rights:
1. Set up Defendpoint workstyles to monitor privileged application behavior. The Defendpoint audit logs will
highlight all of the applications that require admin rights to run. See Privilege Monitoring detailed on
page 77 for more information.
2. Set up Defendpoint workstyles to give the user the “on-demand” elevation facility, and instruct the user to
use this facility for any applications that fail to run once you have taken the user’s admin rights away. The
Defendpoint audit logs will highlight all the applications that the user has launched with elevated rights. See
On-Demand Application Rules detailed on page 55 and Privilege Monitoring detailed on page 77 for
more information.
You can use the audit logs to determine the relevant set of applications that you want to give admin rights to for
these users. See Managing Applications detailed on page 39 for more information.
Flexible Elevation
For this category you should set up Defendpoint workstyles that give the user an “on-demand” elevation facility,
which allows the user to elevate any applications from a standard user account. All elevated applications can be
audited, to discourage users from making inappropriate use of this facility. See On-Demand Application Rules
detailed on page 55 for more information.
2.2 - Defendpoint Installation

The Defendpoint management console is a Group Policy MMC extension snap-in and may be installed on any
number of administrator desktops or servers.
This guide assumes that you will be using Group Policy Management Console (GPMC), although
Defendpoint fully supports other methods of Group Policy deployment, such as the Local Group Policy
Editor. Ensure that you have the relevant Group Policy management tools installed on the desktop or server
where you will be installing the Defendpoint management console.
The Defendpoint installation is performed in two stages; first the Defendpoint Management Consoles, and then the
Defendpoint Client.
To install Defendpoint run the appropriate installation package:
l For 32-bit (x86) systems run DefendpointManagementConsoles_x86.exe

l For 64-bit (x64) systems run DefendpointManagementConsoles_x64.exe
1. The installation will detect if any prerequisites are needed. Click Install to install any missing
prerequisites.This may take a few minutes.
2. Once the prerequisites have been installed the Welcome dialog appears.
3. Click Next to continue. The Licence Agreement dialog appears.
4. After reading the license agreement, select I accept the terms in the license agreement and click Next to
continue. The User Information dialog appears.
5. Enter your name and the name of your organization and click Next to continue. The Destination Folder
dialog appears.
6. If you wish to change the default installation directory then click Browse and select a different installation
directory. Click Next to continue. The McAfee ePolicy Orchestrator dialog appears.

10 of 133
Document v.1.0
7. If you wish to evaluate Defendpoint with McAfee ePolicy Orchestrator, check the option McAfee ePolicy
Orchestrator Integration, otherwise leave this option unchecked. Click Next to continue. The Ready to
Install the Program dialog appears.
Defendpoint ePO Edition is a fully integrated edition of Defendpoint for use with McAfee ePO. It is
recommended that for evaluations with McAfee ePO, the Defendpoint ePO Edition is used, which is
available for download at Avecto.com.
2.3 - Upgrading Defendpoint

2.3.1 - Planning Your Deployment
Before upgrading any versions of Defendpoint or Privilege Guard software or existing settings, it is recommended
that you test your deployment in a pre-production environment. This will help mitigate any unforeseen compatibility
issues, and avoid disruption to the business.
In the following sections, all references to Defendpoint, by default also refer to Privilege Guard.
All Defendpoint MSI and EXE installers will automatically remove old versions of Avecto software when installed.
Therefore, it is not necessary to manually remove old versions prior to installation of new versions.
If you previously installed the Defendpoint client with a switch you must ensure that you upgrade the Defendpoint
client with the same switch. If you do not use the same switch the new installation parameters will apply and any
functionality relating to previous installation will be lost.
The Defendpoint Client guarantees backwards compatibility with previous versions of Defendpoint, but does not
guarantee forwards compatibility. Therefore it is recommended that all Defendpoint Clients are upgraded before
rolling out new versions of Defendpoint.
When upgrading Avecto software, it may be necessary for a reboot to occur in order to complete the
installation. When installing in silent mode, a reboot will occur automatically. Therefore it is recommended
that upgrades are performed out of core business hours, or during scheduled maintenance windows, to avoid
loss of productivity.

11 of 133
Document v.1.0
2.3.2 - Recommended Steps
Step 1: Upgrading Defendpoint Clients
To upgrade the Defendpoint Client manually, double-click DefendpointClient_x86.exe or DefendpointClient_

x64.exe on the target endpoint, and follow the installation wizard.
To upgrade the Defendpoint Client using a deployment mechanism, please see the steps in Installing the
Defendpoint Client detailed on page 104.
For larger deployments, Defendpoint Clients support mixed client environments as they are fully backwards
compatible with older versions of the Defendpoint settings. This allows for phased roll-outs of the
Defendpoint Client if this is preferred.
Step 2: Upgrading the Defendpoint Management Console
Once all Defendpoint Clients have been upgraded, the next step is to upgrade the Defendpoint Management
Console.
To upgrade the Defendpoint Management Console, please see the steps in Defendpoint Installation detailed on
page 10
Step 3: Upgrading Defendpoint Settings
Once the Defendpoint Management Console has been upgraded, the final step is to roll out new versions of the
Defendpoint Settings. Although Defendpoint Clients are fully backwards compatible with older versions of
Defendpoint Settings, this step is required if you wish to take advantage of any new features and enhancements in
Defendpoint.
Defendpoint Settings are automatically saved in the latest format each time a change is made. For details of
editing Defendpoint settings, please see to the steps in Group Policy Management detailed on page 86.
Once Defendpoint Settings have been upgraded, they cannot be downgraded. Therefore, it is recommended
that upgrading Defendpoint Settings is performed only after all Defendpoint Clients have been upgraded.
2.3.3 - Frequently Asked Questions

Can I install the 32-Bit Client on a 64-Bit endpoint?
No. The 32-Bit Client can only be installed on 32-Bit endpoints.
Can I install the 32-Bit Management Console on a 64-Bit endpoint?

Yes. The 32-Bit Management Console can be installed on 64-Bit endpoints if required. However, you will not be
given the option of installing the Client.
Do I need to install the Defendpoint Client and Management Console together?

For standalone installations, you must install both the Client and Console. Avecto also recommends that the Client
and Console are installed together during evaluation, to simplify the evaluation process.

12 of 133
Document v.1.0
For larger deployments, there is no requirement to install the Management Console on endpoints.
What distribution mechanisms do you support?

The Defendpoint Client can be deployed using any third party software which supports the deployment of MSI
and/or Executable files, such as Microsoft Active Directory, Microsoft SMS / SCCM, and McAfee ePolicy
Orchestrator (ePO).
For silent installations and advanced installations (such as CERT_MODE and EPOMODE), the third party
deployment software must also support the use of command line options.
What prerequisite components are required for Defendpoint?

For the Defendpoint Client:
l Microsoft Core XML Services 6.0 (XP SP2 only)
l Microsoft SQL Server Compact 3.5 SP2 (Required for using the Activity Viewer)
l .NET Framework 2.0 (Required to run PowerShell audit scripts)
For the Defendpoint Management Console:

l Microsoft Core XML Services 6.0 (XP SP2 only)
l Microsoft Visual C++ 2013 Redistributable
l Microsoft Group Policy Management Console (for Active Directory integration)
l Microsoft SQL Server 2008 R2 Native Client
For the Defendpoint Activity Viewer:

l Microsoft SQL Server Compact 4.0
l Microsoft .Net Framework 4.0 Client
The executable version of the installation package includes all necessary prerequisites (excluding the Group
Policy Management Console), and will automatically install them as necessary.
The Defendpoint Client executable installer will automatically install Microsoft SQL Server Compact 3.5 SP
2. If you do want to use the Activity Viewer, and do not want for this prerequisite to be installed, it is
recommended that you install the Defendpoint Client MSI installation.
Where can I find the latest version of Defendpoint, or previous versions of Privilege
Guard?
All versions (including the latest version) of Avecto software can be downloaded from connect.avecto.com by
signing in and navigating to the Product Downloads section.
Which operating systems are supported by Defendpoint?

For details of supported operating systems, please refer to the Defendpoint Release Notes.

13 of 133
Document v.1.0
Chapter 3 - Navigation and Licensing
3.1 - Launching the Defendpoint Policy Editor
The Defendpoint Policy Editor is accessed as a snap-in to the Microsoft Management Console.
From your administrator account launch the Microsoft Management Console (MMC.exe). Type 'MMC' into the
Search Box from the Start Menu and press the Enter key.
We will now add Defendpoint as a snap-in to the console.
1. Select File from the menu bar and select Add/Remove Snap-in.
2. Scroll down the list and select the Defendpoint Settings snap-in. Click Add and then click OK.
3. Optionally select File > Save as and save a shortcut for the snap-in to the desktop as Defendpoint.
3.2 - Licensing
The Defendpoint Client will not function unless it receives a valid license code, which needs to be added in the
Defendpoint Policy Editor.
If multiple Group Policy Objects (GPOs) are applicable for a computer or user then as long as a valid license code
appears in one of the GPOs then the Defendpoint Client will function. For instance, you may decide to add the
Defendpoint licenses to the computer configuration section of a GPO that is applied to the domain, which will
ensure that all computers in the domain will receive a valid license (for those computers that have the Defendpoint
Client installed).
If you are unsure then it is recommended that you always add a valid license when you are creating Defendpoint
settings for a GPO.
3.2.1 - Inserting licenses

To insert a license:

14 of 133
Document v.1.0
1. Expand the Defendpoint Settings node.
2. Select the Licensing node.
3. Type the license code into the edit box at the top of the licensing page. Once you have entered a valid
license code, the edit box turns from red to green, a description of the license code appears and the Add
button is enabled.
4. Click Add to add the license to the list of current licenses.
Repeat the procedure above if you have multiple license codes.
3.3 - Navigating the Policy Editor

3.3.1 - Defendpoint Naming Conventions
The left-hand pane containing the Defendpoint Settings is referred to as the Tree pane.
The folders beneath Defendpoint Settings in the tree pane are referred to as Nodes.
The middle pane, which displays content relevant to the selected node, is referred to as the Details pane.
If you expand Defendpoint Settings node you will see three nodes:
1. Windows – Create Defendpoint configuration for Windows endpoints.
2. OS X – Create Defendpoint configuration for Mac (OS X or macOS) endpoints.
3. Licensing – Manage Defendpoint licenses.
1. Workstyles – Assign privileges to applications.
2. Application Groups – Define logical groupings of applications.
3. Content Groups – Define specific file content.
4. Messages – Define end user messages.
5. Custom Tokens – Define custom access tokens.
Once a workstyle has been created and selected in the tree pane, the workstyle tabs will be displayed in the details
pane.

15 of 133
Document v.1.0
There are six tabs but many workstyles will not use all of them. You can toggle individual tab displays on and off
from the tab drop-down menu at the top right of the details pane.
1. Overview – Provides a general overview of the workstyle contents.

2. Application Rules – Allows you to insert, edit or remove application rules.
3. On-Demand Application Rules – Allows you to insert, edit or remove on-demand application rules.
4. Content Rules – Allows you to insert, remove or edit content rules.
5. General Rules – Allows the configuration of general rules.
6. Filters – Allows you to add or delete filters.
Tabs that contain active settings cannot be toggled off.
3.3.2 - Automatic Saving

By default the Defendpoint Settings editor will automatically save any changes back to the appropriate GPO (or
local XML file if you are using the standalone console).
Automatic saving can be disabled, by deselecting the Auto Commit Settings menu option on the Defendpoint
Settings node, but this is not recommended unless you are having performance issues. If you deselect the Auto
Commit Settings option then you must select the Commit Settings menu option to manually save any changes
back to the GPO. The Auto Commit Settings option is persisted to your user profile, so it will be set for all future
editing of Defendpoint Settings.

16 of 133
Document v.1.0
Chapter 4 - Policies and Templates
A Defendpoint policy is made up of one or more items from the following groups. Each of these groups
can be a node in the Defendpoint Settings:
l Workstyles
l A workstyle is part of a policy. It's used to assign application rules for users. You can create
workstyles using the WorkStyle Wizard or import them.
l Application Groups
l Application Groups are used by Workstyles to group applications together to apply certain
Defendpoint behavior.
l Content Groups
l Content groups are used by Workstyles to group content together to apply certain Defendpoint
behavior.
l Messages
l Messages are used by Workstyles to provide information to the end user when Defendpoint has
applied certain behavior that you've defined and need to notify the end-user.
l Custom Tokens
l Custom Tokens are used by Workstyles to assign custom privileges to content or application
groups.
4.1 - Users
Disconnected users are fully supported by Defendpoint. When receiving policies from McAfee ePO, Defendpoint
automatically caches all the information required to work offline, so the settings will still be applied if the client is
not connected to the corporate network. Of course, any changes made to the policy will not propagate to the
disconnected computer until the McAfee Agent re-establishes a connection to the ePO Server.
4.2 - Policies
Defendpoint policies are applied to one or more endpoints. The Policy Summary screen summaries for the
number of workstyles, application groups, target URL groups, target content groups, messages, tokens and
licenses in the policy. As this is a blank policy, all summaries will be ‘zero’.
Each item summary includes an Edit <Item> button, which allows you to jump to that section of the policy.
Defendpoint incorporates an autosave, autosave recovery and concurrent edit awareness feature to reduce the risk
or impact of data loss and prevent multiple users from overwriting individual polices.
A Defendpoint template is a configuration that is merged with your existing policy. A template also consists of
any number of Workstyles, Application Groups, Content Groups, Messages and Custom Tokens.

17 of 133
Document v.1.0
4.3 - Templates
Templates can be imported into your Defendpoint settings. You can choose to either merge them into your existing
policy otherwise the template overwrites your existing policy.
You can import templates using the Import Template functionality. This is available from the Welcome page or
the Action menu or the right-click context menu on the Defendpoint Settings node:
There are four templates that you can import into your existing policy:
l QuickStart detailed below
l Discovery detailed on page 22
l Server Roles detailed on page 23
l Trusted App Protection (TAP) detailed on page 24
4.4 - QuickStart
The QuickStart policy contains Workstyles, Application Groups, Messages and Custom Tokens configured with
Privilege Management and Application Control. The QuickStart policy has been designed from Avecto’s
experiences of implementing the solution across thousands of customers, and is intended to balance security with

18 of 133
Document v.1.0
user freedom. As every environment is different, Avecto recommends this configuration is thoroughly tested to
ensure it complies with the requirements of your organization.
This template policy contains the following elements:
Workstyles
l General Rules
l High Flexibility
l Medium Flexibility
l Low Flexibility
Application Groups
l Add Admin - General (Business Apps)
l Add Admin - General (Windows Functions)
l Add Admin - High Flexibility
l Add Admin - Medium Flexibility
l Allow - Approved Standard User Apps
l Allow - Whitelisted Functions & Apps
l Block - Blacklisted Apps
l Control - Restricted Functions
l Control - Restricted Functions (On-Demand)
Messages
l Allow Message (Authentication)
l Allow Message (Select Reason)
l Allow Message (Support Desk)
l Allow Message (Yes / No)
l Block Message
l Block Notification
l Notification (Trusted)
Custom Tokens
l Avecto Support Token
4.4.1 - QuickStart Policy Summary

By using and building on the QuickStart policy, you can quickly improve your organization's security without having
to monitor and analyze your users' behavior first and then design and create your Defendpoint configuration.
After the QuickStart policy has been deployed to groups within your organization, you can start to gather
information on your users' behavior. This will provide you with a better understanding of the applications being used
within your organization, and whether they require admin rights, need to be blocked, or need authorizing for specific
users.
This data can then be used to further refine the QuickStart policy to provide more a tailored Defendpoint solution for
your organization.

19 of 133
Document v.1.0
Workstyles
The QuickStart policy contains four workstyles that should be used together to manage all users in your
organization.
General Rules
This workstyle contains a set of default rules that apply to all standard users regardless of what level of flexibility
they need.
The General Rules workstyle contains rules to:

l Block any applications that are in the Block – Blacklisted Apps group
l Allow Avecto Support tools.
l Allow standard Windows functions, business applications, and applications installed through trusted
deployment tools to run with admin rights
l Allow approved standard user applications to run passively
High Flexibility
This workstyle is designed for users that require a lot of flexibility such as developers.
The High Flexibility workstyle contains rules to:

l Allow known white-listed business applications and operating system functions to run
l Allow users to run signed applications with admin rights
l Allow users to run unknown applications with admin rights once they have confirmed that the application
should be elevated
l Allow applications that are in the Add Admin – High Flexibility group to run with admin rights
l Allow unknown business application and operating system functions to run on-demand
Medium Flexibility
This workstyle is designed for users that require some flexibility such as sales engineers.
The Medium Flexibility workstyle contains rules to:

l Allow known white-listed business applications and operating system functions to run
l Allow users to run signed applications with admin rights once they have confirmed that the application
should be elevated
l Prompt users to provide a reason before they can run unknown applications with admin rights
l Allow applications that are in the Add Admin – Medium Flexibility group to run with admin rights
l Allow unknown business application and operating system functions to run on-demand
l Restricted OS functions that require admin rights are prevented and require support interaction
Low Flexibility
This workstyle is designed for users that don't require much flexibility such as helpdesk operators. The Low
Flexibility workstyle contains rules to:
l Prompt users to contact support if a trusted or untrusted application requests admin rights
l Prompt users to contact support if an unknown application tries to run

20 of 133
Document v.1.0
l Allow known approved business applications and operating system functions to run
Application Groups
The application groups that are prefixed with "(Default)" or "(Recommended)" are hidden by default and do not need
to be altered.
Add Admin – General (Business Apps) – Contains applications that are approved for elevation for all users,
regardless of their flexibility level.
Add Admin – General (Windows Functions) – Contains operating system functions that are approved for
elevation for all users.
Add Admin – High Flexibility – Contains the applications that require admin rights that should only be provided
to the high flexibility users.
Add Admin – Medium Flexibility – Contains the applications that require admin rights that should only be
provided to the medium flexibility users.
Allow – Approved Standard User Apps – Contains applications that are approved for all users.
Block – Blacklisted Apps – This group contains applications that are blocked for all users.
(Default) Any Application – Contains all application types and is used as a catch-all for unknown applications.
(Default) Any Trusted UAC Prompt – Contains signed (trusted ownership) application types that request admin
rights.
(Default) Any UAC Prompt – This group contains applications types that request admin rights.
(Default) Avecto Tools – This group is used to provide access to an Avecto executable that collects Defendpoint
troubleshooting information.
(Default) Controlled OS Functions – Contains operating system applications and consoles that are used for
system administration.
(Default) Software Deployment Tool Installs – Contains applications that can be installed by deployment tools
such as SCCM (System Center Configuration Manager).
(Default) Whitelisted Functions & Apps – Contains trusted applications, tasks and scripts that should execute
as a standard user.
(Recommended) Restricted Functions - This group contains OS applications and consoles that are used for
system administration and trigger UAC when they are executed.
(Recommended) Restricted Functions (On Demand) - This group contains OS applications and consoles that
are used for system administration.

21 of 133
Document v.1.0
Messages
The following messages are created as part of the QuickStart policy and are used by some of the application rules:
Allow Message (Authentication) – Asks the user to provide a reason and enter their password before the
application runs with admin rights.
Allow Message (Select Reason) – Asks the user to select a reason from a drop-down menu before the application
runs with admin rights.
Allow Message (Support Desk) – Presents the user with a challenge code and asks them to obtain authorization
from the support desk. Support can either provide a response code or a designated, authorized user can enter their
login details to approve the request.
Allow Message (Yes / No) – Asks the user to confirm that they want to proceed to run an application with admin
rights.
Block Message – Warns the user that an application has been blocked.
Block Notification – Notifies the user that an application has been blocked and submitted for analysis.
Notification (Trusted) – Notifies the user that an application has been trusted.
Custom Token
A custom token is created as part of the QuickStart policy. The custom token is called Avecto Support Token
and is only used to ensure that an authorized user can gain access to Defendpoint troubleshooting information.
We do not recommend using the Avecto Support Token for any other application rules in your workstyles.
4.4.2 - Customizing the QuickStart Policy

Before deploying the QuickStart policy to your users, you need to make some company-specific customizations to
the standard template.
As a minimum you need to:

l Configure the users or groups that can authorize requests that trigger messages.
l Assign users and groups to the high, medium and low flexibility workstyles.
l Populate the 'Block Blacklist Apps' application group with any applications that you want to block for all
users.
4.5 - Discovery
The Discovery policy contains Workstyles, Application Groups and Messages to allow the discovery of
applications that need administrative privileges to execute. This must be applied to administrator users and
includes a pre-configured exclusion group (false positives) maintained by Avecto.
This template policy contains the following configurations:
Workstyles
l Discovery Workstyle

22 of 133
Document v.1.0
Application Groups
l (Default Rule) Any Application
l (Default Rule) Any UAC Prompts
l Approved Standard User Apps
l Whitelisted Functions & Apps
Messages
Allow Message (Yes / No)
4.6 - Server Roles

The Server Roles policy contains Workstyles, Application Groups and Content Groups to manage different server
roles such as DHCP, DNS, IIS, and Print Servers.
This template policy contains the following elements:
Workstyles
l Server Role - Active Directory - Template
l Server Role - DHCP - Template
l Server Role - DNS - Template
l Server Role - File Services - Template
l Server Role - Hyper V - Template
l Server Role - IIS - Template
l Server Role - Print Services - Template
l Server Role - Windows General - Template
Application Groups
l Server Role - Active Directory - Server 2008R2
l Server Role - DHCP - Server 2008R2
l Server Role - DNS - Server 2008R2
l Server Role - File Services - Server 2008R2
l Server Role - General Tasks - Server 2008R2
l Server Role - Hyper V - Server 2008R2
l Server Role - IIS - Server 2008R2
l Server Role - Print Services - Server 2008R2
Content Groups
l AD Management
l Hosts Management
l IIS Management
l Printer Management
l Public Desktop

23 of 133
Document v.1.0
4.7 - Trusted App Protection (TAP)
The Trusted App Protection (TAP) policies contain Workstyles, Application Groups and Messages to offer an
additional layer of protection against malware for trusted business applications, safeguarding them from
exploitation attempts.
The TAP policies apply greater protection to key business applications including Microsoft Office, Adobe Reader
and web browsers, which are often exploited by malicious content. It works by preventing these applications from
launching unknown payloads and potentially risky applications such as PowerShell. It also offers protection by
preventing untrusted DLLs being loaded by these applications, another common malware technique.
In our research we discovered that malware attack chains commonly seek to drop and launch an executable or
abuse a native Windows application such as PowerShell. Using a TAP policy prevents these attacks and
compliments existing anti-malware technologies by preventing an attack from launching without relying on
detection or reputation.
The Trusted Application Protection policy you have chosen is inserted at the top of the workstyles so it is, by
default, the first workstyle to be evaluated. Once a workstyle action has been triggered, subsequent workstyles
aren't evaluated for that process.
Workstyles
l Trusted Application Protection - High Flexibility (depends on the TAP policy you have chosen)
l Trusted Application Protection - High Security (depends on the TAP policy you have chosen)
Application Groups
l Browsers
l Browsers - Trusted Exploitables
l Browsers - Untrusted child processes
l Content Handlers
l Content Handlers - Trusted Exploitables
l Content Handlers - Untrusted child processes
Content Handlers are used to hold content rather than executables.
Messages
l Block Message
4.7.1 - Trusted Application Protection Policies Summary

The TAP policies allow you to control the child processes which TAP applications can run.
There are two policies to choose from:

l High Flexibility
l High Security
You should choose the High Flexibility policy if you have users who need the ability to download and install/update
software. You should choose the High Security policy if your users don't need to download and install/update
software.

24 of 133
Document v.1.0
The High Security policy checks that all child processes either have a trusted publisher, a trusted owner, a source
URL, or an Avecto Zone Identifier tag whereas the High Flexibility policy only validates the immediate child
processes allowing a wider range installers to run1. If child processes don't have any of these four criteria, they are
blocked from execution. Known exploits are also blocked by both TAP policies, see Trusted Application
Protection Blacklist detailed on page 132 for more information.
Trusted Publisher
l A trusted publisher must be signed. In addition, the publisher certificate must be valid, in date and not
revoked.
Trusted Owner
l A trusted owner is any owner that is in the default Windows groups 'Administrators', 'SystemUser' or
'TrustedInstaller'.
SourceURL
l The source URL must be present. This is specific to browsers.
Avecto Zone Identifier tag

l The Avecto Zone Identifier tag must be present. This is applied when the browser applies an ADS (Alternate
Data Stream) tag. This is specific to browsers.
In addition, all processes on the blacklist are blocked irrespective of their publisher and owner. See Trusted
Application Protection Blacklist detailed on page 132 for a list of blacklisted processes.
The TAP policy template affects the following applications:

l Microsoft Word
l Microsoft Excel
l Microsoft PowerPoint
l Microsoft Publisher
l Adobe Reader 11 and lower
l Adobe Reader DC
l Microsoft Outlook
l Google Chrome
l Mozilla Firefox
l Microsoft Internet Explorer
l Microsoft Edge
TAP Applications and their child processes must match all the criteria within the definitions provided in the
Application Groups of the policy for the TAP policy to apply.
You can configure TAP process control by importing the TAP template. TAP also has Enterprise Reporting, see
Trusted Application Protection Reporting detailed on page 28.
1Installers that spawn additional child processes are blocked by the TAP (High Security) policy if those child processes
are using applications that are on the TAP blacklist, see Trusted Application Protection Blacklist detailed on page 132,
but would be allowed to run using the TAP (High Flexibility) policy.

25 of 133
Document v.1.0
4.7.2 - Trusted Application Protection Precedence
The TAP workstyle you choose is placed at the top of your list of workstyles when you import the policy template.
This is because it runs best as a priority rule. This ensures that child processes of TAP applications (policy
dependent) that do not have a trusted publisher, trusted owner, a source URL, or an Avecto Zone Identifier tag are
blocked from execution and that known exploits are blocked.
The Trusted Application Protection workstyle is the first to be evaluated by default. Once a workstyle action has
been triggered, subsequent workstyles aren't evaluated for that process.
4.7.3 - Modifying the Trusted Application Protection Policies

Both the TAP policies (High Flexibility and High Security) protect against a broad range of attack vectors. The
approaches listed here can be used in either TAP policy if you need to modify the TAP policy to address a specific
use case that is being blocked by a TAP policy.
The TAP (High Security) policy is, by design, more secure and less flexible as it blocks all child processes of a
Trusted Application that do not have a trusted owner, trusted publisher, source URL or Avecto Zone Identifier so it
is therefore more likely to require modification.
The TAP policy that you choose should be based on your business requirements and existing policy. If using a TAP
policy causes a legitimate use case to be blocked, there are some actions you can take to resolve this.
Change the Policy to Passive and Audit

You can change the TAP (High Security) policy Application Rules Action to 'Allow Execution' and change the
Access Token to 'Passive (No Change)'. Ensure Raise an Event is set to 'On' and click OK.
Changing the TAP policy to 'Allow Execution' effectively disables it. You will not get any protection from a
TAP policy if you make this change.

26 of 133
Document v.1.0
If you make this change for the four Application Rules in the TAP (High Security) policy, TAP programs will be able
to execute as if the TAP (High Security) policy wasn't applied but you can see what events are being triggered by
TAP and make policy adjustments accordingly.
The event details include information on the Application Group and TAP application. This allows you to gather
details to understand if it's a legitimate use case. You can perform some actions to incorporate the legitimate use
case into the TAP (High Security) policy.
l Use the High Flexibility Policy detailed below

l Edit the Matching Criteria detailed below
l Edit the Trusted Exploitable List detailed on the next page
l Remove Application from Trusted Application Group detailed on the next page
l Create an Allow Rule detailed on the next page
Use the High Flexibility Policy
Both the TAP policies offer additional protection against a wide range of attack vectors. If you are using the TAP
(High Security) policy you can change to the TAP (High Flexibility) policy. This is useful if you have a use case
where additional child processes of TAP applications are being blocked by the TAP (High Security) policy.
Edit the Matching Criteria
If your legitimate use case is running a specific command that is detailed in the event you can add this to the
matching criteria of the Application that's being blocked. You can use the standard Defendpoint matching criteria
such as 'Exact Match' or 'Regular Expressions'.
Example
Webex uses an extension from Google Chrome. Avecto have catered for this in the policy using matching criteria.
This criteria says:

If the Parent Process matches the (TAP) High Security - Browsers application group for any parent in the tree.
and
The Product Description contains the string 'Windows Command Processor'
and
The Command Line does NOT contain '\\.\pipe\chrome.nativeMessaging'

27 of 133
Document v.1.0
The TAP policy (High Security) will block the process.
Edit the Trusted Exploitable List
If your legitimate use case is using an application that is listed on either the 'Browsers - Trusted Exploitables' or the
'Content Handlers - Trusted Exploitables' list, you can remove it.
If you remove it from either list, any browsers or content that use that trusted exploitable to run malicious content
won't be stopped by the TAP (High Security) policy.
Remove Application from Trusted Application Group
You can remove the application that is listed in the Trusted Browsers or Trusted Content Handlers groups from the
list. This will mean that application no longer benefits from the protection offered by either of the TAP policies.
Create an Allow Rule
You can also add a Defendpoint Allow Rule and place it higher in the precedence order than the TAP (High
Security) policy. This will allow your use case to run but, it also overrides any subsequent rules that apply to that
application so it should be used with caution.
4.7.4 - Trusted Application Protection Reporting

Trusted Application Protection (TAP) is reported in Enterprise Reporting. You can use the top level TAP dashboard
to view the TAP incidents over the time period, split by type of TAP application. In the same dashboard you can
also see the number of incidents, targets, users and hosts for each TAP application.

28 of 133
Document v.1.0
Chapter 5 - Workstyles
Defendpoint makes use of workstyles, which are used to assign application rules for a specific user, or group of
users. Workstyles are automatically created for you when you use the workstyle wizard, and can also be created
manually. The workstyle wizard will also create auto-generated application rules depending on the type of
workstyle you choose to create.
5.1 - Workstyle Wizard

The workstyle wizard guides you through the process of creating a Defendpoint workstyle. The options you select
determine the function of the workstyle.
Workstyle type
The first choice to make is the type of workstyle you want to create. There are two types of workstyle that can be
created in Defendpoint:
l Controlling workstyle – allows you to apply rules for access to privileges and applications.
l Blank workstyle – allows you to create an empty workstyle without any predefined elements.
Filtering
The next choice only applies to a controlling workstyle. Choose which users the workstyle will be
applied to:
l Standard users only
l Everyone, including administrators
The default choice is Standard users only. Additional Account Filters can be added to the workstyle after it has
been created. For more information on filtering, see Filtering Workstyles detailed on page 34.

29 of 133
Document v.1.0
5.2 - Creating Workstyles
To create a workstyle:
2. Expand the Windows node.
3. Right-click the Workstyles node and then click Create Workstyle. The workstyle wizard appears.
4. Select a workstyle Type:
l Controlling – allows you to apply controls for access to applications and privileges.
l Blank – allows you to create an empty workstyle without any predefined elements.
5. Click Next.
6. Select a filter for the new workstyle. The default choice is Standard users only. If you want to apply the
new workstyle to all users (including administrators), select Everyone, including Administrators.
7. Select one or both Defendpoint capabilities and click Next.
8. The workstyle wizard will display pages appropriate to the Defendpoint capabilities you selected in Step 7.
Complete the pages relevant to the workstyle type and any capabilities you have selected.
9. On the final page of the workstyle wizard provide a Name and a Description for the workstyle. If the
workstyle has been configured to use a Challenge - Response message you will be asked to enter a
shared key. See Challenge / Response Authorization detailed on page 68.
10. Select whether you would like to activate the workstyle now.
11. Click Finish to create the workstyle and exit the wizard.
Depending on the type of workstyle you created, Defendpoint will auto-generate certain groups and rules,
messages and filters. These auto-generated elements are appropriate to the options that are selected in the
workstyle wizard.
5.2.1 - Disabling / Enabling Workstyles

When a workstyle is disabled, the settings will remain, but the workstyle is ignored.
To disable a workstyle:
1. Select the workstyle (in the tree pane or details pane).

2. Right-click the workstyle and then click Disable Workstyle.
To enable a workstyle (that is currently disabled):
1. Select the workstyle (in the tree pane or details pane).

2. Right-click the workstyle and then click Enable Workstyle.
5.2.2 - Configuring Sandboxing Settings

Sandboxing settings are always available for you to configure if your policy has sandboxing in it. If you would like to
configure sandboxing for your policy but it doesn't yet contain sandboxing, please follow these instructions.
To configure sandboxing settings in your Defendpoint policy:

1. Right-click on the Windows node and click Advanced Policy Editor Settings. The Advanced Policy
Editor Settings dialog box appears.
2. Click the Show Sandboxing Settings check box. This allows you to subsequently configure sandboxing in
Defendpoint.

30 of 133
Document v.1.0
All of the sandboxing settings, such as URL groups, are now visible in the interface. Features relating to
Sandboxing are documented in the Sandboxing Guide for ease of use.
5.2.3 - Workstyle Precedence

If you create multiple workstyles, then those that are higher in the list will have a higher precedence. Once an
application matches a workstyle, no further workstyles will be processed for that application, so it is important that
you order your workstyles correctly if an application could match more than one workstyle.
To give a workstyle a higher precedence:

1. Right-click the workstyle and then select Move Up.
2. Repeat step 2 until you have the workstyle positioned appropriately.
To give a workstyle a lower precedence, follow the procedure above, but click Move Down. You can also click
Move Top or Move Bottom to move a rule to the top or bottom of the list.
5.3 - TAP DLL Control Summary

Defendpoint can dynamically evaluate DLLs for trusted applications for each workstyle. The first workstyle to have
DLL Control 'Enabled' or 'Disabled' causes any configuration of DLL Control in subsequent workstyles to be
ignored.
Unless a DLL has a trusted publisher and a trusted owner, it is not allowed to run within the TAP application.
Trusted Publisher
l A trusted publisher must be signed. In addition, the publisher certificate must be valid, in date and not
revoked.
Trusted Owner
l A trusted owner is any owner that is in the default Windows groups 'Administrators', 'SystemUser' or
'TrustedInstaller'.
TAP DLL control affects the following applications:

l Microsoft Word
l Microsoft Excel
l Microsoft PowerPoint
l Microsoft Publisher
l Adobe Reader 11 and lower
l Adobe Reader DC
l Microsoft Outlook
l Google Chrome
l Mozilla Firefox
l Microsoft Internet Explorer
l Microsoft Edge
5.3.1 - Configuring Trusted Application Protection DLL Control

You can turn on the monitoring of DLLs for TAP applications in any workstyle. However, the first workstyle to have
DLL Control 'Enabled' or 'Disabled' causes any configuration of DLL Control in subsequent workstyles to be
ignored.

31 of 133
Document v.1.0
1. Go to the Overview tab for the workstyle where you want to enable TAP DLL control and click Not
configured in this workstyle, click to enable.

32 of 133
Document v.1.0
2. You can configure DLL control for TAP applications in this dialog. You can also configure exclusions if there
are DLLs that don't have a trusted owner or a trusted publisher, but you still want them to be able to run with
DLL control enabled.
You can also exclude folder locations and environment variables in the Configure Exclusions dialog.
3. Click OK on the Configure Exclusions dialog if you configured any otherwise click OK to finish setting up
DLL control for TAP applications in your workstyle.

33 of 133
Document v.1.0
Third party applications may give error messages that aren't immediately clear to the end-user when a DLL is
correctly blocked from running in a TAP application.
5.4 - Filtering Workstyles

The Filters tab of a workstyle can be used to further refine when a workstyle will actually be applied.
By default, a workstyle will apply to all users/computers who receive it. However, you can add one or more filters
that will restrict the application of the workstyle:
l Account Filter – This filter restricts the workstyle to specific users or groups of users.
l Computer Filter – This filter will restrict the workstyle to specific computers (names or IP addresses), or
Remote Desktop clients.
l Time Filter – This filter will restrict the workstyle to being applied at particular days of the week and times of
the day.
l Expiry Filter – This filter will expire a workstyle at a set date and time.
l WMI Filter – This filter will restrict the workstyle based on the success or failure of a WMI query.
If you want the workstyle to apply only if all filters match, select the option ALL filters must match from the drop-
down menu. If you want the workstyle to apply when any filter matches, select the option ANY filter can match
from the drop-down menu.
Filters can also be configured to apply if there are no matches. This is referred to as an ‘exclude’ filter. To set an
exclude filter, right-click the filter and check the option Apply this filter if it does NOT match. (This does not
apply to Time and Expiry filters.)
Time filters and Expiry filters can only be used once in a workstyle.
5.4.1 - Account Filters

Account filters specify the users and groups the workstyle will be applied to.
When a new workstyle is created, a default account filter will be added to target either Standard users only,
or Everyone (including administrators), depending on your selection in the workstyle wizard.
To restrict a workstyle to specific groups or users:
1. On the Filter tab click Add a filter.

2. Click Add an Account Filter.
3. Click Add a new account.
4. The Select Users or Groups dialog box appears.
5. Enter the relevant group or user accounts and click Check Names to validate the names or alternatively
click Advanced to browse for groups and users.
6. Click OK.
Domain and well known accounts will display a Security Identifier (SID). The SID will be used by the Defendpoint
Client, which will avoid account lookup operations. For local accounts the name will be used by the Defendpoint

34 of 133
Document v.1.0
Client, and the SID will be looked up when the workstyle is loaded by the client. Local Account will appear in the
SID column of the accounts list for local accounts.
By default, an account filter will apply if any of the user or group accounts in the list match the user. If you have
specified multiple user and group accounts within one account filter, and want to apply the workstyle only if all
entries in the account filter match, then check the option All items below should match.
You can add more than one account filter if you want the user to be a member of more than one group of accounts
for the workstyle to be applied.
If an account filter is added, but no user or group accounts are specified, a warning will be displayed advising No
accounts added, and the account filter will be ignored.
If All items below should match is enabled, and you have more than one user account listed, the
workstyle will never apply as the user cannot match two different user accounts.
5.4.2 - Computer Filters

A computer filter can be used to target specific computers and remote desktop clients. You can specify a computer
using either its host / DNS name, or by an IP address.
To restrict the workstyle to specific computers by hostname:
1. Select the Filters tab and click Add a Filter.

2. Click Add a Computer Filter.
3. Click Add a new hostname rule.
4. The Add hostname rule dialog box appears.
5. Enter one or more hostnames, separated by semicolons, or alternatively browse for one or more computers.
You can use the * and ? wildcard characters in hostnames.
6. Click Add.
7. If the computer filter is intended for matching the hostname of remote computers using remote desktop
sessions, check the option Match the remote desktop (instead of the local computer).
8. By default, a computer filter will apply if any of the computers or IP Addresses in the list match the computer
or client. If you have specified multiple entries, and want to apply the workstyle only if ALL entries in the
computer filter match, then check the option All items below should match.
If a computer filter is added, but no host names or IP addresses are specified, a warning will be displayed advising
No rules added, and the computer filter will be ignored.

35 of 133
Document v.1.0
To restrict the workstyle to specific computers by IP address:
1. Select the Filters tab and click Add a new filter.

2. Click Add a Computer Filter.
3. Click Add a new IP rule.
4. The Add IP rule dialog box appears.
5. Enter the IP address manually, in the format 123.123.123.123.
6. Click Add.
7. If the computer filter is intended for matching the IP address of remote computers using remote desktop
sessions, check the option Match the remote desktop (instead of the local computer)
You can also use the wildcard * in any octet to include all addresses in that octet range, for example
192.168.*.*. Alternatively, you can specify a particular range for any octet, for example 192.168.0.0-254.
Wildcards and ranges can be used in the same IP Address, but not in the same octet.
5.4.3 - Time Range Filters

A time range filter can specify the hours of a day, and days of week that a workstyle will be applied.
To restrict a workstyle to a specific date / time period of activity:

2. Click on Add a Time Filter.
3. Click Edit time restrictions.
4. The Time Restrictions dialog box appears.
5. Select Active and Inactive times in the time grid by either selecting individual elements or dragging over
areas with the left mouse button held down.
6. Click OK.
Only one time filter can be added to a workstyle.
The time filter is applied based on the user’s timezone by default. Clear the Use timezone of user for time
restrictions (otherwise use UTC) check box to use UTC for the timezone.

36 of 133
Document v.1.0
5.4.4 - Expiry Filters
An expiry filter specifies an expiry date / time for a workstyle.
To restrict a workstyle to an expiry date and time:

2. Click on Add an Expiry Filter.
3. Set the date and time that you want the workstyle to expire.
Only one expiry filter can be added to a workstyle.
The expiry time is applied based on the user’s timezone by default. Clear the Use timezone of user for workstyle
expiry (otherwise use UTC) check box to use UTC for the timezone.
5.4.5 - WMI (Windows Management Information) Filters

A WMI filter specifies if a workstyle should be applied, based on the outcome of a WMI query.
The filter allows you to specify the following:
l Description – Free text to describe the WMI query.

l Namespace – Set the namespace that the query will execute against. By default, this is root\CIMV2.
l Query – The WMI Query Language (WQL) statement to execute.
l Timeout – The time (in seconds) the client will wait for a response before terminating the query. By default,
no timeout is specified.
Long running WMI queries will result in delayed application launches. Therefore it is recommended that a
timeout is specified to ensure that queries are terminated in a timely manner.
When a WMI query is executed, the client will check if any rows of data are returned. If any data is returned, then
the WMI query will be successful. If no data is returned or an error is detected in the execution, the WMI query will
be unsuccessful.
It is possible for many rows of data to be returned from a WMI query, in which case you can create more complex
WQL statements using WHERE clauses. The more clauses you add to your statement, the fewer rows are likely to
return, and the more specific your WMI query will be.
The WMI filter includes several default templates for common WMI queries. To add a new WMI query from a
template, click Add a WMI template and use the instant search box to quickly find a template.
WQL statements can include parameterized values which allow you to execute queries including select user,
computer and Defendpoint properties. To use parameters, see Workstyle Parameters detailed on page 123.
WMI queries are always run as SYSTEM, and cannot be executed against remote computers or network
resources. WMI filters do not support impersonation levels, and can only be used with SELECT queries.

37 of 133
Document v.1.0
By default, a WMI filter will apply if any of the WMI queries in the list return true. If you have specified multiple WMI
queries, and want to apply the workstyle only if ALL queries return true, then check the option All items below
should match.
If a WMI filter is added, but no WMI queries are specified, a warning will be displayed advising No queries added,
and the WMI filter will be ignored.

38 of 133
Document v.1.0
Chapter 6 - Managing Applications
Application groups are used to define logical groupings of applications.
Application groups are assigned to workstyles, so you must define application groups for all of the applications you
want to assign to a workstyle.
6.1 - Hiding and Showing Application Groups

Some application groups are hidden by default, for example application groups prefixed by '(Default)' in the
QuickStart Policy. You can show or hide application groups in Defendpoint.
To hide an application group:

1. Right-click on the application group and select Properties.
2. Select the Hidden check box and click OK. This application group will now be hidden from the Application
Group node.
To show hidden application groups:

1. Right-click on the Defendpoint Settings node and click Show Hidden Groups. This toggles the display of
hidden application groups. If you need to show previously hidden application groups you can follow these
steps:
a. Right-click on the application group and select Properties.
b. Clear the Hidden check box and click OK. This application group will now be displayed in the
Application Group node.
6.2 - Creating Application Groups

To create an application group:
1. Expand the Windows node.

2. Right-click the Application Groups node and then click New Application Group.
3. A new application group will be created (Application Group 1). You can rename the group by double-
clicking on the group name. You can now add applications to the application group.
Application Group Description
You can set a description for an application group by accessing the application group properties:
1. Right-click the Application Group and then click Properties.

2. Set the Description in the Properties dialog box.
3. Click OK.
6.3 - Inserting Executables and Scripts

To insert any type of application:
1. Select the relevant application group.

2. Right-click in the details pane to access the context menu.

39 of 133
Document v.1.0
3. Select Insert Application and then select the application type you want to add from the sub-menu.
4. After selecting an application type to insert, the Insert Application wizard appears.
5. Enter a file or folder name for the application or use the Browse File, Browse Folder or Template buttons.
For more information about application templates see Inserting Applications from Templates detailed on
page 47. Click Next.
6. Enter a description for the application (the description will automatically be extracted from the file you
entered, if it has a description). Click Next.
7. Configure the Application Definitions for the application. For information about application definitions see
below. Click Next.
8. Configure the Advanced Options for the application (see Advanced Options detailed on page 46). Click
Finish.
It's important to select a file for the application type you have chosen, otherwise it will fail to match when the
Defendpoint Client processes the application group.
For executable and control panel applets the description will automatically be extracted from the file (if it has a
description). You can change the description.
The Insert Application wizard provides various target application definitions. The Defendpoint Client must match
every definition you configure before it will trigger a match (the rules are combined with a logical AND). The
following definitions are available:
l AppID
l Application Requires Elevation (UAC)
l Drive
l File or Folder Name
l File Hash
l File Version
l Parent Process
l Product Code
l Product Description
l Product Name
l Product Version
l Publisher
l Service Action
l Service Name
l Service Display Name
l Source URL
l Trusted Ownership
l Upgrade Code

40 of 133
Document v.1.0
6.4 - Inserting ActiveX Controls
Unlike other application types, Defendpoint only manages the privileges for the installation of ActiveX controls.
ActiveX controls usually require administrative rights to install, but once installed they will run with the standard
privileges of the web browser.
To insert an ActiveX control:

2. Right-click the applications list in the details pane to access the context menu.
3. Select Insert Application and then select ActiveX Control from the sub-menu.
4. After selecting an application type to insert, the Insert Application wizard appears.
5. Enter a URL for the ActiveX control, or click Template to add a pre-configured application definition. Click
Next.
6. Enter a description for the ActiveX control. Click Next.
7. Configure the definitions (detailed below) for the ActiveX control (by default the Match ActiveX Codebase
rule will be selected). Click Next.
8. Configure the Advanced Options for the ActiveX control (see Advanced Options detailed on page 46).
Click Finish.
every definition you configure before it triggers match (the rules are combined with a logical AND). The following
definitions are available:
l ActiveX Codebase
l ActiveX Version
l CLSID
6.5 - Inserting Installer Packages

Defendpoint allows standard users to install Windows Installer packages that would normally require local admin
rights. Defendpoint supports the following package types:
l Microsoft Software Installers (MSI)

l Microsoft Software Updates (MSU)
l Microsoft Software Patches (MSP)
When a Windows Installer package is added to an application group, and assigned to an application rule or on-
demand application rule, the action will be applied to the installation of the file using Add/Remove Programs,
Programs and Features, or, in Windows 10, Apps and Features.
The publisher property of an MSx file may sometimes differ to the publisher property once installed in
Programs and Features. It is recommended that applications targeted using the Match Publisher validation
rule and tested prior to deployment using the Defendpoint Activity Viewer.
Installer packages typically create child processes as part of the overall installation process. Therefore it is
recommended that when elevating MSI, MSU or MSP packages, that the advanced option Allow child processes
will match this application definition is enabled.

41 of 133
Document v.1.0
If you want to apply more granular control over Installer packages and their child processes, use the Child
Process validation rule to whitelist or blacklist those processes that will / will not inherit privileges from the
parent software installation.
To insert an Installer package:

2. Right-click in the Application Group area and select Insert Application > Installer Package from the sub-
menu.
3. Enter a File or Folder name and click Next.
4. Enter a Description and click Next to configure the Application Definition(s) for the application. By default
the Match File or Folder Name rule will be selected. See Target Definitions detailed on page 111.
5. Configure the Advanced Options for the application. See Advanced Options detailed on page 46 and
click OK.
l Application Requires Elevation (UAC) detailed on page 112

l Command Line detailed on page 113
l Drive detailed on page 113
l File or Folder Name detailed on page 114
l File Hash (SHA-1 fingerprint) detailed on page 114
l Parent Process detailed on page 114
l Product Code detailed on page 115
l Product Name detailed on page 115
l Product Version detailed on page 115
l Publisher detailed on page 115
l Upgrade Code detailed on page 117
l Trusted Ownership detailed on page 117
l Source URL detailed on page 116

42 of 133
Document v.1.0
6.6 - Inserting Uninstaller (msi or exe)
Defendpoint allows standard users to uninstall Microsoft Software Installers (MSIs) and Executables (EXEs) that
would normally require local admin rights.
When the Any Uninstaller application type is added to an application group and assigned to an application rule in
the Defendpoint policy, the end user can uninstall applications using Programs and Features or, in Windows 10,
Apps and Features.
The Uninstaller Application Type allows you to uninstall any EXE or MSI when it is associated with an Application
Rule. As the process of uninstalling a file requires admin rights you need to ensure that when you target the
Application Group in the Application Rules you set the Access Token to 'Add Admin Rights'.
The Uninstaller type must be associated with an Application Rule. It does not apply to On-Demand
Application Rules.
You cannot use the 'Uninstaller' Application Type to uninstall the Avecto Defendpoint Client or the Avecto iC3
Adapter using Defendpoint irrespective of your user rights. Defendpoint's anti-tamper mechanism prevents users
from uninstalling Defendpoint, and the uninstall will fail with an error message.
If you want to allow users to uninstall either the Avecto Defendpoint Client or the Avecto iC3 Adapter
you can do this by either:
l Logging in as a full administrator
l Elevating the Programs and Features control panel (or other controlling application) using a 'Custom'
Access Token that has anti-tamper disabled, see Anti-Tamper Protection detailed on page 74 for more
information.
To insert an Installer package:

2. Right-click in the Application Group area and select Insert Application > Uninstaller (msi or exe) from
the sub-menu.
3. Enter a description for the Uninstaller (msi or exe) and click Next.
4. Click Next on the Application Definition. The Advanced Options are selected by default. You cannot
modify the matching criteria.
5. The Advanced Options are selected by default. Click Finish.
6.7 - Inserting COM Classes

COM elevations are a form of elevation which are typically initiated from Explorer, when an integrated task requires
administrator rights. Explorer will use COM to launch the task with admin rights, without having to elevate Explorer.
Every COM class has a unique identifier, called a CLSID, used to launch the task.
Normally, when a user clicks on a COM task in Explorer it will trigger a UAC prompt that requires access to an
administrator account to proceed.
Defendpoint allows you to target specific COM CLSIDs and assign privileges to the task without granting full
admin rights to the user. COM based UAC prompts can also be targeted and replaced with custom messaging,
where COM classes can be whitelisted and/or audited.

43 of 133
Document v.1.0
To insert a COM Class:
3. Select Insert Application and then select COM Class. The Insert Application wizard appears.
4. Enter a COM CLSID or use the Browse Class or Template buttons. Click Next.
5. Enter a description for the COM Class (the description will automatically be extracted from the class you
entered, if it has a description). Click Next.
6. Configure the Application Rules for the class (by default the Match CLSID rule will be selected). Click
Next.
7. Configure the Advanced Options for the application (see Advanced Options detailed on page 46). Click
Finish.
every definition you configure before it will trigger a match (the rules are combined with a logical AND).
COM classes are hosted by a COM server DLL or EXE, so COM classes can be validated from properties of the
hosting COM server. The following validation options can be used to validate the COM server:
l Application Requires Elevation (UAC) detailed on page 112

l AppId detailed on page 112
l CLSID detailed on page 112
l COM Display Name detailed on page 113
l File Version detailed on page 114
l Product Description detailed on page 115
l Trusted Ownership detailed on page 117
l Source URL detailed on page 116
Match if Application Requires Elevation (User Account Control) is always enabled, as COM classes require
UAC to elevate

44 of 133
Document v.1.0
6.8 - Inserting Windows Store Applications
The Windows Store application type allows the installation and execution of Windows Store applications on
Windows 8 and later to be whitelisted, so that users are prevented from installing or using unknown/unauthorized
applications within the Windows Store.
To insert an application:

3. Select Insert Application and then click Windows Store Application from the sub-menu. The Insert
Windows Store Application wizard appears.
4. Enter a Package Name for the Windows Store application, use the Browse File button to browse for an
.appx package on the local machine, click Browse Apps to select from a list of Windows Store applications
installed on the local computer, or click Template to add a pre-configured Windows Store application
definition.
5. Click Next.
6. Enter a description for the Windows Store application (a description will automatically be added based on
how the Windows Store application was added in the previous step).
7. Configure the definitions (detailed below) for the Windows Store application.
8. Click Finish.
l Windows Store Application Version detailed on page 117

l Windows Store Package Name detailed on page 117
l Windows Store Publisher detailed on page 118
6.9 - Inserting Windows Services

The Windows service type allows individual service operations to be whitelisted, so that standard users are able to
start, stop and configure services without the need to elevate tools such as the Service Control Manager.
To insert a service:
3. Select Insert Application and then select Windows Service from the sub-menu. The Insert Service
wizard appears.
4. Enter a Service Name for the Windows service, or use the Browse Service button to browse the services
present on the local computer. Click Next.
5. Enter a description for the Windows service (a description will automatically be added based on how the
service was added in the previous step).
6. Configure the definitions (detailed below) for the Windows service.
7. Click Finish.

45 of 133
Document v.1.0

l File Version detailed on page 114
l Product Description detailed on page 115
l Service Action detailed on page 116
l Service Name detailed on page 116
l Service Display Name detailed on page 116
6.10 - Advanced Options

l Allow child processes will match this application definition – If this check box is selected then any
child processes that are launched from this application (or its children) will also match this rule. The rules are
still processed in order, so it’s still possible for a child process to match a higher precedence rule (or
workstyle) first. Therefore, this option will prevent a child process from matching a lower precedence rule. It
should also be noted that if an application is launched via an on-demand rule and this option is selected, then
its children will be processed against the on-demand rules, and not the application rules. If this option is not
selected then the children will be processed against the application rules in the normal way. You can further
refine this option by restricting the child processes to a specific application group. The default is to match
<Any Application>, which will match any child process.
If you want to exclude specific processes from matching this rule, then click ‘…match…’ to toggle the rule to
‘…does not match…’.
Child processes are evaluated in the context that the parent was executed. For example, if the parent was
executed through on-demand shell elevation, then the Defendpoint Client will first attempt to match on-
demand application rules for any children of the executed application.
l Force standard user rights on File Open/Save common dialogs – If the application allows a user to
open or save files using the common Windows open/save dialog box then selecting this option will ensure
that the user does not have admin privileges within these dialog boxes. These dialog boxes have Explorer
like features, and allow a user to rename, delete or overwrite files. If an application is running with elevated
rights then the open/save dialog boxes would allow a user to replace protected system files. By default,
Defendpoint will force these dialog boxes to run with the user’s standard rights, which will prevent the user
from tampering with protected system files.

46 of 133
Document v.1.0
6.11 - Inserting Applications from Templates
Application templates provide a simple way to pick from a list of known applications. A standard set of templates
are provided that cover basic administrative tasks for all supported operating systems, common ActiveX controls,
software updaters and Avecto utilities.
To insert an application template:

3. Select Insert Application and then select Application Template from the sub-menu.
4. The Application Template dialog box appears.
5. Use the search box to locate a specific application template or scroll through the available templates.
6. Select one or more application templates (using the Ctrl key).
7. Click OK to add the selected application templates to the application group.
Application templates can also be added from within the Insert Application wizard, by clicking Template. When
you launch an application template from the Insert Application wizard, the template browser only shows the
templates that are for the type of application you are inserting. For more information, see Application Templates
detailed on page 130.
6.12 - Inserting an Application from a Running Process

You can insert an application from a running process.
To insert an application from a running process:

3. Select Insert Application and then select the Running Process from the sub-menu.
4. The Running Process dialog box appears.
5. Select Show processes from all users if you want to select a process from another user’s session.
6. Select the relevant process from the list. Click OK.

47 of 133
Document v.1.0
6.13 - Inserting Applications from Events
The Event Import wizard allows you to search from within any Defendpoint event source, and create application
definitions based on the properties collected by an audit event. The wizard provides a simple and convenient way
to find specific applications based on any or all of the following search criteria:
l Event Source –Where the event has been collected (Local or remote Eventlog, Forwarded Eventlog, or
Enterprise reporting Pack database).
l Event Type – The type of event you are interested in. Choose either: Any application, or choose from one
of the following:
l Applications that performed privileged operations
l Applications that triggered UAC
l Applications that were blocked
l Applications that were launched via the Shell Menu
l Timeframe –The period of time to search for applications. Choose from one of the following:
l From – Pick a range starting from a predefined time period. From here you can also choose
Anytime, to include all events.
l Specific period – Pick an optional From and To date to include events collected during that period
of time.
Once the search criteria has been entered, the wizard will return a list of unique applications that were audited,
matching the criteria you specified. From here you can browse the list (which is grouped by Publisher), or to find a
particular application you can type into the Search publisher \ Description field to instantly filter the list based on the
text you enter.
Applications that are already members of the application group will be highlighted and displayed with a ü.
Once you have found an application or applications, select (or multi-select by holding down the Control or Shift
key while selecting) and then click OK to create new application definitions from your selection.
Once the definitions have been created, you can edit the definition and modify the matching criteria. All matching
criteria will be pre-populated with values collected from the application.
A unique application is based on the product description of the application. So if two or more audited
applications share the same product description, they will be displayed as a single application.

48 of 133
Document v.1.0
6.14 - Inserting Applications from an Event Log
To insert an application from an event log:
3. Select Insert Application and then select Events from the sub-menu. The Event Import wizard appears.
4. Select Event Log and click Next.
5. Select Local Computer to search the local event log, or to browse a remote computer select Remote
Computer and enter the computer name. Click Browse to browse for a computer.
6. Select the event log to browse by choosing Application Event Log or Forwarded Event Log from the
drop-down menu. Click Next.
7. Select an application type by selecting Specific applications and picking a type from the drop-down menu,
or select Any application. Click Next.
8. Select a time period by selecting From and choosing a predefined time period from the drop-down menu.
Alternatively select a Specific period and using the From and To calendars choose the time frame you
want to get details from. Click Next.
9. Scroll through the list and select the application(s) you wish to add, or enter text into the instant search box.
Once you have selected your application(s), click OK to close the wizard and create your new application
definitions.
The Event Import wizard supports the import of events from exported EventLog files (.evtx). To import from
a file, choose Remote Computer and then enter the full path to the file in the computer name field.
6.15 - Inserting Applications from Enterprise Reporting

To insert an application from the Enterprise Reporting database:
3. Select Insert Application and then select Events from the sub-menu. The Event Import wizard appears.
4. Select Avecto database and click Next.
5. Enter the name of the SQL Server instance into Server / Instance.
6. Enter the name of the database into Database Name. A default installation of Enterprise Reporting will
name the database AvectoReporting.
7. Enter the user name and password to access the database into User and Password. Click Next.
8. Select an application type by selecting Specific applications and picking a type from the drop-down menu,
or select Any application. Click Next.
9. Select a time period by selecting Specific period, or select a predefined time period by clicking From.
Click Next.
10. Scroll through the list and select the application(s) you wish to add, or enter text into the instant search box.
Once you have selected your application(s), click OK to close the wizard and create your new application
definitions.
The Event Import wizard supports importing events from a McAfee ePolicy Orchestrator database. To
import from McAfee ePO, enter the SQL Server details of a McAfee ePO database.

49 of 133
Document v.1.0
Chapter 7 - Remote PowerShell
Management
Defendpoint allows you to elevate individual PowerShell scripts and commands which are executed from a remote
machine. This eliminates the need for users to be logged on with an account which has local admin rights on the
target computer. Instead, elevated privileges are assigned to specific commands and scripts which are defined in
application groups, and applied via a workstyle.
PowerShell scripts and commands can be whitelisted to block the use of unauthorized scripts, commands and
cmdlets. Granular auditing of all remote PowerShell activity provides an accurate audit trail of remote activity.
PowerShell definitions for scripts and commands are treated as separate application types, which allows you to
differentiate between pre-defined scripts authorized by IT, and session based ad hoc commands.
In order to allow standard users to connect to a remote computer via Windows Remote Management, or WinRM (a
privilege normally reserved for local administrator accounts), it is necessary to enable the General rule Enable
Windows Remote Management Connections. This rule grants standard users who match the Defendpoint
workstyle the ability to connect via WinRM, and can be targeted to specific users, groups of users, or computers
using workstyle filters.
7.1 - End User Messaging

Defendpoint end user messaging includes limited support for remote PowerShell sessions; block messages can be
assigned to workstyle rules which block remote PowerShell scripts and commands. If a block message is
assigned to a workstyle which blocks a script or command, then the body message text of an assigned message
will be displayed in the remote console session as an error.
7.2 - Remote PowerShell Scripts

From within a remote PowerShell session, a script (.PS1) can be executed from a remote computer against a target
computer. Normally this would require local administrator privileges on the target computer, with little control over
the scripts that are executed, or the actions that the script performs. For example:
Invoke-Command -ComputerName RemoteServer -FilePath c:\script.ps1 –Credential xxx
Defendpoint allows you to target specific PowerShell scripts and assign privileges to the script without granting
local admin rights to the user. Scripts can also be blocked if they are not authorized or whitelisted. All remote
PowerShell scripts executed are fully audited for visibility.
When running a remote PowerShell script you must use the Invoke-Command cmdlet. Defendpoint will not
be able to target PowerShell scripts that are executed from within a remote PowerShell session. Remote
PowerShell scripts must be matched by either a SHA-1 File Hash, or a Publisher (if the script has been
digitally signed).

50 of 133
Document v.1.0
To insert a PowerShell script:
2. Right-click in the applications list in the details pane to access the context menu.
3. Select Insert Application and then select Remote PowerShell Script from the sub-menu. The Insert
Application wizard appears.
4. Enter the path to the PowerShell Script, or use the Browse File button to browse for a PowerShell Script. If
you wish to target any PowerShell script, leave the Select reference script file box empty. Click Next.
5. Enter a description for the PowerShell Script. Click Next.
6. Configure the definitions (detailed below) for the PowerShell Script (by default the Publisher rule will be
selected). Click Next.
7. Click Finish.

PowerShell scripts that contain only a single line will be interpreted and matched as a command, and will fail
to match a PowerShell script definition. It is therefore recommended that PowerShell scripts contain at least
two lines of commands to ensure they are correctly matched as a script. This cannot be achieved by adding
a comment to the script.
7.3 - Remote PowerShell Commands

From within a remote PowerShell session, a user can execute arbitrary commands from a remote computer against
a target computer using cmdlets. Normally this would require local administrator privileges on the target computer,
with little control over the commands that are executed, or the cmdlets that are used. For example:
Get-service -Name *time* | restart-Service –PassThru
Defendpoint allows you to target specific command strings and assign privileges to the command without granting
local admin rights to the user. Commands can also be blocked if they are not authorized or whitelisted. All remote
PowerShell commands are fully audited for visibility.
To insert a PowerShell command:

2. Right-click in the applications list in the details pane to access the context menu.
3. Select Insert Application and then select Remote PowerShell Command from the sub-menu. The Insert
Application wizard appears.
4. Enter the command, or if you want to browse for a list of Cmdlets registered on the local computer to help
enter the command string, click Browse Cmdlets . If you want to target any PowerShell command, leave
the Command box empty. Click Next.
5. Enter a description for the PowerShell command. Click Next.
6. Configure the definitions (detailed below) for the PowerShell command. Click Next.
7. Click Finish.

51 of 133
Document v.1.0
PowerShell removes double quotes from command strings prior to them being transmitted to the target.
Therefore it is not recommended that Command Line definitions include double quotes, as they will fail to
match the command.

52 of 133
Document v.1.0
Chapter 8 - Application Rules
Application rules can be created and edited from a workstyle’s Application Rules tab. If you have a blank
workstyle you can create rules from the workstyle Overview tab.
The Application Rules tab can be used to enforce rules for whitelisting, monitoring and assigning privileges to
groups of applications.
Each rule has a number of elements:
Rule
l Application Group – The application group that the rule is associated with.
l Action – The action that is taken once the rule has been matched.
l End User Message – The message or notification that is displayed to the user when this rule is matched.
l Access Token – Dictates the permissions that are applied to the targeted application. See
https://msdn.microsoft.com/en-gb/library/windows/desktop/aa374909(v=vs.85).aspx
Auditing
l Raise an Event – An event will be logged to the client’s local event log file.
l Run a Script – Allows the creation of script based reports. See Auditing with Custom Scripts detailed on
page 98.
l Privilege Monitoring – Used to monitor and identify which processes are using or require privilege rights.
8.1 - Inserting an Application Rule

To insert an application rule:
1. Select the relevant workstyle in the tree pane.
2. Select the Application Rules tab in the details pane.
3. Right-click in the Application Rules tab and click Insert Application Rule. The Create Application
Rule dialog box appears.
4. Select the relevant application group from Target Application Group > Click to select drop-down menu.
The drop-down menu displays a list of groups available. The top of the list displays Built-in and Generated
groups. Groups created by the user are displayed below. See Built-in Groups detailed on page 111 for more
information.
5. Select the desired Action to either Allow Execution or Block Execution.

6. If you want to prompt the user before the application is executed or blocked then select a message or
notification from Show End User Message. The list shows Allow or Block messages depending on your
choice in the previous step.
7. If you are allowing the application to execute, select the correct access token from Apply Access Token
dependent on the rights you want to assign to the application group. The token can be set using one of the
pre-defined access tokens (or you can define any number of custom tokens, which will appear at the end of
the list of standard options). For more information see Custom Tokens detailed on page 73.

53 of 133
Document v.1.0
This option is only available if you have chosen to Allow the application to execute.
Apply Access Token can be set to one of the following options (or you can define any number of custom
access tokens, which appear at the end of the list of standard options):
l Passive (No Change) – This option allows you to audit the applications in the application group
without modifying the access token.
l Enforce User’s Default Rights – This option will ensure that the applications in the application
group are assigned the user’s default rights.
l Drop Admin Rights – This option will remove local admin rights from the access token for
applications in the application group.
l Add Admin Rights – This option will add local admin rights to the access token for applications in
the application group.
8. If you wish to audit the application rule being matched then select On or On (Anonymous) (does not log the
username) for Raise an Event. This will log events to the local Application Event Log.
9. If you wish to run a custom script when the application rule has been matched, then select On for Run a
Script. See Auditing with Custom Scripts detailed on page 98 for more information.
10. If you wish to audit any privileged activity performed by the executed application then select On for
Privilege Monitoring. See Privilege Monitoring detailed on page 77 for more information.
11. If you have enabled the McAfee ePolicy Orchestrator Integration, then select On for Forward events to ePO.
This option is not available when ePO integration is disabled.
Auditing
If you select On or On (Anonymous) (does not log the username) for Raise an Event then an event will be logged
to the local application event log every time the application rule is matched.
If you select On or On (Anonymous) (does not log the username) for Privilege Monitoring then an event will be
logged to the application event log the first time a process performs a privileged operation (an operation that would
fail under a standard user account) for the selected application group. All privileged activity will also be logged to an
XML file that can later be viewed with the Defendpoint Reporting Console (an MMC snap-in). You can modify
the behavior of privilege monitoring on the Privilege Monitoring tab of the workstyle.

54 of 133
Document v.1.0
Chapter 9 - On-Demand Application Rules
The On-Demand Application Rules tab of the workstyle allows you create rules to launch applications with
specific privileges (usually admin rights), on-demand from a right-click Windows context menu.
9.1 - Enabling On-Demand Integration

To enable on-demand application rules, select the On-Demand Application Rules workstyle tab. The first check
box applies to all versions of Windows that have the Run as administrator option. The second two check boxes
apply to the Classic Windows Shell only. They do not apply to the Windows Modern UI that is available in
Windows 8 and Windows 10.
Windows Modern UI
If an On-Demand application rule is triggered, Defendpoint references the check box labeled Apply the on-
demand application rules to the “Run as administrator”. If the check box is selected, Defendpoint intercepts
the Run as administrator option in the right-click context menu and overrides it. The labeling of the option
doesn’t change in this instance. If the check box is cleared, Defendpoint does not intercept the option to Run as
Administrator.
Defendpoint also references the check box labeled Hide “Run as” and “Run as administrator” commands in
the Classic Shell context menu. If it is selected, these options, where present, are hidden from the right-click
context menu. Defendpoint does not continue process additional application rules.
Windows Classic Shell

If an On-Demand application rule is triggered, Defendpoint references the check box in the Classic Shell Context
Menu Options section labeled Apply custom on-demand option to the Classic Shell context menu (this
won’t affect the “Run as administrator” option). If the check box is selected, Defendpoint adds a new option to
the right-click context menu that you have configured in the Classic Shell Context Menu Option section, for
example 'Run with Defendpoint'.

55 of 133
Document v.1.0
Defendpoint also references the check box labeled Hide “Run as” and “Run as administrator” commands in
the Classic Shell context menu. If it is selected, these options, where present, are hidden from the right-click
context menu. Defendpoint does not continue to process additional application rules.
Unlike Application rules, the On-Demand rules list will only receive the assigned privileges if the user
launches a relevant application using the context menu.
9.2 - Managing Languages

The menu option that is displayed can be configured for multiple languages. Defendpoint will detect the regional
language of the end user, and if a message in that language has been configured, the correct translation will be
displayed.
To add a new menu option translation:
1. In the Custom Classic Shell menu option, click ‘…’ on the right-hand side.
2. The Configure Languages dialog box appears.
3. To add a new language, click Add Language.
4. In the Insert Language dialog box, select the correct language and region and click OK.
5. A new entry for the selected language will be added to the list.
6. Double-click the Text to display string to enter your own translation for the selected language.
7. Click OK to finish.
If a language cannot be matched for the region of the end user, then the default language will be displayed. To
change the default language, select the desired language and click Set Default.

56 of 133
Document v.1.0
Chapter 10 - Content Control
Content control allows you to control the accessibility of privileged content. Content groups provide a means of
targeting specific types of content, based on file/folder, drive, or controlling process. Rules determining the
behavior for that content are applied to each content group in a workstyle.
There are two main use cases for applying content control:
To allow standard users to modify privileged content, without having to assign admin rights to either the
user, or the application used to modify the content.
l Content groups can be added to content rules where the content can be assigned admin rights. When this is
done, any user who receives the workstyle can modify matching content without requiring an administrator
account.
To block access to content or directories.

l Content groups can be added to content rules where the ability to open the content can be controlled with a
Block action. When this is done, any user who would normally be able to open and read the content would
be blocked from opening the content.
The following sections explain how to create content groups including content definitions, and how to assign
groups to content rules to apply the specific content control rules that meet your requirements.
10.1 - Creating Content Groups

To create a content group:
2. Select the Content Groups node.
3. Right-click the Content Groups node and then click New Content Group.
A new content group will be created and it will be highlighted so that you can rename it. Press Enter once you have
renamed the content group. You can now add content to the content group.
10.1.1 - Content Group Description

You can set a description for a content group by accessing the content group properties:
1. Select the Content Group in the tree pane.
2. Right-click the Content Group and then click Properties.
4. Click OK.

57 of 133
Document v.1.0
10.1.2 - Inserting Content
To insert a content type:
1. Select the relevant content group.
2. Right-click the content list in the details pane and select Insert File. The Insert Content wizard appears.
3. Enter a file or folder name that you wish to insert. Alternatively, you can browse for a file or folder using the
Browse File and Browse Folder buttons.
4. After selecting a content / file type to insert, click Next.
5. Enter a description for the content and then click Next.
6. Configure the Content Criteria (detailed below) for the content (by default the Match File or Folder Name
rule will be selected).
7. Click Finish.
10.1.3 - Target Content Definitions

The Insert Content wizard provides various content definitions. The Defendpoint client must match every
definition you configure before it will trigger a match (the rules are combined with a logical AND).
The following definitions are available:

l File/Folder
l Drive
l Controlling Process
l Sandboxing Classification
10.2 - Content Rules

The Content Rules tab of the workstyle is where content rules are applied to content groups.
Content rules define the actions Defendpoint will take when content (a file) is opened (double-clicked) by the user.
For more information about content groups, see Creating Content Groups detailed on the previous page.
10.3 - Inserting a Content Rule

To insert a content rule:
1. Select the relevant workstyle in the tree pane.
2. Select the Content Rules tab in the details pane.
3. Right-click in the Content Rules tab and click Insert Content Rule.
4. The Create Content Rule dialog box appears.
5. Select the relevant content group from the Target Content Group > Click to select drop-down menu.
6. Select the desired Action from either Allow Modification or Block Access.
If you have selected the action Block Access, the Apply Access Token option will be disabled.
7. If you want to prompt the user before the content is modified or blocked then select a message or
notification from the Show End User Message drop-down menu.

58 of 133
Document v.1.0
8. You must define one or more messages or notifications before you can assign an end user message. If you
do not want to prompt the user with a message or notification, then select Off. For more information see End
User Messaging detailed on page 62.
9. If you are allowing the content in the selected content group to be modified, select the correct access token
from the Apply Access Token drop-down menu.
Apply Access Token can be set to one of the following options (or you can define any number of custom
access tokens, which will appear at the end of the list of standard options):
l Passive (No Change) – This option allows you to audit the file types in the content group without
modifying the access token.
l Enforce User’s Default Rights – This option ensures that the file types in the content group are
assigned the user’s default rights.
l Drop Admin Rights – This option removes local admin rights from the access token for file types in
the content group.
l Add Admin Rights – This option adds local admin rights to the access token for file types in the
content group.
10. If you want to audit the content rule being matched then select On for Raise an Event. This logs events to
the local Event Log.
11. If you want to run a custom script when the content rule has been matched, then select On for Run a
Script. For more information on auditing and reporting, see Auditing and Reporting detailed on page 95.
If you select On or On (Anonymous) (does not log the username) for Raise an Event then an event will be logged
to the event log every time a process launches for the selected content group.
The Summary View and Detail View can be used to show information about your content group entries in either
graphical form or in table form.

59 of 133
Document v.1.0
Chapter 11 - General Rules
The General Rules tab of the workstyle provides additional configuration settings for the features detailed in the
following sections.
These rules can be enabled or disabled, after a workstyle has been created, from the General Rules tab.
11.1 - Prohibit Privileged Account Management

This rule, when enabled, blocks users from modifying local privileged group memberships. This prevents real
administrators, or applications which have been granted administrative rights through Defendpoint from adding
AND/OR removing AND/OR modifying a privileged account.
The list of local privileged groups that are prohibited from modification when this rule is enabled is:
l Built-in administrators
l Power users
l Account operators
l Server operators
l Printer operators
l Backup operators
l RAS servers group
l Network configuration operators
This rule provides three options:

l Not Configured – This workstyle will be ignored.
l Enabled – The user will not be able to add, remove or modify user accounts in local privileged groups.
l Disabled – Default behavior based on the users rights or those of the application.
11.2 - Collect User Information

This rule, when enabled will raise an audit event each time a user logs on to the client machine. The audit event will
collect the following information which is reported through the Enterprise Reporting pack:
l Logon Time – The date and time the user logged on.
l Is Administrator – The client will check whether the user account has been granted local administrator
rights either directly or through group membership.
l Session Type – The type of logon session, for example, console, RDP, ICA.
l Session Locale – The regional settings of the user session / profile
l Logon Client Session Hostname – The hostname of the client the user is logging on from. This will either
be the local computer (for Console sessions) or the remote device name (for remote sessions).
l Logon Client Session IP Address – The IP address of the client the user is logging on from. This will
either be the local computer (for console sessions) or the remote device name (for remote sessions).
For more information on user information reporting, refer to the AvectoDefendpoint Reporting guides.

60 of 133
Document v.1.0
11.3 - Collect Host Information
This rule, when enabled will raise an audit event on computer start-up or when the Defendpoint Client service is
started. The audit event will collect the following information which is reported through the Enterprise Reporting
pack:
l Instance ID – A unique reference identifying a specific service start event.

l OS Version – The name and version of the operating system, including service pack.
l Chassis Type – The type of chassis of the client, for example, workstation, mobile, server, VM.
l Language – The default system language.
l Location – The current region and time zone of the device.
l Client Version – The version of the Defendpoint Client.
l Client Settings – The type of installation and current settings of the Defendpoint Client.
l System Uptime – Time since the computer booted.
l Unexpected Service Start - Only added if the service has unexpectedly started (that is, a previous start
was not proceeded by a service stop).
An additional event will be raised when the computer shuts down, or when the Defendpoint Client service is
stopped:
l Instance ID – A unique reference identifying the last service start event.

l Computer Shutdown – Value identifying whether the service stopped as part of a computer shutdown
event.
This option is only available in policies set under the Computer Configuration Group policy.
For more information on computer information reporting, refer to the Avecto Defendpoint Reporting guides.
11.4 - Windows Remote Management Connections

This rule, when enabled, authorizes standard users who match the workstyle to connect to a computer remotely via
WinRM, which would normally require local administrator rights. This general rule supports remote PowerShell
command management, and must be enabled in order to allow a standard user to execute PowerShell scripts
and/or commands.
See Remote PowerShell Management detailed on page 50 for more information on configuring remote
PowerShell.
In order to allow remote network connections, you may be required to enable the Windows Group Policy
setting access this computer from the network. For more information, see: http://technet.microsoft.com/en-
us/library/cc740196(v=WS.10).aspx

61 of 133
Document v.1.0
Chapter 12 - End User Messaging
You can define any number of end user messages and notifications. Messages and notifications are displayed
when a user’s action triggers a rule (application / on-demand or content rule). Rules can be triggered by an
application launch or block or when content is modified.
Messages provide an effective way of alerting the user before an action is performed. For example, before
elevating an application or allowing content to be modified, or advising that an application launch or content
modification has been blocked.
Messages give the user information about the application or content, the action taken, and can be used to request
information from the user. Messages also allow authorization and authentication controls to be enforced before
access to an application is granted.
Messages are customizable with visual styles, corporate branding and display text, so you are offered a familiar
and contextual experience. Messages are assigned to application rules and content rules. A message will display
different properties depending on which of these targets it is assigned to. To view the differences a Preview option
allows you to toggle between the Application Preview and the Content Preview. This is available from the
Preview drop-down menu located in the top-right corner of the details pane.
Once defined, a message may be assigned to an individual rule in the Application Rules tab by editing the rule.
Depending on the type of workstyle you’ve created, Defendpoint may auto-generate certain messages for you to
use.
12.1 - Creating Messages

To create a message:
1. Select the Messages node.
2. Right-click the Messages node and select New Message.
3. The New Message wizard appears.
4. Select a message template from either the Use a Message Box template or Use a Notification (balloon)
template drop-down menus.
Messages can be interactive (the user may be asked to input information before an action occurs).
Notifications are descriptive (displaying information about an action that has occurred).
5. Click Next.
6. Customize the message (more advanced message configuration can be performed after the message has
been created).
7. Click Finish.
A new message will be created under the Messages node. You can rename the message by double-clicking on the
message name.
You may now further refine the message by selecting it and editing the properties which are displayed in the right-
hand pane under the Message Design and the Message Text tabs.

62 of 133
Document v.1.0
12.1.1 - Message Name and Description
You can set a description for a message by accessing the properties for a message:
1. Right-click the Message in the tree pane and select Properties.

3. Click OK.
12.1.2 - Message Design

Messages have a wide array of configuration options, which are detailed below.
As you change the various message options the preview message will automatically be updated. To test the
message box, use the preview facility (program and content information will contain appropriate placeholders).
Once you have configured the message options you should configure the Message Text for the message, which
includes full multi-lingual support.
Miscellaneous Settings
l Show message on secure desktop – Select this option to show the message on the secure desktop. This
is recommended if the message is being used to confirm the elevation of a process, for enhanced security.
Message Header Settings

l Header Style – Select the type of header, which can be No header, Defendpoint, Warning, Question or
Error.
l Show Title Text – Determines whether to show the title text.
l Text Color – Select the color for the title text (the automatic color is based on the Header Style).
l Background Type – Set the background of the header, which can be Solid background, Gradient
background or Custom image. (The default Background Type is Custom Image making the Color 1 and
Color 2 options initially unavailable).
l Color 1 – Select the color for a Solid background or the first color for a Gradient background (the
automatic color is based on the Header Style).
l Color 2 – Select the second color for a Gradient background (the automatic color is based on the selected
Header Style).
l Custom Image – Select the image for a Custom image background. This option is only enabled if you
have selected Custom Image for the Background Type. Click the “…” button to import, export, modify or
delete images using the Image Manager.
Message Body Settings

The Message Body Settings display specific information about the program or content. . These can be configured
on the Message Text tab; they can display Automatic default values or Custom values. The Automatic default
values are:
l Show Line One – The Program Name or the Content Name .

l Show Line Two – The Program Publisher or the Content Owner.
l Show Line Three – The Program Path or the Content Program.

63 of 133
Document v.1.0
Custom values are configured on the Message Text tab.
l Show reference Hyperlink – This option determines whether to show a hyperlink in the message below the
body settings (the hyperlink is configured on the Message Text tab).
User Reason Settings

This option determines whether to prompt the end user to enter a reason before an application launches (Allow
Execution message type) or to request a blocked application (Block Execution message type).
l User Reason Type – Select between Text box and Drop-down list. Text box allows users to write a
reason or request. The Drop-down allows users to select a pre-defined reason or request from a drop-down
menu. The pre-defined drop-down entries can be configured on the Message Text tab.
l Remember User Reasons (per-application) – Reasons are stored per-user in the registry.
User Authorization
l Authorization Type – Set this option to User must authorize to force the user to re-authenticate before
proceeding. If you want to use this option for over the shoulder administration, then set this option to
Designated user must authorize.
l Authentication Method – Set this option to Any to allow authentication using any method available to the
user. If you want to enforce a specific authentication method, then set to either Password only or Smart
card only.
If you select a method that is not available to the user, then the user will be unable to authorize the
message.
l Designated Users – If the Authorization Type has been set to Designated user must authorize then
click the “…” button to add one more user accounts or groups of users that will be allowed to authorize the
message.
l Run application as Authorizing User – If the Authorization Type has been set to Designated user
must authorize then this option determines whether the application runs in the context of the logged on
user or in the context of the authorizing user. The default is to run in the context of the logged on user as
opposed to the authorizing user.
When Run application as Authorizing User is set to Yes, then Defendpoint will attempt to match a
workstyle of the same type (application rule or on-demand rule) for the authorizing user. If no workstyle is
matched, then Defendpoint will fall back to the original user workstyle.

64 of 133
Document v.1.0
Challenge / Response Authorization
l Enabled – Set this option to Yes to present the user with a challenge code. In order for the user to proceed,
they must enter a matching response code. Note that when this option is enabled for the first time, you will
be requested to enter a shared key. For more information, see Challenge / Response Authorization
detailed on page 68.
l Authorization Period (per-application) – Set this option to determine the length of time a successfully
returned challenge code is active for. Choose from:
l One use Only – A new challenge code is presented to the user on every attempt to run the
application.
l Entire Session – A new challenge code is presented to the user on the first attempt to run the
application. After a valid response code has been entered, the user will not be presented with a new
challenge code for subsequent uses of that application until they next log on.
l Forever – A new challenge code is presented to the user on the first attempt to run the application.
After a valid response code has been entered, the user will not be presented with a new challenge
code again.
l As defined by helpdesk – A new challenge code is presented to the user on the first attempt to run
the application. If this option is selected them the responsibility of selecting the authorization period
will be delegated to the helpdesk user at the time of generating the response code. The helpdesk user
will be given the ability to select one of the three above authorization periods. After a valid response
code has been entered, the user will not receive a new challenge code for the duration of time
specified by the helpdesks.
l Suppress messages once authorized – If the Authorization Period has not been set to One Use Only
the Suppress messages once authorized option is enabled and configurable.
l Show Information tip – This option determines whether to show an information tip in the challenge box. To
configure the text of the information tip, see Message Text detailed on the next page.
l Maximum Attempts – This option determines how many attempts the user has to enter a successful
response code for each new challenge. Set this option to Three Attempts to restrict the user to three
attempts, otherwise set this option to Unlimited.
After the third failure to enter a valid response code, the message will be canceled and the challenge code
will be rejected. The next time the user attempts to run the application, they will be presented with a new
challenge code. Failed attempts are accumulated even if the user clicks Cancel between attempts.
Authorization Settings
If Authorization Type has been set to Designated user must authorize this field becomes active. It allows you
to choose between either:
l Yes – Both required – Both the challenge / response and the designated user credentials are required.
l No – Either one sufficient – Either the challenge / response or the designated user credentials are
required.

65 of 133
Document v.1.0
Email Settings
The email settings are only enabled for blocking messages.
l Allow user to email an application request – Select this option to allow the user to email a request to run
an application (only available for the Block Execution message type).
l Mail To – Email address to send the request to (separate multiple email addresses with semicolons).
l Subject – Subject line for the email request.
The Mail To and Subject fields can include parameterized values, which can be used with email based automated
helpdesk systems. For help with using parameters, see Workstyle Parameters detailed on page 123.
12.1.3 - Message Text

All of the text in the message can be configured in the Message Text section, which includes support for any
number of end user languages.
As you change the message text the preview message will automatically be updated, based on the selected
language. To test the message box, click the preview message (any program or content information will contain
placeholders).
Setting the Message Text

We highly recommended that you change the default text strings, as many are simply placeholders, and all are
defined in English.
To set the message text strings, select the relevant language in the languages list and edit the text values in the
text property grid.
The text in any text string can include parameterized values which provide more personalized messages for users.
For help with using parameters, see Workstyle Parameters detailed on page 123.
Changing the Pre-Defined Drop-down User Reasons

If you want to change the pre-defined user reasons available from the Message Box drop-down menu:
1. Select the User Reason List field.

2. Click the ‘…’ button to the right. The Approved Reasons dialog box appears.
3. Use the Add and Remove buttons to edit the Approved Reasons.
Changing the Message Text for Buttons

Depending on the message options the message box will have either one or two buttons:
l For a prompt the message box will have OK and Cancel buttons.
l For a blocking message with Allow user to email an application request enabled the message box will
have OK and Cancel buttons. It is highly recommended you change the OK button text to be “Email”,
unless you make it clear in the message text that the OK button will send an email request.
l For a blocking message with Allow user to email an application request disabled the message box will
only have an OK button.
You can change the OK Button and Cancel Button text. For instance, you can change it to “Yes” and “No” if you
are asking the end user a question.

66 of 133
Document v.1.0
l Buttons
l OK Button
l Cancel Button
12.1.4 - Managing Languages

By default, a single language is defined (English) with a set of default text strings. You may add additional
languages as follows:
1. Click in the languages drop-down menu and click Add a Language.

2. The Insert Language dialog box appears.
3. Select the relevant language (and region) from the drop-down menu and click OK.
If you have more than one language then you can set the default language. This is the language that will be used if
an end user is using a language that has not been defined. The default language is set to English, but you may
change the default language:
1. Select the language you want to set as the default language.

2. Click Make this the default language.
If you delete a language that has been set to the default language then the language at the top of the language
list is set to the default language. You must always have at least one language defined.
12.1.5 - Image Manager

The Image Manager associated with message creation allows you to Add, Modify, Export and Delete images that
are referenced in message headers.
All images are stored inside the workstyles as compressed and encoded images.
It is strongly recommended that you delete any unused images to minimize the size of the policies, as Defendpoint
does not automatically delete unreferenced images.
The Image Manager is only accessible when the Background Type field on the Message Design tab is set to
Custom Image. The Custom Image field is enabled. Click the ‘…’ button to the right. The Manage Images dialog
box appears.
To add an image to a message:

1. Click Add.
2. The Image Properties dialog box appears.
3. Click Import.
4. Browse for an image and click Open.
5. Set a description for the image.
6. Click OK.

67 of 133
Document v.1.0
To modify an image:
1. Select the image in the list and click Modify.
2. The Image Properties dialog box appears.
3. Click Import.
4. Alter the description and click OK.
To export an image:
1. Select the image in the list and click Export.
2. Browse to a folder and click Save.
To delete an image:
1. Select the image in the list and click Delete.
2. When prompted, click Yes to delete the image.
If an image is referenced by any messages then you will not be allowed to delete it.
12.1.6 - Challenge / Response Authorization

Challenge / Response authorization provides an additional level of control for access to applications and privileges,
by presenting users with a 'challenge' code in an end user message. In order for the user to progress, they must
enter a corresponding 'response' code into the message.
Challenge / Response authorization is configured as part of an end user message, and can be used in combination
with any other authorization and authentication features of Defendpoint messaging.
Authorization is applied per user, per application, meaning that each user will be presented with challenge codes
which, when authorized, will only apply to them. Likewise, each unique application requiring challenge / response
authorization will present the user with a different, unique challenge code.
Challenge and response codes are presented as an 8 digit number, which is ideal for verbal communication with a
telephone helpdesk, and minimizes the chance of incorrect or accidental entry.
When a user is presented with a challenge code, the message may be canceled without invalidating the code. If the
user runs the same application, they will be presented with the same challenge code. This allows users to request
a response code from IT helpdesks, which may not be immediately available to provide a response.
For more information on configuring challenge / response authorization enabled end user messages, see Message
Design detailed on page 63.

68 of 133
Document v.1.0
There are two main configuration options available for how challenge codes are presented to users:
l Authorization Period (per-application) – For each application, challenge codes can be optionally
presented to a user for One Use Only, Entire Session, Forever or As defined by helpdesk, depending
on the level of control and flexibility you want to apply to the user and application.
l Maximum Attempts – This option determines how many attempts the user has to enter a successful
response code for each new challenge. There are two options available, Unlimited which will allow the user
to try entering the response code an unlimited number of times, or Three Attempts which will only allow a
maximum of three attempts to enter a correct response code before the message is cancelled and the
challenge code is invalidated.
If a challenge code is invalidated due to excessive failed attempts, the user will be presented with a new
challenge code the next time they attempt to run the application. Failed attempts are remembered even if the
user clicks Cancel between attempts
It is recommended that Three Attempts is enabled to prevent the user from attempting to guess response
codes through brute force retries.
For more information on configuring challenge / response authorization enabled end user messages, see Message
Design detailed on page 63.
Shared Key
The first time you create a Defendpoint end user message with a challenge you are asked to create a shared key.
The shared key is used by the Defendpoint Client to generate challenge codes at the end point. The shared key is
also required to generate the response code to match a challenge code created with the same key.
Once you have entered a shared key, it will be applied to all end user messages that have challenge / response
authorization enabled in the same Defendpoint Settings.
To change the shared key:

1. Right-click the Defendpoint Settings node and choose Set Challenge / Response Shared Key.
2. In the Challenge / Response Shared Key dialog box, edit the Enter Key and Confirm Key with the new
shared key.
3. Click OK to complete. If the keys entered don't match, you will be presented with a warning message.
We recommend that your shared key is at least 15 characters and includes a combination of alphanumeric,
symbolic, upper, and lowercase characters. As a best practice, the shared key should be changed
periodically.
Generating a Response Code

Response codes are generated using PGChallengeResponseUI.exe, which is installed as part of the
Defendpoint Policy Editor installation, and is located in the following directory:
C:\Program Files\Avecto\Privilege Guard Management Consoles\

69 of 133
Document v.1.0
To generate a response code using the PGChallengeResponseUI utility:
1. Run the program PGChallengeResponseUI.exe.
2. In Enter shared key, enter the shared key you defined earlier, and in Enter challenge code, enter the
challenge code presented to the user.
3. The response code will automatically be displayed once both the Shared Key and the 8 character challenge
code have been entered.
The Generated Response value is then entered into the End User Message which presented the corresponding
challenge.
PGChallengeResponseUI.exe is a standalone utility and can be distributed separately from the Defendpoint
Policy Editor.
Generating a Response Code from the Command Line
Response codes can also be generated from the command line using the PGChallengeResponse.exe command
line utility, which is installed as part of the Defendpoint Policy Editor installation, and is located in the following
directory:
C:\Program Files\Avecto\Privilege Guard Management Consoles\
To generate a response code from the command line:

1. Open the Command Prompt by clicking the Start Menu and typing cmd.exe.
2. In the Command Prompt, type the following command, then press Enter: cd "\program
files\avecto\privilege guard management consoles"
3. Once you have opened the privilege guard management consoles directory, type the following
command (where <challenge> is the challenge code presented to a user):
pgchallengeresponse.exe <challenge>
4. At the Shared Key prompt, enter the correct shared key, then press Enter.
PGChallengeResponseUI.exe is a standalone utility and can be distributed separately from the Defendpoint
Policy Editor.
Automating Response Code Generation
The PGChallengeResponse.exe utility supports full command line use, allowing it to be easily integrated into
any third party workflow that supports the execution of command line executables. The command line is as
follows:
PGChallengeResponse.exe <challenge code> <shared key>
Where <challenge code> is the code presented to the user and <shared key> is the key that was configured
within the Defendpoint Settings which presented the end user message.
The utility will return the response code as an exit code, so it can be captured from within a custom script or
wrapper application. Below is an example VBScript:
Dim WshShell, oExec

Dim strChallenge,strKey,strExecutable

70 of 133
Document v.1.0
strExecutable = "C:\Program Files\Avecto\Privilege Guard Management
Consoles\PGChallengeResponse.exe"
strChallenge = InputBox("Enter Challenge Code","Challenge")
strKey = InputBox("Enter Shared Key","Key")
Set WshShell = WScript.CreateObject("WScript.Shell")
Set oExec = WshShell.Exec(strExecutable & " " & strChallenge & " " & strKey)
Do While oExec.Status = 0
WScript.Sleep 100
Loop
msgbox "Response Code: " & oExec.ExitCode
Set WshShell = Nothing
Set oExec = Nothing
12.1.7 - Challenge Response Designated User Option

Challenge / Response provides an additional level of control for access to applications and privileges.
An extra aspect of this feature is Designated User authorization. When this option is enabled a designated user
such as a system administrator can authorize the elevation in place of (or in addition to) a Challenge Response
code.
For more information on Designated User settings see the Authorization Settings section of Challenge Response
Designated User Option detailed above.
12.2 - Message Notifications

Message notifications allow information about workstyle actions to be communicated to users in an unobtrusive
manner. When enabled for a workstyle, actions performed can show a notification, which can be dismissed by the
user or will disappear after a short period.
Message notification text is fully customizable, so that users are given concise, yet relevant information about the
action performed. As you change the text properties the preview notification will automatically be updated.
Message notifications are displayed either as a systray bubble (Windows 7 and older operating systems), or as a
Toast notification (Windows 8).
12.2.1 - Setting the Notification Text

It is highly recommended that you change the default text strings, as they are only placeholders, and all are defined
in English.
To set the notification text strings, select the relevant language in the languages list and edit the text values in the
text property grid.
Message notifications are not supported for SYSTEM processes.

71 of 133
Document v.1.0
12.2.2 - Setting ActiveX Message Text
When Defendpoint is configured to elevate the installation of an ActiveX control, a built-in progress dialog box of
the installation process appears.
The following text strings can be set:
l Title – The title text of the progress dialog box.

l Download Message – The text displayed during the download phase.
l Install Message – The text displayed during the installation phase.
l Cancel Button – The text displayed for the button that cancels the ActiveX installation.
The display text can be configured for multiple languages. Defendpoint will detect the regional language of the end
user, and if ActiveX strings in that language have been configured, the correct translation will be displayed.
To set the ActiveX message text:

1. Right-click the Messages node and select Manage ActiveX Message text.
2. The Configure Languages dialog box appears.
3. To edit the text for an existing language, double-click the text under Text to display. To add a new
language, click Add language.
4. Once you have finished editing the ActiveX text strings, click OK to finish.
If language settings for the region of the end user have not been configured, then the default language text
will be displayed. To change the default language, select the desired language and click Set Default.

72 of 133
Document v.1.0
Chapter 13 - Custom Tokens
Access tokens (and custom tokens) are assigned to an application, or when content is being edited, to modify the
privileges of that activity. Within an access token is a collection of settings that specify the group memberships,
associated privileges, integrity level and process access rights. Defendpoint includes a set of built-in access
tokens that can be used to add administrator rights, remove administrator rights, or enforce the users default
privileges. A ‘passive’ access token is also available that does not change the privileges of the activity, but still
applies anti-tamper protection.
Access tokens are assigned to applications or content through rules within a workstyle. For more advanced
configurations, custom tokens can be created where group memberships, privileges, permissions and integrity can
be manually specified. You can optionally define any number of custom tokens.
13.1 - Creating Custom Tokens

To create a new custom token:
2. Expand and select the Custom Tokens node.
3. Right-click the Custom Tokens node and then click New Custom Token.
4. The New Token wizard appears.
5. Select a token type.
6. If you have not selected a blank token then click Next and you will be presented with the default privileges
for the token type, which you may modify. For a token that adds administrator rights, privileges are added to
the token. For a token the removes administrator rights, privileges are removed from the token.
7. Click Finish to exit the wizard.
The new custom token is displayed beneath the Custom Tokens node. Right-click the new token and choose
Rename to enter a new name. .
You may now define the Groups, Privileges, Integrity Level and Process Access Rights for the custom token.
Custom Token Description
You may set a description for a custom token by accessing the properties:
1. Select the Custom Token in the tree pane.
2. Right-click the Custom Token and then click Properties.
4. Click OK.
13.2 - Editing Custom Tokens

13.2.1 - Groups
The Groups section of the custom token specifies the groups that will be added or removed from the token.
To insert a group:
1. Select the relevant custom token.
2. Right-click in the groups list and click Add a new account.

73 of 133
Document v.1.0
3. The Select Groups dialog box appears.
4. Enter the relevant groups and click Check Names to validate the names or alternatively click Advanced to
browse for groups.
5. Click OK.
6. By default, when you insert a group the Add check box is selected, and the group will be added to the
custom token. If you want to remove the group from the custom token then select the Remove check box
for the relevant group.
7. Domain and well known groups will display a Security Identifier (SID). The SID will be used by the
Defendpoint Client, which will avoid account lookup operations. For local groups the name is used by the
Defendpoint Client, and the SID is looked up when the custom token is created by the client. Local
Account appears in the SID column of the groups list for local groups.
Setting the Token Owner

By default, the owner of a custom token that includes the administrators group will have the owner set to the
administrators group. If the administrators group is not present in the custom token then the user is set as the
owner.
If you want the user to be the owner, regardless of the presence of the administrators group, then select the Ensure
the User is always the Token Owner check box.
Anti-Tamper Protection
By default, Defendpoint prevents elevated processes from tampering with the files, registry and service that make
up the client installation. It also prevents any elevated process from reading or writing to the local Defendpoint
policy cache.
If you want to disable anti-tamper protection, then clear the Enable anti-tamper protection check box.
Under normal circumstances, this option should remain enabled, except in certain scenarios where elevated
tasks require access to protected areas. For instance, if you are using an elevated logon script to update the
local Defendpoint policy.

74 of 133
Document v.1.0
13.2.2 - Privileges
The Privileges section of the custom token specifies the privileges that will be added to or removed from the
custom token.
If you want to add a privilege to the custom token then select the Add check box for the relevant privilege.
If you want to remove a privilege from the custom token then select the Remove check box for the relevant
privilege.
To clear, add or remove multiple privileges, select the relevant privileges and then right-click to access the context
menu. Select Reset Privilege, Add Privilege or Remove Privilege respectively.
To add or remove the privileges associated with an administrator, select Add Admin Privileges or Remove
Admin Privileges respectively.
To clear all of the privileges in the custom token before applying privileges, select the Remove all existing
privileges in access token before applying privileges check box. If this check box is left cleared then the
privileges are added or removed from the user’s default custom token.
13.2.3 - Integrity Level

The Integrity Level section of the custom token specifies the integrity level for the custom token.
To set the integrity level:

1. Select the Set the integrity level in Custom Token option button.
2. Set the appropriate integrity level with the slider.
The integrity level should be set as follows:
Integrity Level Description

System Included for completion and should not be required
High Set the integrity level associated with an administrator
Medium Set the integrity level associated with a standard user
Low Set the integrity level associated with protected mode (an application may fail
to run or function in protected mode)
Untrusted Included for completion and should not be required
13.2.4 - Process Access Rights

The Process Access Rights section of a custom token allows you to specify which rights other processes will
have over a process launched with that custom token.
Tokens that include the administrators group have a secure set of access rights applied by default, which will
prevent code injection attacks on elevated processes initiated by processes running with standard user rights in the
same session.

75 of 133
Document v.1.0
Adding or Removing an Access Right
If you want to add an access right to the custom token, select the check box for the relevant access right.
If you want to remove an access right from the custom token, clear the checkbox for the relevant access right .
To add or remove multiple access rights, select the relevant access rights and then right-click to access the
context menu. Select Add Right or Remove Right respectively.
To reset all access rights to the most secure setting, select Reset all to default.
The access rights should be set as follows:
Access Rights Description

GENERIC_HEAD Read access.
PROCESS_CREATE_PROCESS Required to create a process.
PROCESS_CREATE_THREAD Required to create a thread.
PROCESS_DUP_HANDLE Required to duplicate a handle using DuplicateHandle.
PROCESS_QUERY_INFORMATION Required to retrieve certain information about a process, such as its
token, exit code, and priority class
PROCESS_QUERY_LIMITED_ Required to retrieve certain information about a process
INFORMATION
PROCESS_SET_INFORMATION Required to set certain information about a process, such as its priority
class
PROCESS_SET_QUOTA Required to set memory limits using SetProcessWorkingSetSize
PROCESS_SUSPEND_RESUME Required to suspend or resume a process
PROCESS_TERMINATE Required to terminate a process using TerminateProcess
PROCESS_VM_OPERATION Required to perform an operation on the address space of a process
PROCESS_VM_READ Required to read memory in a process using ReadProcessMemory
PROCESS_VM_WRITE Required to write to memory in a process using
WriteProcessMemory
READ_CONTROL Required to read information in the security descriptor for the object,
not including the information in the SACL
SYNCHRONIZE Required to wait for the process to terminate using the wait functions

76 of 133
Document v.1.0
Chapter 14 - Advanced Configuration
Settings
14.1 - Privilege Monitoring
Defendpoint has the ability to monitor the behavior of specific privileged applications and processes, a feature
called privilege monitoring. Privilege monitoring is enabled as an auditing option in the properties of an application
rule or an on-demand application rule. When enabled, Defendpoint records all privileged operations performed by
the application or process that would fail under a standard user account. These include file operations, registry
operations, and any interactions with other components such as Windows services.
The application must be running under a privileged account, such as an administrator or power user. Alternatively
an application could be running with elevated privileges because you have added it to the Application Rules or
On-Demand Application Rules section of the workstyle and assigned it to run with admin rights.
Privilege monitoring logs are recorded on each endpoint, and the logs can be accessed using the Defendpoint
Reporting MMC snap-in. The configuration of privilege monitoring logs is applied to each workstyle.
For more information about privilege monitoring contact your Avecto consultant.
14.1.1 - Workstyle Options

To edit the advanced options for a workstyle:
1. Expand the Workstyles node and select the relevant workstyle.

2. Right-click on the selected workstyle and click Edit Workstyle Options.
3. The Workstyle Options dialog box appears.
4. Configure the monitoring options (see below).
5. Click OK.
14.1.2 - Events
l Log Monitoring Event to Application Event Log – This option will log an event to the application event
log, the first time an application performs a privileged operation.
l Log Cancel Events (when user cancels message) – This option will raise an event when a user cancels
an end user message , either by clicking the Cancel button, Email button, or a hyperlink. The action
performed by the user is available as a policy parameter [PG_ACTION], which can be used by the script to
perform different audit actions based on the user interaction.

77 of 133
Document v.1.0
14.1.3 - Privilege Monitoring Log Files
The following Privilege Monitoring Log Filesoptions are available:
l Log Application Activity to Log Files – This option will enable logging of privileged activity to log files.
The activity level can be set with the activity slider:
l Application Summary – This option only logs information about the application.
l Application Summary and Activity – This option logs information about the application and unique
privileged activity (default option).
l Application Summary and Detailed Activity – This options logs information about the application
and all privileged activity.
l Maximum Activity Records Per Process – This option determines the maximum number of records that
will be recorded per process (default 100).
l Keep Application Activity Logs for – This option determines how long activity logs are kept before they
will be purged (default 14 days).
If Log Application Activity to Log Files is enabled then privilege activity is logged to XML files that can later be
viewed with the Defendpoint Reporting Console (an MMC snap-in). See Defendpoint Reporting Console
detailed on page 100 for more information.
14.2 - Signing Defendpoint Settings

The Defendpoint Settings may be digitally signed and the Defendpoint Client can either enforce or audit the loading
of signed settings.
14.2.1 - Creating and Editing Signed Settings

In order to digitally sign Defendpoint settings, a PFX file containing an appropriate certificate and private key must
be supplied, alongside the corresponding password for the PFX file.
For settings to be correctly signed, the certificate must have an OID that is specific to Avecto Defendpoint.
The chain of trust and revocation status is also checked by the client. If the settings have been tampered
with since signing then the settings will also fail the signing check.
For more information about creating certificates suitable for use with Defendpoint , please refer to Signing
Defendpoint Settings with Certificates detailed on page 118.
To digitally sign the Defendpoint Settings:

1. Select the Defendpoint Settings node.
2. Right-click and select Digitally Sign.
3. The Digitally sign your Defendpoint Settings wizard appears.
4. Check Sign the settings with the following private key option.
5. Click the Select key button and browse for the PFX file that contains your digital certificate.
6. Enter the password for the PFX file.
7. Click Finish.

78 of 133
Document v.1.0
To remove the digital signature from the Defendpoint Settings:
2. Right-click and click Digitally Sign.
3. The Digitally sign your Defendpoint Settings wizard appears.
4. Select the Do not sign the settings option.
5. Click Finish.
Once the Defendpoint Settings have been digitally signed, the Defendpoint Policy Editor will prompt the
administrator for the corresponding PFX password when the settings are opened.
To modify the signed settings, you must enter a valid password for the PFX. Alternatively, you can select to
remove the certificate from the settings, or open the settings in Read Only mode. Canceling this prompt
automatically opens the settings in Read Only mode.

79 of 133
Document v.1.0
14.2.2 - Defendpoint Client Certificate Mode
The Defendpoint Client will verify the certificate on any signed settings that it loads, regardless of where those
settings originate. The verification process includes:
l Checking that the contents of the settings have not been altered.
l Establishing a chain of trust.
l Checking that the certificate used to sign the settings contained the Defendpoint configuration Signing OID
in its Enhanced Key Usage extension.
l Checking for revocation where network connectivity allows.
Should the signature verification process fail for any reason, the course of action that is taken will depend upon the
mode of operation. There are three modes of operation within the Defendpoint Client. The mode is set via a
command line option during installation:
l 0 – Standard Mode
The loading of unsigned settings will be audited as information events (event 200). Signed settings will be audited
as information events (event 200) if they are correctly signed and as warning events (event 201) if they are
incorrectly signed.
The Defendpoint Client is installed in Standard Mode by default.
l 1 – Certificate Warning Mode

The loading of unsigned settings will be audited as warning events (event 201). Signed settings will be audited as
information events (event 200) if they are correctly signed and as warning events (event 201) if they are incorrectly
signed.
l 2 – Certificate Enforcement Mode

Unsigned or incorrectly signed settings will not be loaded and audited as error events (event 202). Signed settings
will be audited as information events (event 200) if they are correctly signed.
14.2.3 - Client Installation Mode Parameters
Parameter Description
CERT_MODE=0 Standard Mode
CERT_MODE=1 Certificate Warning Mode
CERT_MODE=2 Certificate Enforcement Mode
For example, to install the client MSI package silently in Certificate Warning Mode, use the following command line
(the syntax must be copied exactly):
MSIEXEC.exe /i DefendpointClient.msi –qn CERT_MODE=1
To install the client executable silently in Certificate Warning Mode, use the following command line (the syntax
must be copied exactly):
DefendpointClient.exe /s /v“ /qn CERT_MODE=1”

80 of 133
Document v.1.0
14.2.4 - Behavior when Failing to Verify Policy Certificate
When using signed Defendpoint Settings, timely certificate revocation enforcement may be desired. This scenario
is most common for clients unable to reach the CRL source since they are off the corporate network for extended
periods of time.
By default the Defendpoint Client will allow certificates whose revocation may not be confirmed via Microsoft
Crypto APIs from either cached information, or directly from the CRL source.
The following registry configuration may be used to change the default behavior:
HKEY_LOCAL_MACHINE\SOFTWARE\Avecto\Privilege Guard Client\

DWORD “CRLNetworkErrorFailOpen” = 0
Failure to retrieve CRL is deemed an error and policy will not be loaded
DWORD “CRLNetworkErrorFailOpen” = 1
Failure to retrieve CRL is deemed a warning and policy will still be loaded. This is the default behavior if this registry
setting has not been configured.
The CRL is cached when downloaded and honored until its Time To Live (TTL) has expired (standard Microsoft
CryptoAPI behavior). The Certificate Authority may be configured according to requirements, Microsoft Group
Policy provides centralized configuration in this area. Security and usability need to be balanced according to your
organization's risk tolerance.
Prior settings from the same source type (GPO, HTTP, etc) will be deleted before the newly acquired
settings are verified. This could lead to no policy in effect on the endpoint in the case that invalid settings are
delivered, and no valid settings from other sources are in place.
14.3 - Advanced Agent Settings

The Advanced Agent Settings section allows you to configure and deploy additional registry based settings to
Defendpoint Clients. To configure advanced settings, right-click the top level Defendpoint Settings node and
select Advanced Agent Settings

81 of 133
Document v.1.0
To add a new setting:
1. Select either 32-bit Agent Values if you want to configure a 32-bit registry setting, or 64-bit Agent Values
for a 64-bit registry setting.
2. Click Add Value. A new line is added to the advanced agent settings list.
3. Double-click the Value Name for the new setting, and enter the value name.
4. Choose the correct Type, either DWORD, String or Multi-String.
5. Double-click the Value Data for the new setting, and enter the value data. For DWORD values, you can
toggle the display type between Hexadecimal and Decimal.
6. Click OK when finished.
Each advanced agent setting adheres to Group Policy precedence rules. If advanced agent settings are
configured in multiple Group Policies, then the Group Policy with the highest precedence will be applied
(except for multi-string settings, which will be merged and consolidated by the Defendpoint Client).
Advanced Agent Settings should only be used when instructed to do so by Avecto Support.

82 of 133
Document v.1.0
Chapter 15 - Exporting and Importing
Defendpoint Settings
15.1 - Exporting and Importing Settings
The Defendpoint Settings can be exported to an XML file and imported back into the console.
This may be used to back up Defendpoint Settings or to distribute them using an XML file, as opposed to using
Group Policy.
To export the Defendpoint Settings to an XML file:

2. Right-click and select Export Defendpoint Settings.
To import the Defendpoint Settings from an XML file:

2. Right-click and select Import.
3. Select the appropriate XML file.
4. When prompted, either click Yes to merge the imported settings into the current settings or No to overwrite
the current settings.

83 of 133
Document v.1.0
Chapter 16 - Deleting Defendpoint
Settings
To delete Defendpoint Settings from a GPO (Group Policy Object ):
1. Select the Defendpoint Settings node for either the Computer Configuration or User Configuration
section, as appropriate.
2. On the Group Policy Management Editor Action menu, click Delete Defendpoint Settings.
3. When prompted for confirmation, click Yes to delete the Defendpoint Settings.
16.1 - Deleting Items and Conflict Resolution

Some items within the Defendpoint Settings are referenced in other areas, such as application groups, messages
and custom tokens. These items can be deleted at any time, and if they are not being referenced elsewhere, they
delete without any further action required.
When an item is deleted, the Defendpoint Policy Editor will check for any conflicts which may need to be resolved.
If the item being deleted is already in use elsewhere in your settings, then a conflict will be reported which will need
to be resolved.
You can review each detected conflict and observe the automatic resolution which will take place if you proceed. If
more than one conflict is reported, use the Next conflict and Previous conflict links to move between conflicts.
If you want to proceed, click Resolve All to remove the item from the areas of your Defendpoint Settings where it
is currently in use.

84 of 133
Document v.1.0
Chapter 17 - HTML View and Report
The Defendpoint Settings may be viewed as an HTML report, which follows the same style as the GPMC reports.
To show the HTML view:

2. Right-click and select View > HTML Report.
Defendpoint uses the same style as the GPMC for its HTML reports. You can expand and collapse the various
sections of the HTML report to show or hide more detailed information.
To return to the Workstyle Editor view:

2. Right-click and select View > Workstyles Editor.
You may also save the HTML report to a file (the HTML view does not have to be displayed to save the HTML
report).
To save a HTML Report:

2. Right-click and click Save Report.
3. Enter a filename for the report and click Save.
When displaying RSoP (Resultant Set of Policy) results the Defendpoint Settings Policy Editor will default to
HTML view, but a read-only Workstyles Editor view may also be displayed.

85 of 133
Document v.1.0
Chapter 18 - Deploying Defendpoint
Settings
18.1 - Group Policy Management
18.1.1 - Creating Defendpoint Settings
Defendpoint is implemented as an extension to Group Policy, enabling policy settings to be managed through the
standard Group Policy management tools. Defendpoint also supports AGPM (Advanced Group Policy
Management ) from versions 2.5 to 4.0.
GPOs (Group Policy Objects ) are usually managed through the GPMC (Group Policy Management Console ).
GPMC is a scriptable MMC (Microsoft Management Console) snap-in, providing a single administrative tool for
managing Group Policy across the enterprise. GPMC is the standard tool for managing Group Policy.
Defendpoint also supports Local Computer Policy, which can be edited in the Group Policy Editor, but this is only
recommended for small environments or for test purposes.
You may add Defendpoint Settings to existing GPOs or create new GPOs for this purpose.

86 of 133
Document v.1.0
To edit a GPO from the GPMC:
1. Launch the GPMC (gpmc.msc).
2. In the GPMC tree, double-click Group Policy Objects in the forest and domain containing the GPO that
you want to edit.
3. Right-click the GPO and click Edit.
The Group Policy Management Editor appears. Defendpoint Settings are available in both the Computer
Configuration and User Configuration nodes, which allow you to set either computer or user settings
respectively. Computer settings are updated when a computer starts up, whereas user settings are updated when
a user logs on. In addition, a background refresh occurs every 90 minutes by default, which will update settings
while the user is logged on.
Once a client has updated its Defendpoint Settings through Group Policy then the settings are applied dynamically.
Any logged on users do not need to log off for the changes to take effect.
Defendpoint Settings will either appear directly under the Computer Configuration and User
Configuration nodes, or under the Policies sub-node, if it exists.
To create Defendpoint settings for a GPO:

1. In the Group Policy Management Editor select the Defendpoint Settings node for either the Computer
Configuration or User Configuration section, as appropriate.
2. On the Group Policy Management Editor Action menu, click Create Defendpoint Settings.
3. Right-click the Workstyles node and select Create Workstyle. Choose a controlling or a blank workstyle.
Click Finish to create a workstyle based on your selection.
For information about workstyles, please see Workstyles detailed on page 29.

87 of 133
Document v.1.0
18.1.2 - Defendpoint Settings Scope
When deploying Defendpoint settings with Active Directory Group Policy there are two factors to consider; the
management scope of the GPO you have selected and the user or group accounts listed on the account filter
section of a Defendpoint workstyle.
When you create a new Defendpoint workstyle you are given the option of applying a filter that will either target
Standard users only or Everyone, including administrators.
Subsequently, you can further refine a sub-set of users that the workstyle will target by adding account filters.
These are defined on the Filters tab of a workstyle where you add groups and users (either domain or local) to the
filter. Do not leave the account filters empty or the workstyle will still apply to everyone.
Multiple account filters can be added to a workstyle, if you need add ‘AND’ logic to your filtering. For example, if
you want to target a user who is a member of ‘GroupA’ AND ‘GroupB’, then add two account filters to an account
filter, and select the box All items below must match.
You can also use computer filters to apply the workstyle to specific computers and connecting client devices.
These can be used in combination with account filters to provide more specific targeting of user / computer
combinations if required.
See Filtering Workstyles detailed on page 34 for more information.
18.1.3 - GPO Precedence and Inheritance Rules

Defendpoint Settings are associated with an Active Directory GPO and are distributed to all the computers and
users under the management scope of the GPO. As a result Defendpoint Settings are subject to the same Group
Policy processing and precedence rules as standard Active Directory GPOs.
18.1.4 - Order of Processing

Group Policy settings are processed in the following order:
1. Local Group Policy Object – Each computer has exactly one GPO that is stored locally. This applies to
both computer and user Group Policy processing.
2. Site – Any GPOs that have been linked to the site that the computer belongs to are processed next.
Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab
for the site in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest
precedence.
3. Domain – Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the
Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is
processed last, and therefore has the highest precedence.
4. Organizational Units – GPOs that are linked to the organizational unit that is highest in the Active
Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on.
Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.
At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If
several GPOs are linked to an organizational unit, their processing is in the order that is specified by the
administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the
lowest link order is processed last, and therefore has the highest precedence.

88 of 133
Document v.1.0
This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which
the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there
are conflicts.
Defendpoint merges settings so that settings with a higher precedence will be processed first. Once an application
matches a Defendpoint workstyle, no further workstyles will be processed for that application, so it is important to
keep this in mind when multiple GPOs are applied.
18.1.5 - Exceptions to Default Order of Processing

The default order for processing settings is subject to the following exceptions:
l A GPO link may be enforced, or disabled, or both. By default, a GPO link is neither enforced nor disabled.
l A GPO may have its user settings disabled, its computer settings disabled, or all settings disabled. By
default, neither user settings nor computer settings are disabled on a GPO.
l An organizational unit or a domain may have a Block Inheritance set. By default, Block Inheritance is not
set.
For information about the above modifications to default behavior, see Managing inheritance of Group Policy.
A computer that is a member of a workgroup processes only the local GPO.
18.1.6 - Defendpoint Settings Storage and Backup

Defendpoint stores its settings within Active Directory’s SYSVOL folder, within the storage area for the relevant
GPOs, which are identified by their GUIDs. The settings are stored in an XML file and Active Directory is then used
as the distribution mechanism.
Defendpoint Settings can be backed up by one of the following methods:
1. Defendpoint Settings files will be backed up as part of a standard ‘System State’ backup, which
organizations should be performing as part of their standard backup routines.
2. Perform a manual backup of a GPO from with the GPMC, which will back up the GPO settings and
Defendpoint’s XML files.
3. In addition, Defendpoint Settings may be manually exported and saved to a location of your choice. For
more information on how to perform an export/import of policies see Exporting and Importing
Defendpoint Settings detailed on page 83.
18.1.7 - Disconnected Users

Disconnected users are fully supported by Defendpoint. When receiving its settings from a GPO, Defendpoint
automatically caches all the information required to work offline, so the settings will still be applied if the client is
not connected to the corporate network. Of course, any changes made to the policy will not propagate to the
disconnected computer until it reconnects to the domain and receives a Group Policy refresh. This behavior is
identical to most of the standard Microsoft Group Policy settings.
Defendpoint also supports a completely standalone configuration mode, where the settings are configured via a
Local Group Policy for that machine, or deployed in a standalone XML configuration file. Again, these settings
contain all of the information required to apply these policies offline.

89 of 133
Document v.1.0
18.2 - Standalone Management
Although Defendpoint is implemented as a Group Policy extension, it also supports a standalone mode, which is
independent of Group Policy.
Standalone mode allows you to deploy the Defendpoint Settings with an XML file. You will need to employ a
suitable deployment mechanism to distribute the XML file to your client computers.
To run the Defendpoint Policy Editor in standalone mode:
1. Launch mmc.exe.
2. Select Add/Remove Snap-in from the File menu.
3. Select Defendpoint Settings from the available snap-ins and click Add.
4. Click OK.
The Defendpoint Policy Editor is now running in standalone mode and is not connected to a Group Policy Object
(GPO).
On Windows 7 onwards, the Defendpoint Settings will be saved to the following local XML file:
%ALLUSERSPROFILE%\Avecto\Privilege Guard\PrivilegeGuardConfig.xml
If you installed the Defendpoint Client when you installed the Defendpoint Policy Editor then the client will
automatically apply the policies in this XML file. For this reason, it is strongly recommended that you do not install
the client if you will be using the policy editor in standalone mode, unless you want the settings to be applied to your
management computer. This may be case if you are evaluating Defendpoint .
The Defendpoint settings are edited in the same way as when editing GPO based policies. To distribute the XML
file to multiple clients you will need to export the policies to an XML file and then deploy it to the location specified
above. The Defendpoint Client monitors this directory and will automatically load the XML file.
You must name the settings file PrivilegeGuardConfig.xml once it is deployed, otherwise the Defendpoint Client
will not load the settings. If you make changes to the Defendpoint settings, redeploy the modified XML file and the
Defendpoint Client will automatically reload the settings.
18.3 - PowerShell Management

The Avecto Defendpoint PowerShell API enables administrators to configure Defendpoint using PowerShell
scripts. This enables integrations with external systems, and provides an alternative to using the Avecto
management consoles.
Through the PowerShell API, you can create and modify any Defendpoint configuration within Domain Group
Policy, Local Group Policy, or any local configuration. The PowerShell API is available on any computer where the
Defendpoint Policy Editor or Defendpoint Client is installed.
For information on scripting Defendpoint configurations, refer to the Avecto Defendpoint PowerShell API
document and the accompanying help file PowerShell API.chm. Both of these documents are installed with the
Defendpoint Policy Editor, under C:\Program Files\Avecto\Privilege Guard Management Consoles\PowerShell\.

90 of 133
Document v.1.0
18.3.1 - Windows PowerShell Execution Policy
The PowerShell cmdlet Set-ExecutionPolicy must be set to AllSigned before running any Defendpoint
cmdlets/scripts.
The default PowerShell execution policy is Restricted which stops any scripts running. Setting the execution
policy to AllSigned enables scripts to be run as long as they are signed, as Defendpoint scripts are.
l AllSigned – Requires that all scripts and configuration files be signed by a trusted publisher, including
scripts that you write on the local computer.
Set-ExecutionPolicy AllSigned
This article shows how to configure the setting using Group Policy: http://technet.microsoft.com/en-
us/library/hh849812.aspx
18.3.2 - Executing PowerShell Configurations

PowerShell scripts and commands which use the Get-DefendpointSettings, Set-DefendpointSettings and Get-
DefendpointFileInformation cmdlets must be executed with admin rights on the target computer. If you are
elevating scripts and commands via the Defendpoint Remote PowerShell Management feature, you must ensure
that an Add Administrator Rights Custom Token has been assigned which includes the following Groups
settings:
l Enable anti-tamper protection check box as been cleared.

l Make sure the users is always the token owner check box has been selected.
When using PowerShell Management to apply changes to Defendpoint configurations stored in Active Directory
Group Policy, you will require domain level write access to the Group Policy Object.
Configurations created and edited via PowerShell are not backwards compatible with older Defendpoint /
Privilege Guard Clients, so we recommend that only configurations targeting version 4.0 Clients are
managed through PowerShell scripting.
18.4 - Webserver Management

18.4.1 - Deploying Workstyles via Web Services
For instances where Active Directory Group Policy is not suitable, such as for clients outside of the corporate
network, Defendpoint configurations may be hosted on a webserver via HTTP or HTTPS. The Defendpoint Client
can be configured to download configurations on a schedule.
Webserver configurations should be implemented as a complement to other configuration deployment

methods. Workstyle precedence can be customized so that webserver configurations are evaluated with the
correct priority. See Workstyle Precedence detailed on page 31 for more information.
To create an XML configuration for deployment from a webserver, see Exporting and Importing Defendpoint
Settings detailed on page 83. Defendpoint Clients may be configured to pull an XML configuration from a
webserver during the installation of the Client MSI or EXE, or for existing installations, can be configured via the
Windows Registry.

91 of 133
Document v.1.0
18.4.2 - Webserver Enabled Client Installation
To install the Defendpoint Client with webserver configurations enabled, there are several command line
arguments which can be used to configure the following settings:
Argument Description
WEBSERVERMODE= Enables webserver functionality (Required, 1 = Enabled)
WSP_URL= Specifies the full URL (including XML filename) to the webserver
configuration (required)
WSP_INTERVAL= Refresh interval for new configuration check in minutes (optional,
default 90 minutes)
WSP_LOGON= Check for new configuration at user logon (optional, default 1 =
Enabled)
WSP_CERT= The Common Name for a webserver certificate. When added, restricts
webserver downloads only if the common name matches the
webserver certificate, and the certificate is valid.
DOWNLOADAUDITMODE= Specifies the level of auditing for attempts to download webserver
configurations; 0 = No auditing, 1 = Failures only, 2 = Successes only,
3 = audit both (default)
POLICYENABLED= Specifies the policy deployment methods which are enabled. Add this
value to allow a webserver policy to be used by the Defendpoint Client:
WEBSERVER. See Deployment Methods detailed on page 94 for
more information.
Example:
Msiexec.exe /i DefendpointClient_x86.msi /qn /norestart WEBSERVERMODE=1 WSP_

URL=”http://MyWebServer.Internal/WebConfig.xml” WSP_INTERVAL=90
POLICYPRECEDENCE=”WEBSERVER,GPO,LOCAL”
DefendpointClient_x86.exe /s /v” WEBSERVERMODE=1 WSP_

URL=\”http://MyWebServer.Internal/WebConfig.xml\” WSP_INTERVAL=90
POLICYPRECEDENCE=\”WEBSERVER,GPO,LOCAL\””

92 of 133
Document v.1.0
18.4.3 - Enabling Webserver Policy Download via the Registry
At any time after the Defendpoint Client has been installed, webserver configuration may be set via the Windows
registry. The following registry entries are valid:
HKEY_LOCAL_MACHINE\Software\Avecto\Privilege Guard Client\
Value Data Data

WebServerPolicyUrl REG_SZ Specifies the full URL (including xml filename) to the
webserver configuration (Required)
WebServerPolicyRefreshIntervalMins DWORD Refresh interval for new configuration check in minutes
(Optional, default 90 minutes)
WebServerPolicyRefreshAtUserLogon DWORD Check for new configuration at user logon (Optional, default
1 = Enabled)
WebServerCertificateDisplayName REG_SZ The Common Name for a webserver certificate. When
added, restricts webserver downloads only if the common
name matches the webserver certificate, and the certificate
is valid.
DownloadAuditMode DWORD Specifies the level of auditing for attempts to download
webserver configurations (0 = No auditing, 1 = Failures
only, 2 = Successes only, 3 = audit both (default))
PolicyEnabled REG_SZ Specifies the policy deployment methods which are
enabled. Add this value allow a webserver policy to be used
by the Defendpoint Client: WEBSERVER See
Deployment Methods detailed on the next page for more
information.
18.5 - Configuration Precedence

Defendpoint supports a variety of deployment methods, and can accept multiple simultaneous configurations from
any combination of the following:
l Group Policy – Configurations that are stored in Group Policy Objects, configured via GPMC (Active
Directory Group Policy) and GPEdit (Local Group Policy). Group Policy based configurations are evaluated
according to GPO precedence rules.
l Local Policy – A standalone configuration, which is stored locally, configured via MMC.
l Webserver Policy – A configuration located on a web server, accessible via HTTP(s) or FTP.
l McAfee ePO Policy – A configuration that is stored within McAfee ePO, configured via the ePO policy
catalog.
Defendpoint uses a logical precedence to evaluate each configuration for matching rules. By default the client will
apply the following precedence:
ePO Policy > Webserver Policy > Group Policy > Local Policy
Configuration precedence settings can be configured either as part of the client installation, or via the Windows
Registry once the client has been installed.

93 of 133
Document v.1.0
To modify configuration precedence at client installation, use one of the following command lines to install the
Defendpoint Client with a specific configuration precedence:
msiexec /i DefendpointClient_x(XX).msi POLICYPRECEDENCE="EPO,WEBSERVER,GPO,LOCAL"
DefendpointClient_x(XX).exe /s /v“ POLICYPRECEDENCE=\"EPO,WEBSERVER,GPO,LOCAL\""
Where (XX) represents 86 or 64 in relation to the 32-bit or 64-bit installation respectively.
To modify configuration precedence via the Registry, run Regedit.exe with elevated privileges (ensuring you are
using a Defendpoint token with anti-tamper disabled) and navigate to the following key:
HKEY_LOCAL_MACHINE\Software\Avecto\Privilege Guard Client
REG_SZ PolicyPrecedence = "EPO,WEBSERVER,GPO,LOCAL"
18.6 - Deployment Methods

Certain types of deployment method may be enabled or disabled. By default, all deployment types are enabled. To
include or exclude a method of deployment from evaluation, edit the entries in the registry value below. If this key
does not already exist, then the default behavior is to include all methods:
HKEY_LOCAL_MACHINE\Software\Avecto\Privilege Guard Client
REG_SZ PolicyEnabled = "EPO,WEBSERVER,GPO,LOCAL"
Where "EPO,WEBSERVER,GPO,LOCAL" are the available deployment methods.
Registry settings may be deployed via the Advanced Agent Settings feature. For more information, see
Advanced Configuration Settings detailed on page 77. In order to apply a configuration deployment
method via Advanced Agent Settings, the setting must be applied to a type of configuration that is already
part of the configuration precedence order. For more information, see Configuration Precedence detailed
on the previous page.

94 of 133
Document v.1.0
Chapter 19 - Auditing and Reporting
The Defendpoint Client sends events to the local application event log, dependent on the audit and privilege
monitoring settings within the Defendpoint Settings.
19.1 - Process Events

Event ID Description
0 Service Control Success
1 Service Error
2 Service Warning
10 License Error
100 Process has started with admin rights added to token.
101 Process has been started from the shell context menu with admin rights added to token.
103 Process has started with admin rights dropped from token.
104 Process has been started from the shell context menu with admin rights dropped from
token.
106 Process has started with no change to the access token (passive mode).
107 Process has been started from the shell context menu with no change to the access token
(passive mode).
109 Process has started with user’s default rights enforced.
110 Process has started from the shell context menu with user’s default rights enforced.
112 Process requires elevated rights to run.
113 Process has started with custom token applied.
114 Process has started from the shell context menu with user’s custom token applied.
116 Process execution was blocked.
118 Process started in the context of the authorizing user
119 Process started from the shell menu in the context of the authorizing user
120 Process execution was canceled by the user
150 Defendpoint handled service control start action.
151 Defendpoint handled service control stop action.
152 Defendpoint handled service control pause/resume action.
153 Defendpoint handled service control configuration action.
154 Defendpoint blocked a service control start action.
155 Defendpoint blocked a service control stop action.
156 Defendpoint blocked a service control pause/resume action.
157 Defendpoint blocked a service control configuration action.
158 Defendpoint service control action run in the context of the authorizing user.

95 of 133
Document v.1.0
159 Defendpoint service control start action canceled.
160 Defendpoint service control stop action canceled.
161 Defendpoint service control pause/resume action canceled.
162 Defendpoint service control configuration action canceled.
198 Privileged group modification blocked.
199 Process execution was blocked, the maximum number of challenge / response failures
was exceeded.
200 Config Config Load Success
201 Config Config Load Warning
202 Config Config Load Error
210 Config Config Download Success
211 Config Config Download Error
300 User User Logon
400 Service Defendpoint Service Start
401 Service Defendpoint Service Stop
600 Process Content Has Been Opened (Updated Add Admin)
601 Process Content Has Been Updated (Updated Custom)
602 Process Content Access Drop Admin (Updated Drop Admin)
603 Process Content Access Was Cancelled By The User (Updated Passive)
604 Process Content Access Was Enforced With Default Rights (Updated Default)
605 Process Content Access Was Blocked
606 Process Content Access Was Cancelled
607 Process Content Access Was Sandboxed
650 Process URL Browse
706 Process Passive Audit DLL
716 Process Block DLL
720 Process Cancel DLL Audit

96 of 133
Document v.1.0
Each process event contains the following information:
l Command line for the process
l Process ID for the process (if applicable)
l Parent process ID of the process
l Policy that applied
l Application group that contained the process
l End user reason (if applicable)
l Custom access token (if applicable)
l File hash
l Certificate (if applicable)
Each process event also contains product properties, where applicable, but these can only be viewed in the
Defendpoint Reporting Console.
19.2 - Configuration Events

10 Defendpoint not licensed for configured action.
200 Successfully loaded Defendpoint configuration (information).
201 Loaded Defendpoint configuration but encountered non-critical problem (warning).
202 Failed to load Defendpoint configuration (error).
210 Successfully downloaded Defendpoint configuration.
211 Failed to download Defendpoint configuration.
Each configuration event contains the following information:
l File Name (cached XML file)

l Configuration Source (Group Policy or Local Computer)
l Configuration Security (plain rext XML or signed XML)
l Security Information (Subject DN of Signed Certificate)
l GPO Name
l GPO display Name
l GPO Version
l GPO Active Directory Path
l GPO File System Path
l GPO Link Information

97 of 133
Document v.1.0
19.3 - Content Events
600 Content has been updated with add admin rights token.
601 Content has been updated with a custom token.
602 Content has been updated with drop admin rights token.
603 Content has been updated with passive token.
604 Content has been updated with enforce user's default rights token.
605 Content access was blocked.
606 Content access was canceled by the user.
706 A Trusted Application Protection event was passively audited.
716 A Trusted Application Protection event was blocked.
720 A Trusted Application Protection event was canceled by the user.
Each content event contains the following information:

l Content File Name
l Content File Description
l Content File Version
l Content Owner SID
l Content Owner Name
l Content Owner Domain SID
l Content Owner Domain Name
l Content Owner Domain Name NetBIOS
l Controlling Process Command Line
l Controlling Process ID
19.4 - Auditing with Custom Scripts

When an application is allowed, elevated or blocked, Defendpoint will log an event to the application event log to
record details of the action. If you want to record the action in a bespoke or third-party tracking system that
supports PowerShell, VBScript or JScript based submissions, you can use the Run a Script setting within an
application rule.

98 of 133
Document v.1.0
To add a new auditing script:
1. Create a new or edit an existing Application Rule within a workstyle.
2. In Run a Script, click on the Off value and in the drop-down menu, select Manage Scripts to open the
Script Manager.
3. In the Script Manager, click New in the left-hand tree view. A new script will be added to the tree. Click the
name ‘New Script’ once to rename the script.
4. In the right-hand script editor, enter your script code either manually, by copy/paste, or you can import a
script from file by clicking Import.
5. In the Script Language drop-down menu, select either PowerShell, VB Script or Javascript depending on
the code format you have entered.
PowerShell audit scripts can only be run in the System context.
6. Select a Timeout for how long the script will be allowed to execute, before it is terminated. By default, this
will be set to Infinite.
7. Select whether the script should be executed in the System context or the current User context from the
Script Context drop-down menu.
8. Click OK to finish.
The new script will automatically be selected in the Run a Script setting.
If you have any existing scripts, these can be selected in the drop-down menu.

99 of 133
Document v.1.0
The auditing script supports the use of parameters within the script. Parameters are expanded using the COM
interface PGScript. For example:
strUserName = PGScript.GetParameter(“[PG_USER_NAME]”)
strCommandLine = PGScript.GetParameter(“[PG_PROG_CMD_LINE]”)
strAgentVersion = PGScript.GetParameter(“[PG_AGENT_VERSION]”)
For a list of available parameters, see the Workstyle Parameters detailed on page 123.
Scripts created in the script editor can be reused in multiple application rules and on-demand application
rules. Any modification to an existing script will affect all workstyle rules that have been configured to
execute that script.
19.5 - Defendpoint Reporting Console

The Reporting Console is an MMC snap-in and may connect to the local computer or a remote computer. The
Reporting Console enables you to view Defendpoint events and privilege monitoring logs for the relevant computer.
To run the Defendpoint Reporting Console:

1. Launch mmc.exe.
3. Select Defendpoint Reporting from the available snap-ins and click Add.
Before the snap-in is added you will be prompted to select a computer to manage. The local computer will be
selected by default. To connect to a remote computer select the Another computer option button and enter
the name of the remote computer or click the Browse button to browse for a computer. Defendpoint
supports connection to a central event collector if you are using event forwarding to centralize events to a
server.
You may also select an alternative location for the privilege monitoring logs, if you have a scripted solution in
place to centralize the privilege monitoring logs to a server. Enter the network location or click the Browse
button to browse to the location.
4. Click Finish.
5. Click OK.

100 of 133
Document v.1.0
You can add multiple instances of the Defendpoint Reporting snap-in and connect them to different
computers.
19.5.1 - Auditing Report

The Auditing Report lists all the Defendpoint events that have been logged at that computer.
For each event the following information is available:

l Date
l Event ID
l Filename (Codebase for ActiveX controls)
l Command Line
l Event Description
l Username
l Computer Name
l Policy
l Application Group
l Reason
l Custom Token
l Hash (CLSID for ActiveX controls)
l Certificate
l PID
l Parent PID
l Trusted Application Name
l Trusted Application Version
By default, the report will show all Defendpoint events from the event log, but you can filter the report on date, event
number, username and computer name. Click Update Report to reload the report.

101 of 133
Document v.1.0
The application definitions that are contained within each event may be copied and then pasted into application
groups in the Defendpoint Policy Editor. Select one or more events and then select Copy from the context menu.
You can now paste the applications into an application group.
19.5.2 - Privilege Monitoring Report

Application View
The application view shows a list of all applications that have been monitored. Applications are identified by their
file hash.
For each application the following information is available:

l Filename/Codebase
l Type
l Instances
l Description
l Certificate
l Hash (CLSID for ActiveX controls)
l Version (ActiveX controls only)
The instances column shows the number of times the application has been run. To view the individual instances for
an application, double-click the entry in the list or select Show Details from the context menu. The Process View
appears.
By default, the report will show all the monitored applications, but you may filter the report on date, username and
computer name. Click Update Report to reload the report.
Process View
The process view shows a list of the individual processes that have been monitored for an application.
For each process the following information is available:

l Date
l PID
l Command Line
l Filename
To view the activity for a process, double-click the entry in the list or select Show Details from the context menu.
The Activity View appears.

102 of 133
Document v.1.0
Activity View
The activity view shows a list of all the privileged activity that has been carried out by a process. Privileged activity
is any activity that would have failed under a standard user account.
For each activity entry the following information is available:
l Date
l Operation
l Object
l Parameters
To go back to the process view double-click the “back up” entry in the list or select Back Up from the context
menu. The Process View appears.
19.5.3 - Diagnosing Connection Problems

The Defendpoint Reporting Console needs to connect to the registry and administrator file shares when connecting
to a remote computer.
If the Reporting Console fails to connect or fails to retrieve data then the most common causes are:
1. The Remote Registry service needs to be started on the remote machine. On Windows 7 this service is not
set to start automatically, so you should ensure that it has been started.
2. The Windows Firewall may be blocking the incoming requests. Enabling the File and Printer Sharing
exception in the Windows Firewall Settings should resolve this problem.
19.6 - Defendpoint Activity Viewer

The Defendpoint Activity Viewer is an advanced diagnostics tool designed to help identify improvements in
Defendpoint workstyles. It allows IT administrators to remotely connect to any Defendpoint Client on the network
and view all recent activity on the desktop.
The Activity Viewer will collect a complete audit of every application that was run on the desktop, and provide a
detailed summary of how the Defendpoint Client interacted with those applications, what actions it applied, and the
rules that it used to determine that action.
The activity is displayed in a rich, detailed, yet simple to use interface that provides every snippet of information
required to better understand the workstyles deployed to endpoints, how they affect the applications being run, and
rapidly identify unexpected outcomes.
For more information and help with using the Defendpoint Activity Viewer, refer to the Activity Viewer Help from
within the Activity Viewer Management Console.

103 of 133
Document v.1.0
Chapter 20 - Defendpoint Client
20.1 - Installing the Defendpoint Client
The Defendpoint Client may be installed independently from the Defendpoint Console. This is the recommended
approach for any computers that do not require the management console to be installed.
The Defendpoint Client requires that short file name creation is enabled. For more information, refer to:
http://technet.microsoft.com/en-us/library/cc778996(v=ws.10).aspx
20.1.1 - Client Packages

To install the Defendpoint Client, run the appropriate installation package:
l For 32-bit (x86) systems run DefendpointClient_x86.exe

l For 64-bit (x64) systems run DefendpointClient_x64.exe
The installation will detect if any prerequisites are needed. Click Install to install any missing pre-requisites. This
may take a few minutes.
The client may be installed manually, but for larger installations it is recommended you use a suitable third party
software deployment system.
There is no license to add during the client installation, as this is deployed with the Defendpoint workstyles,
so the client may be installed silently.
20.1.2 - Unattended Client Deployment

When deploying the Defendpoint Client with automated deployment technologies, such as System Center
Configuration Manager (SCCM), it usually makes sense to deploy the client silently and postpone the computer
from restarting.
To install the client executable silently, without a reboot, use the following command line (the double quotes are
required and the syntax must be copied exactly):
DefendpointClient_x86.exe /s /v" /qn /norestart"
To install the client MSI package silently, without a reboot, use the following command line (double quotes are not
required but the syntax must be copied exactly):
Msiexec.exe /i DefendpointClient_x86.msi /qn /norestart
Defendpoint will not be fully operationally until a reboot is performed. To perform an unattended deployment
with a reboot omit the ‘/norestart’ switch.

104 of 133
Document v.1.0
20.1.3 - Defendpoint Client Certificate Mode
For details on installing the Defendpoint Client in Certificate Mode, please see Defendpoint Client Certificate
Mode detailed above.
For information on working with Signed Defendpoint Settings, please see Signing Defendpoint Settings with
Certificates detailed on page 118.
20.2 - Avecto End User Utilities

Defendpoint includes three end user utilities to enable users to manage advanced network adapter settings, printer
settings, and software installations, as many of these capabilities would usually be hosted in the explorer shell,
making it difficult to give these tasks elevated rights.
20.2.1 - Avecto Network Adapter Manager

The network adapter manager presents the network adapters to the end user in a familiar format.
From this utility a user can modify the properties of a network adapter, rename an adapter or disable an adapter.
In order to make the network adapter manager available to a user you must perform the following steps:
1. Add the Avecto Network Adapter Utility to the Defendpoint Settings and assign Admin Rights to this
application for the relevant users (the utility is included in the Application Templates).
2. Create a shortcut on the users’ desktop to the network adapter manager, PGNetworkAdapterUtil.exe,
which can be found in the Defendpoint Client installation directory (usually C:\Program
Files\Avecto\Privilege Guard Client).

105 of 133
Document v.1.0
20.2.2 - Avecto Printer Manager
The printer manager utility presents the printers to the end user in a familiar format.
From this utility a user can add and delete printers, set their default printer, access printer properties and
preferences, view the printer queue, access print server properties, and print a test page.
In order to make the printer manager available to a user you must perform the following steps:
1. Add the Avecto Printer Management Utility to the Defendpoint Settings and assign Admin Rights to
this application for the relevant users (the utility is included in the Application Templates).
2. Create a shortcut on the user’s desktop to the printer manager, PGPrinterUtil.exe, which can be found in
the Privilege Guard client installation directory (usually C:\Program Files\Avecto\Privilege
Guard Client).

106 of 133
Document v.1.0
20.2.3 - Avecto Programs and Features Manager
The programs and features manager presents the installed software to the end user in a familiar format.
From this utility a user can uninstall, change, and repair software that is installed on their computer.
In order to make the programs and features manager available to a user you must perform the following steps:
1. Add the Avecto Programs and Features Manager to the Defendpoint Settings and assign Admin
Rights to this application for the relevant users (the utility is included in the Application Templates).
2. Create a shortcut on the users desktop to the programs and features manager, PGProgramsUtil.exe,
which can be found in the Defendpoint Client installation directory (usually C:\Program
Files\Avecto\Privilege Guard Client).
By default, the PGProgramsUtil will not display Windows Updates. To enable the option to show updates (via a
toggle button), use the following command line switch:
PGProgramsUtil.exe /showupdates

107 of 133
Document v.1.0
Chapter 21 - Troubleshooting
21.1 - Resultant Set of Policy
Defendpoint provides full support for RSoP (Resultant Set of Policy). Resultant Set of Policy is usually accessed
through the GPMC (Group Policy Management Console).
The GPMC supports two modes of operation for RSoP:
l Group Policy Modelling (RSoP planning mode)

l Group Policy Results (RSoP logging mode)
RSoP can be used to establish which policy applies to a particular user or computer to aid troubleshooting. Detailed
HTML reports are generated, which may also be exported to aid policy documentation.
21.1.1 - Group Policy Modelling

To run a Group Policy Modelling query (RSoP planning), perform the following steps from the Group Policy
Management Console (GPMC):
1. Double-click the forest in which you want to create a Group Policy Modelling query.
2. Right-click Group Policy Modelling and click Group Policy Modelling wizard.
3. In the Group Policy Modelling wizard click Next and enter the appropriate information.
4. After completing the wizard, click Finish.
5. Right-click the node for the completed query in the console tree, and click Advanced View to launch the
Resultant Set of Policy window.
6. Select the Defendpoint Settings node under the Computer Configuration or User Configuration node
to view the RSoP HTML report for Defendpoint.
Defendpoint also appears in the Summary tab of the Group Policy Modeling node. Expand the Component
Status section of the HTML report to find out whether RSoP data has been collected for Defendpoint.
Defendpoint does not appear in the Settings tab of the Group Policy Modeling node, as third-party Group Policy
extensions are not detailed in this HTML report. You must use the Advanced View, as outlined above, to view
Defendpoint workstyles for an RSoP query.
21.1.2 - Group Policy Results

To run a Group Policy Results query (RSoP logging), perform the following steps from the GPMC:
1. Double-click the forest in which you want to create a Group Policy Results query.
2. Right-click Group Policy Results and click Group Policy Results wizard.
3. In the Group Policy Results wizard click Next and enter the appropriate information.
4. After completing the wizard, click Finish.
5. Right-click the node for the completed query in the console tree, and click Advanced View to launch the
Resultant Set of Policy window.
6. Select the Defendpoint Settings node under the Computer Configuration or User Configuration node to
view the RSoP HTML report for Defendpoint .

108 of 133
Document v.1.0
Defendpoint also appears in the Summary tab of the Group Policy Results node. Expand the Component
Status section of the HTML report to find out whether RSoP data has been collected for Defendpoint .
Defendpoint does not appear in the Settings tab of the Group Policy Results node, as third-party Group Policy
extensions are not detailed in this HTML report. You must use the Advanced View, as outlined above, to view
Defendpoint workstyles for an RSoP query.
21.2 - General Troubleshooting Tips

21.2.1 - Check Defendpoint is installed and functioning
If you are having problems the first step is to check that you have installed the client and that the client is
functioning.
The easiest way to determine that the client is installed and functioning is to check for the existence of the Avecto
Defendpoint Service in the Services Management Console. Ensure that this service is both present and started.
The Defendpoint service is installed by the Defendpoint Client and should start automatically.
The Defendpoint service requires MSXML6 in order to load the Defendpoint settings, but the service will still
run even if MSXML6 is not present.
Windows 7 and Windows Server 2008 R2 already include MSXML6.
21.2.2 - Check Settings are Deployed

Assuming the Defendpoint Client is installed and functioning, the next step is to check that you have deployed
settings to the computer or user.
You can use RSoP logging mode to determine whether the computer has received settings. Assuming the RSoP
query shows that Defendpoint Settings have been applied, you should check the contents of the settings (including
licensing and workstyle precedence).
21.2.3 - Check that Defendpoint is Licensed

One of the most common reasons for Defendpoint not functioning is the omission of a valid license from the
Defendpoint Settings.If you are creating multiple GPOs, then you must ensure that the computer or user receives
at least one GPO that contains a valid license. To avoid problems, it is simpler to add a valid license to every set of
Defendpoint Settings that you create.
21.2.4 - Check Workstyle Precedence

Assuming that Defendpoint is functioning and licensed, most other problems are caused by configuration problems
or workstyle precedence problems.
Once an application matches an application group entry in the application rules or the on-demand application
rules, then processing will not continue for that application. Therefore, it is vital that you order your entries
correctly:
l If you create multiple workstyles then workstyles higher in the list have a higher precedence.
l If you have multiple rules in the application rules and the on-demand application rules sections of a
workstyle then entries higher in the list have a higher precedence.

109 of 133
Document v.1.0
Application rules are applied to applications that are launched either directly by the user or by a running process.
On-demand application rules are only applied to applications that are launched from the Defendpoint shell menu
(if enabled).
If you have multiple GPOs applying to a user and/or computer then you should ensure that GPO precedence rules
are not causing the problem. If multiple GPOs are applied to a computer or user then the Defendpoint Client will
merge the computer GPOs and user GPOs by following Group Policy precedence rules. Once merged the user
workstyles will take precedence over the computer workstyles. In other words the computer workstyles will only be
processed if an application does not match an entry in the user workstyles.
For this reason, it is highly recommended that you do not created over-complex rules that rely on the merging of
many GPOs, as this can become difficult to troubleshoot. If, however, it makes sense to split rules over multiple
GPOs, you should make use of RSoP to ensure that workstyles are being combined correctly. You must also
remember that computer and user workstyles are processed separately, with user workstyles always being
processed ahead of computer workstyles, if both exist.

110 of 133
Document v.1.0
Appendix A - Appendices
A.1 - Built-in Groups
Defendpoint includes a number of built-in groups that may be used in any application rule or content rule. They
provide a simple and convenient way of applying broad rules to applications and content, in particular when defining
‘catch-all’ rules. Built-in groups also help to simplify your configurations by reducing the amount of groups.
Group Criteria Valid Types

Any Application Matches any application that executed. Will also Executables
match any child applications. Control Panel Applets
Installer Packages
Management Consoles
Windows Scripts
PowerShell Scripts
Batch Scripts
Registry Scripts
Any Signed Application Matches any application that executed which has Executables
been signed by a publisher. Will also match any Control Panel Applets
child applications of signed applications. Installer Packages
Management Consoles
Windows Scripts
PowerShell Scripts
Any UAC Prompt Matches any application that triggers a Windows Executables
UAC prompt. Will also match any child Installer Packages
applications. COM Classes
Any Signed UAC Prompt Matches any application that triggers a Windows Executables
UAC Prompt, which has been signed by a Installer Packages
publisher. Will also match any child applications. COM Classes
A.2 - Target Definitions

Defendpoint Targets are elements that can be added to groups. Defendpoint has two types of groups: application
groups and content groups. Therefore two targets exist that can be added to these groups: applications and
content.
Target definitions are used to define exactly what constitutes a valid target. It is these definitions that a target rule
will match against. The Defendpoint Client must match every definition you configure before it will trigger a match
(the rules are combined with a logical AND).
The following list describes all of the available target definitions:

111 of 133
Document v.1.0
A.2.1 - ActiveX Codebase
When inserting ActiveX controls this is enabled by default and it is recommended that you should use this option in
most circumstances. You must enter the URL to the codebase for the ActiveX control. You can choose to match
based on the following options (wildcard characters ? and * may be used):
l Exact Match
l Starts With
l Ends With
l Contains
l Regular Expressions
Although you can enter a relative codebase name, it is strongly recommended that you enter the full URL to the
codebase, as it is more secure.
A.2.2 - ActiveX Version

If the ActiveX control you entered has a version property then you can choose Check Min Version and/or Check
Max Version and edit the respective version number fields.
A.2.3 - AppId
This option allows you to match the App ID of the COM class, which is a GUID used by Windows to set properties
for a CLSID. AppIds can be used by 1 or more CLSIDs.
The available operators are identical to the File or Folder Name definition.
If you want to reverse the outcome of this definition, to target applications which do not match the definition, then
click the definition to toggle between matches and does NOT match.
A.2.4 - Application Requires Elevation (UAC)

This option can be used to check if an executable requires elevated rights to run and would cause UAC (User
Account Control) to be triggered. This is a useful way to replace inappropriate UAC prompts with Defendpoint end
user messages to either block or prompt the user for elevation.
A.2.5 - Application Requires Elevation (UAC) (Supported on 'Install' only)

This option can be used to check if an MSI requires elevated rights to run and would cause UAC (User Account
Control) to be triggered.
A.2.6 - Avecto Zone Identifier

This options allows you to match on the Avecto Zone Identifier tag, where present. If an ADS (Alternate Data
Stream) tag is applied by the browser, we also apply an Avecto Zone Identifier tag to the file. The Avecto Zone
Identifier tag can be used as matching criteria if required.
A.2.7 - CLSID
This option allows you to match the class ID of the ActiveX control or COM class, which is a unique GUID stored
in the registry.

112 of 133
Document v.1.0
A.2.8 - COM Display Name
If the class you entered has a Display Name then it will automatically be extracted and you can choose to match
on this property. By default a substring match is attempted (Contains). Alternatively, you may choose to pattern
match based on either a wildcard match (? and *) or a Regular Expression. The available operators are identical to
File or Folder Name definition.
A.2.9 - Command Line

If the filename is not specific enough you can match the command line, by checking this option and entering the
command line to match. By default a substring match is attempted (Contains). Alternatively, you may choose to
pattern match based on either a wildcard match (? and *) or a Regular Expression. The available operators are
identical to File or Folder Name definition.
PowerShell removes double quotes from command strings prior to them being transmitted to the target.
Therefore it is not recommended that Command Line definitions include double quotes, as they will fail to
match the command.
A.2.10 - Controlling Process

This option allows you to target content based on the process (application) that will be used to open the content file.
The application must have been added to an application group. You can also define whether any parent of the
application will match the definition.
A.2.11 - Drive
This option can be used to check the type of disk drive that where the file is located. Choose from one of the
following options:
l Fixed disk – Any drive that is identified as being an internal hard disk.
l Network – Any drive that is identified as a network share.
l RAM disk – Any drive that is identified as a RAM drive.
l Any Removable Drive or Media – If you want to target any removable drive or media, but are unsure of the
specific drive type, choose this option which will match any of the removable media types below.
Alternatively, if you want to target a specific type, choose from one of the following removable media types:
l Removable Media – Any drive that is identified as removable media.
l USB – Any drive that is identified as a disk connected via USB.
l CD/DVD – Any drive that is identified as a CD or DVD drive.
l eSATA Drive – Any drive that is identified as a disk connected via eSATA.

113 of 133
Document v.1.0
A.2.12 - File or Folder Name
Applications are validated by matching the file or folder name. You can choose to match based on the following
options (wildcard characters ? and * may be used):
l Exact Match
l Starts With
l Ends With
l Contains
Although you can enter relative filenames, it is strongly recommended that you enter the full path to a file or the
COM server. Environment variables are also supported.
It is not recommended that the definition File or Folder Name does NOT Match is used in isolation for
executable types, as it will result in matching every application, including hosted types such as Installer
packages, scripts, batch files, registry files, management consoles and Control Panel applets.
When creating blocking rules for applications or content, and the File or Folder Name is used as matching
criteria against paths which exist on network shares, this should be done using the UNC network path and
not by the mapped drive letter.
A.2.13 - File Hash (SHA-1 fingerprint)

If a reference file was entered, then an SHA-1 hash of the PowerShell script will be generated. This definition
ensures that the contents or the script file (which can normally be edited by any user) remain unchanged, as
changing a single character in the script will cause the SHA-1 Hash to change.
A.2.14 - File Version

If the file, service executable or COM server you entered has a File Version property then it will automatically be
extracted and you can choose Check Min Version and/or Check Max Version and edit the respective version
number fields.
A.2.15 - Parent Process

This option can be used to check if an application’s parent process matches a specific application group. You must
create an application group for this purpose or specify an existing application group in the Parent Process group.
Setting match all parents in tree to True will traverse the complete parent/child hierarchy for the application, looking
for any matching parent process, whereas setting this option to False will only check the application’s direct parent
process.

114 of 133
Document v.1.0
A.2.16 - Product Code
If the file you entered has a Product Code then it will automatically be extracted and you can choose to check this
code.
A.2.17 - Product Description

If the file you entered has a Product Description property then it will automatically be extracted and you can choose
to match on this property. By default a substring match is attempted (Contains). Alternatively, you may choose to
pattern match based on either a wildcard match (? and *) or a Regular Expression. The available operators are
identical to the File or Folder Name definition.
A.2.18 - Product Name

If the file, COM server or service executable you entered has a Product Name property then it will automatically be
extracted and you can choose to match on this property. By default a substring match is attempted (Contains).
Alternatively, you may choose to pattern match based on either a wildcard match (? and *) or a Regular
Expression. The available operators are identical to the File or Folder Name definition.
A.2.19 - Product Version

If the file or COM server or service executable you entered has a Product Version property then it will automatically
be extracted and you can choose Check Min Version and/or Check Max Version and edit the respective version
number fields.
A.2.20 - Publisher
This option can be used to check for the existence of a valid publisher. If you have browsed for an application, then
the certificate subject name will automatically be retrieved, if the application has been signed. For Windows
system files the Windows security catalog is searched, and if a match is found then the certificate for the security
catalog is retrieved. Publisher checks are supported on Executables, Control Panel Applets, Installer Packages,
Windows Scripts and PowerShell Scripts. By default a substring match is attempted (Contains). Alternatively, you
may choose to pattern match based on either a wildcard match (? and *) or a Regular Expression. The available
operators are identical to the File or Folder Name definition.

115 of 133
Document v.1.0
A.2.21 - Service Action
This option allows you to define the actions which are allowed. Choose from:
l Service Stop – Grants permission to stop the service.

l Service Start – Grants permission to start the service.
l Service Pause / Resume – Grants permission to pause and resume the service.
l Service Configure – Grants permission to edit the properties of the service.
A.2.22 - Service Name

This option allows you to match the name of the Windows service, for example "W32Time". You may choose to
match based on the following options (wildcard characters ? and * may be used):
l Exact Match
l Starts With
l Ends With
l Contains
A.2.23 - Service Display Name

This option allows you to match the name of the Windows service, for example "W32Time". You may choose to
match based on the following options (wildcard characters ? and * may be used):
l Exact Match
l Starts With
l Ends With
l Contains
A.2.24 - Source URL

If an application was downloaded using a web browser, this option can be used to check where the application or
installer was originally downloaded from. The application is tracked by Defendpoint at the point it is downloaded, so
that if a user decided to run the application or installer at a later date, the source URL can still be verified. By default
a substring match is attempted (Contains). Alternatively, you may choose to pattern match based on either a
wildcard match (? and *) or a Regular Expression. The available operators are identical to the File or Folder
Name definition.

116 of 133
Document v.1.0
A.2.25 - Trusted Ownership
This option can be used to check if an application’s file is owned by a trusted owner (the trusted owner accounts
are SYSTEM, Administrators or Trusted Installer).
A.2.26 - Upgrade Code

If the file you entered has an Upgrade Code then it will automatically be extracted and you can choose to check this
code.
A.2.27 - Windows Store Application Version

This option allows you to match the version of the Windows Store application, for example "16.4.4204.712". You
can choose Check Min Version and/or Check Max Version and edit the respective version number fields.
A.2.28 - Windows Store Package Name

This option allows you to match the name of the Windows Store application, for example
"microsoft.microsoftskydrive". You can choose to match based on the following options (wildcard characters ? and
* may be used):
l Exact Match
l Starts With
l Ends With
l Contains

117 of 133
Document v.1.0
A.2.29 - Windows Store Publisher
This option allows you to match the publisher name of the Windows Store Application, for example "Microsoft
Corporation". By default a substring match is attempted (Contains). Alternatively, you may choose to pattern
match based on either a wildcard match (? and *) or a Regular Expression. The other available operators are:
l Exact Match
l Starts With
l Ends With
l Contains
The Browse File and Browse Apps options can only be used if configuring Defendpoint Settings from a
Windows 8 client.
A.3 - Signing Defendpoint Settings with Certificates

A.3.1 - Creating a PFX file suitable for use with Defendpoint
The Defendpoint Settings console requires access to a certificate and private key in order to digitally sign XML
configuration. They must both be contained within a PFX or PKCS#12 format file, and the certificate must
specifically be designated as suitable for signing Privilege Guard XML configuration. This is done via the Enhanced
Key Usage extension when generating certificates.
This approach provides another means of ensuring that configuration cannot be created and signed by rogue users
with access to a digital signature certificate intended for a different purpose.
Avecto has defined the following OID that should be added to the Enhanced Key Usage extension:
1.2.826.0.1.6538381.1.1.1 (Avecto Privilege Guard - Configuration - XML

Configuration Signing)
The Defendpoint Settings console does not check for the existence of this key usage. The checks are
performed when verifying digital signatures in the Defendpoint service. A configuration that is signed with a
key that does not contain the specified Enhanced Key Usage extension, will always fail signature verification
checks.
The following sections provide details of two methods that can be used to generate a suitable PFX file, but it should
be possible to use any Certification Authority to produce certificates with the appropriate Enhanced Key Usage
extension.
Using Makecert to generate a suitable test PFX file
Makecert is a certificate generation tool available from Microsoft that can be used to generate certificates for
testing purposes.

118 of 133
Document v.1.0
The following makecert command line can be used to generate a certificate suitable for signing Privilege Guard
configuration:
makecert -r -pe -n "CN=PG Signed XML Configuration" -sky signature -eku

1.2.826.0.1.6538381.1.1.1 -ss my
The parameters can be changed as required. The example will generate a self-signed certificate with an exportable
private key, and adds it to the calling user’s local certificate store. The certificate must then be exported to a PFX
file along with the private key in the usual way.
The important parameter in the example is the addition of the Defendpoint Configuration Signing OID to the
Enhanced Key Usage extension (-eku 1.2.826.0.1.6538381.1.1.1)
If a self-signed certificate is used to sign the Defendpoint Settings, the certificate must be distributed to all clients
in order for a chain of trust to be established and for signature verification to be successful. See Distributing
Public Keys detailed on page 122 for more information.
A.3.2 - Using Certificate Template in a Certificate Request

Once the certificate template has been issued, the template can be used during advanced certificate requests via
the certsrv web interface, as shown below.

119 of 133
Document v.1.0
Once the certificate has been issued, it must be installed by the user before it can be exported to a PFX file in the
usual way.
The private key must be exported to the PFX file as well.
Using Microsoft Certificate Services to generate a suitable PFX file
Microsoft Certificate Services is a useful way for organizations to run their own Certification Authority. In its
enterprise editions, Certificate Services integrates with Active Directory to publish certificates and Certificate
Revocation Lists to a location that is accessible to all computers in the Active Directory domain.
Custom certificate templates can only be managed using enterprise CAs, therefore the following procedure
is only possible on Enterprise Editions of Windows 2008 R2.
A.3.3 - Creating a Defendpoint Configuration Certificate Template

The easiest way to create a certificate with the Avecto Defendpoint Configuration Signing Enhanced Key Usage
extension is to create a new certificate template. Certificate templates allow the content and format of certificates
to be defined so that users can request a certificate using a simple template rather than having to generate a
complex certificate request.
In order to create a new certificate template an existing template must be duplicated and then modified.
To create a new version 2 or 3 certificate template:

1. Open the Certificate Templates snap-in.
2. In the details pane, right-click an existing certificate that will serve as the starting point for the new
certificate, and select Duplicate Template.
3. Choose whether to duplicate the template as a Windows Server 2003–based template or a Windows Server
2008 R2–based template.
4. On the General tab, enter the Template display name and the Template name, and click OK.
5. Define any additional attributes for the newly created certificate template.
The template must then be edited in order to make it suitable for signing Defendpoint configuration. This is done by
adding the Avecto Defendpoint Configuration Signing OID as an application policy for the template.
Firstly, the Configuration Signing OID must be defined.
To define an object identifier:

2. In the details pane, right-click the certificate template you want to modify, and then click Properties.
3. On the Extensions tab, click Application Policies, and then click Edit.
4. In the Edit Application Policies Extension dialog box, click Add.
5. In Add Application Policy, ensure that the Defendpoint Configuration Signing policy that you are creating
does not exist, and then click New.
6. In the New Application Policy dialog box, provide the name and OID for the new application policy, as
shown below, and then click OK.

120 of 133
Document v.1.0
Now that the application policy has been defined, you can then associate it with the certificate template.
To associate the application policy with the certificate template:

2. In the details pane, right-click the certificate template you want to change, and then click Properties.
3. On the Extensions tab, click Application Policies, and then click Edit.
4. In Edit Application Policies Extension, click Add.
5. In Add Application Policy, click the desired application policy, and then click OK.
A.3.4 - Issuing the Defendpoint Configuration Certificate Template

Once the certificate template has been created in the Certificate Templates snap-in and has replicated to all
domain controllers in the forest, it can now be published for deployment. The final task for publishing the certificate
template is to select it for the CA (Certification Authority) to issue.
To define which certificate templates are issued by a CA:
1. In Administrative Tools, click Certification Authority.

2. In the console tree, expand CAName (where CAName is the name of your enterprise CA).
3. In the console tree, select the Certificate Templates container.
4. Right-click Certificate Templates, and then click New, Certificate Template to Issue.
5. In the Enable Certificate Templates dialog box, select the Defendpoint Configuration certificate template
that you want the CA to issue, and then click OK.
In a Windows 2000 Server–based CA, the container is named Policy Settings.

121 of 133
Document v.1.0
A.3.5 - Distributing Public Keys
In order for signature verification to be successful at every client that reads signed Defendpoint Settings, a chain of
trust must be established. For this to be done, a suitable trust point must be distributed to each client that will
receive the Defendpoint Settings. This should be done automatically when using a Microsoft enterprise CA.
Alternatively, public keys can be distributed via Group Policy, as discussed in the following TechNet article: Use
Policy to Distribute Certificates.
If you rely on third party providers for certificates, for example, not internal PKI, you will succeed by asking
for a "key signing ceremony" that will allow you to specify the certificate parameters such as custom
"extended key usage" values as described in this appendix.
A.4 - Using Defendpoint with McAfee ePO

The Defendpoint Client can optionally be configured to raise events into McAfee ePO.
A.4.1 - Prerequisites
The McAfee ePO Agent must be installed on the same machine as the Defendpoint Client.
A.4.2 - Manual Installation of Defendpoint Agent in ePO Mode

The Defendpoint Client must be installed in ePO Mode, either by selecting the McAfee ePolicy Orchestrator
Integration option when installing the Defendpoint Management Consoles, or by using a command-line option if
installing the client separately. This will install additional components required to communicate with the McAfee
ePO Agent.
To install the client MSI package silently in ePO Mode, use the following command line:
MSIEXEC.exe DefendpointClient.msi –qn EPOMODE=1
To install the client executable silently in ePO Mode, use the following command line:
DefendpointClient.exe /s /v“ /qn EPOMODE=1”
If you are deploying Defendpoint using McAfee ePO, then ePO Mode is automatically enabled.
A.4.3 - Disabling ePO Mode

Once installed in ePO Mode, the Defendpoint Agent will automatically raise events to the ePO Agent, as well as
raising events to the Application Event Log. If you wish to disable ePO mode at any time, set the following registry
key:
HKEY_LOCAL_MACHINE\Software\Avecto\Privilege Guard Client\
DWORD “EPOMode”=0
To re-enable ePO logging, set the above DWORD value to 1.

122 of 133
Document v.1.0
A.5 - Workstyle Parameters
The Defendpoint Settings include a number of features that allow customization of text and strings that are used for
end user messaging and auditing. If you want to include properties that relate to the settings applied, the application
being used, the user or the installation of the Defendpoint Client, then parameters may be used that expand when
the text is used.
Parameters are identified as any string surrounded by [square parentheses], and if detected, the agent will attempt
to expand the parameter. If successful, the parameter will be replaced with the expanded property. If unsuccessful,
the parameter will remain part of the string. The table below shows a summary of all available parameters and
where they are supported.
[PG_ACTION] The action which the user performed from an end user message
[PG_AGENT_VERSION] The version of the Privilege Guard Client
[PG_APP_DEF] The name of the application rule that matched the application
[PG_APP_GROUP] The name of the application group that contained a matching application rule
[PG_AUTH_USER_DOMAIN] The domain of the designated user who authorized the application
[PG_AUTH_USER_NAME] The account name of the designated user who authorized the application
[PG_COM_APPID] The APPID of the COM component being run
[PG_COM_CLSID] The CLSID of the COM component being run
[PG_COM_NAME] The name of the COM component being run
[PG_COMPUTER_DOMAIN] The name of the domain that the host computer is a member of
[PG_COMPUTER_NAME] The NetBIOS name of the host computer
[PG_CONTENT_DEF] The definition name of the matching content
[PG_CONTENT_FILE_DRIVE_ The drive type of a matching content
TYPE]
[PG_CONTENT_FILE_HASH] The SHA-1 hash of a matching content
[PG_CONTENT_FILE_IE_ The Internet Zone of a matching content
ZONE]
[PG_CONTENT_FILE_NAME] The file name of a matching content
[PG_CONTENT_FILE_OWNER] The owner of a matching content
[PG_CONTENT_FILE_PATH] The full path of a matching content
[PG_CONTENT_GROUP] The group name of a matching content definition
[PG_DOWNLOAD_URL] The full URL from which an application was downloaded
[PG_DOWNLOAD_URL_ The domain from which an application was downloaded
DOMAIN]
[PG_EVENT_TIME] The date / time that the policy matched
[PG_EXEC_TYPE] The type of execution method: application rule or shell rule
[PG_GPO_DISPLAY_NAME] The display name of the GPO (Group Policy Object)
[PG_GPO_NAME] The name of the GPO that contained the matching policy

123 of 133
Document v.1.0
[PG_GPO_VERSION] The version number of the GPO that contained the matching policy
[PG_MESSAGE_NAME] The name of the custom message that was applied
[PG_MSG_CHALLENGE] The 8 digit challenge code presented to the user
[PG_MSG_RESPONSE] The 8 digit response code entered by the user
[PG_POLICY_NAME] The name of the policy
[PG_PROG_CLASSID] The ClassID of the ActiveX control
[PG_PROG_CMD_LINE] The command line of the application being run
[PG_PROG_DRIVE_TYPE] The type of drive where application is being executed
[PG_PROG_FILE_VERSION] The file version of the application being run
[PG_PROG_HASH] The SHA-1 hash of the application being run
[PG_PROG_NAME] The program name of the application
[PG_PROG_PARENT_NAME] The file name of the parent application
[PG_PROG_PARENT_PID] The process identifier of the parent of the application
[PG_PROG_PATH] The full path of the application file
[PG_PROG_PID] The process identifier of the application
[PG_PROG_PROD_VERSION] The product version of the application being run
[PG_PROG_PUBLISHER] The publisher of the application
[PG_PROG_TYPE] The type of application being run
[PG_PROG_URL] The URL of the ActiveX control
[PG_SERVICE_ACTION] The action performed on the matching service
[PG_SERVICE_DISPLAY_ The display name of the Windows service
NAME]
[PG_SERVICE_NAME] The name of the Windows service
[PG_STORE_PACKAGE_ The package name of the Windows Store App
NAME]
[PG_STORE_PUBLISHER] The package publisher of the Windows Store app
[PG_STORE_VERSION] The package version of the Windows Store app
[PG_TOKEN_NAME] The name of the built-in token or custom token that was applied
[PG_URL_ADDRESS] The full address of the matching URL
[PG_URL_DEF] The definition name of the matching URL
[PG_URL_GROUP] The URL group name of the matching URL
[PG_URL_HOST] The hostname of the matching URL
[PG_URL_IE_ZONE] The Internet Zone of the matching URL
[PG_URL_PROTOCOL] The protocol of the matching URL
[PG_USER_DISPLAY_NAME] The display name of the user
[PG_USER_DOMAIN] The name of the domain that the user is a member of

124 of 133
Document v.1.0
[PG_USER_NAME] The account name of the user
[PG_USER_REASON] The reason entered by the user
[PG_USER_SID] The SID of the user
[PG_WORKSTYLE_NAME] The name of the workstyle
A.6 - Automating the Update of Multiple GPOs

The PGUpdateGPO.exe command line utility allows you to automate the update of Defendpoint settings in
multiple computer or user GPOs (Group Policy Objects).
The PGUPdateGPO.exe utility is used as follows:
PGUpdateGPO.exe COMPUTER GPODSPath [SourceXMLFile]
PGUpdateGPO.exe USER GPODSPath [SourceXMLFile]
Where:
l GPODSPath is the LDAP path to the GPO

l SourceXMLFile is the location of the Defendpoint Settings XML file on disk
The command line below demonstrates using this utility to copy an XML file from the current directory into the
computer section of a GPO stored in Avecto.test:
PGUpdateGPO.exe COMPUTER "LDAP://avecto.test/cn={97B1DB2E-D68B-45EA-98FF-

D71F9971F44C},cn=policies,cn=system,DC=avecto,DC=test" PrivilegeGuardConfig.xml
Where:
l {97B1DB2E-D68B-45EA-98FF-D71F9971F44C} is the GUID of the GPO.
A.7 - Environment Variables

Defendpoint supports the use of the following environment variables within file path and command line application
definitions:
System Variables
l %ALLUSERSPROFILE%
l %COMMONPROGRAMFILES(x86)%
l %COMMONPROGRAMFILES%
l %PROGRAMDATA%
l %PROGRAMFILES(x86)%
l %PROGRAMFILES%
l %SYSTEMROOT%
l %SYSTEMDRIVE%
User Variables

125 of 133
Document v.1.0
l %APPDATA%
l %USERPROFILE%
l %HOMEPATH%
l %HOMESHARE%
l %LOCALAPPDATA%
l %LOGONSERVER%
To use any of the environment variables above, enter the variable, including the % characters, into a file path or
command line. The Defendpoint Client will expand the environment variable prior to attempting a file path or
command line match.
A.8 - Regular Expressions Syntax

Defendpoint can control applications at a granular level by using regular expression syntax. Defendpoint uses the
ATL regular expression library CAtlRegExp. Below is a summary of the regular expression syntax used by this
library.
Metacharacter Meaning Example

Any character All characters except the listed special characters match a single “abc” matches “abc”
except instance of themselves. To match one of these listed characters
[\^$.|?*+() use a backslash escape character (see below).
\ (backslash) Escape character: interpret the next character literally. “a\+b” matches “a+b”
. (dot) Matches any single character. “a.b” matches “aab”, “abb”
or “acb”, etc.
[ ] Indicates a character class. Matches any character inside the “[abc]” matches "a", "b", or
brackets (for example, [abc] matches "a", "b", and "c"). "c"
^ (caret) If this metacharacter occurs at the start of a character class, it “[^abc]” matches all
negates the character class. A negated character class matches characters except "a", "b",
any character except those inside the brackets (for example, [^abc] and "c"
matches all characters except "a", "b", and "c").
If ^ is at the beginning of the regular expression, it matches the

beginning of the input (for example, ^[abc] will only match input that
begins with "a", "b", or "c").
- (minus In a character class, indicates a range of characters (for example, “[0-9]” matches any of the
character) [0-9] matches any of the digits "0" through "9"). digits "0" through "9"
? Indicates that the preceding expression is optional: it matches once “ab?c” matches "ac" or
or not at all (for example, [0-9][0-9]? matches "2" and "12"). "abc"
+ Indicates that the preceding expression matches one or more times “ab+c” matches "abc" and
(for example, [0-9]+ matches "1", "13", "666", and so on). "abbc", “abbbc”, etc.
* (asterisk) Indicates that the preceding expression matches zero or more times “ab*c” matches "ac" and
"abc", “abbc”, etc.
| (vertical pipe) Alternation operator: separates two expressions, exactly one of “a|b” matches “a” or “b”
which matches.

126 of 133
Document v.1.0
Metacharacter Meaning Example
??, +?, *? Non-greedy versions of ?, +, and *. These match as little as Given the input
possible, unlike the greedy versions which match as much as "<abc><def>", <.*?>
possible. Example: given the input "<abc><def>", <.*?> matches matches "<abc>" while
"<abc>" while <.*> matches "<abc><def>". <.*> matches
"<abc><def>".
( ) Grouping operator. Example: (\d+,)*\d+ matches a list of numbers “(One)|(Two)” matches
separated by commas (such as "1" or "1,23,456"). "One" or "Two"
{ } Indicates a match group. The actual text in the input that matches
the expression inside the braces can be retrieved through the
CAtlREMatchContext object.
\ Escape character: interpret the next character literally (for example, <{.*?}>.*?</\0> matches
[0-9]+ matches one or more digits, but [0-9]\+ matches a digit "<head>Contents</head>"
followed by a plus character). Also used for abbreviations (such as
\a for any alphanumeric character; see table below).
If \ is followed by a number n, it matches the nth match group

(starting from 0). Example: <{.*?}>.*?</\0> matches
"<head>Contents</head>".
Note that in C++ string literals, two backslashes must be used:

"\\+", "\\a", "<{.*?}>.*?</\\0>".
$ At the end of a regular expression, this character matches the end of [0-9]$ matches a digit at
the input. Example: [0-9]$ matches a digit at the end of the input. the end of the input
| Alternation operator: separates two expressions, exactly one of T|the matches "The" or
which matches (for example, T|the matches "The" or "the"). "the")
! Negation operator: the expression following ! does not match the a!b matches "a" not
input. Example: a!b matches "a" not followed by "b". followed by "b"
For more information, see

http://msdn.microsoft.com/en-us/library/k3zs4axe(v=vs.71).aspx
A.9 - Example PowerShell Configurations

A.9.1 - Create New Configuration, Save to Local File
# Import both Defendpoint cmdlet module
Import-Module 'C:\Program Files\Avecto\Privilege Guard
Client\PowerShell\Avecto.Defendpoint.Cmdlets\Avecto.Defendpoint.Cmdlets.dll'
# Create a new variable containing a new Defendpoint Configuration Object
$PGConfig = New-Object Avecto.Defendpoint.Settings.Configuration
## Add License ##
# Create a new license object
$PGLicence = New-Object Avecto.Defendpoint.Settings.License
# Define license value
$PGLicence.Code = "5461E0D0-DE30-F282-7D67-A7C6-B011-2200"
# Add the License object to the local PG Config file
$PGConfig.Licenses.Add($PGLicence)

127 of 133
Document v.1.0
## Add Application Group ##
# Create an Application Group object
$AppGroup = new-object Avecto.Defendpoint.Settings.ApplicationGroup
# Define the value of the Application Group name
$AppGroup.name = "New App Group"
# Add the Application Group object to the local PG Config file
$PGConfig.ApplicationGroups.Add($AppGroup)
## Add Application ##
# Create an application object
$PGApplication = new-object Avecto.Defendpoint.Settings.Application $PGConfig
# Use the Get-DefendpointFileInformation to target Windows Calculator
$PGApplication = Get-DefendpointFileInformation -Path
C:\windows\system32\calc.exe
# Add the application to the Application group
$PGConfig.ApplicationGroups[0].Applications.AddRange($PGApplication)
## Add Message ##
# Create a new message object
$PGMessage = New-Object Avecto.Defendpoint.Settings.message $PGConfig
#Define the message Name, Description and OK action and the type of message
$PGMessage.Name = "Elevation Prompt"
$PGMessage.Description = "An elevation message"
$PGMessage.OKAction = [Avecto.Defendpoint.Settings.Message+ActionType]::Proceed
$PGMessage.Notification = 0
# Define whether the message is displayed on a secure desktop
$PGMessage.ShowOnIsolatedDesktop = 1
# Define How the message contains
$PGMessage.HeaderType =
[Avecto.Defendpoint.Settings.message+MsgHeaderType]::Default
$PGMessage.HideHeaderMessage = 0
$PGMessage.ShowLineOne = 1
$PGMessage.ShowLineTwo = 1
$PGMessage.ShowLineThree = 1
$PGMessage.ShowReferLink = 0
$PGMessage.ShowCancel = 1
$PGMessage.ShowCRInfoTip = 0
# Define whether a reason settings
$PGMessage.Reason = [Avecto.Defendpoint.Settings.message+ReasonType]::None
$PGMessage.CacheUserReasons = 0
# Define authorization settings
$PGMessage.PasswordCheck =
Avecto.Defendpoint.Settings.message+AuthenticationPolicy]::None
$PGMessage.AuthenticationType =
[Avecto.Defendpoint.Settings.message+MsgAuthenticationType]::Any
$PGMessage.RunAsAuthUser = 0
# Define Message strings
$PGMessage.MessageStrings.Caption = "This is an elevation message"
$PGMessage.MessageStrings.Header = "This is an elevation message header"
$PGMessage.MessageStrings.Body = "This is an elevation message body"
$PGMessage.MessageStrings.ReferURL = "http:\\www.bbc.co.uk"
$PGMessage.MessageStrings.ReferText = "This is an elevation message refer"
$PGMessage.MessageStrings.ProgramName = "This is a test Program Name"

128 of 133
Document v.1.0
$PGMessage.MessageStrings.ProgramPublisher = "This is a test Program Publisher"
$PGMessage.MessageStrings.PublisherUnknown = "This is a test Publisher Unknown"
$PGMessage.MessageStrings.ProgramPath = "This is a test Path"
$PGMessage.MessageStrings.ProgramPublisherNotVerifiedAppend = "This is a test
verification failure"
$PGMessage.MessageStrings.RequestReason = "This is a test Request Reason"
$PGMessage.MessageStrings.ReasonError = "This is a test Reason Error"
$PGMessage.MessageStrings.Username = "This is a test Username"
$PGMessage.MessageStrings.Password = "This is a test Password"
$PGMessage.MessageStrings.Domain = "This is a test Domain"
$PGMessage.MessageStrings.InvalidCredentials = "This is a test Invalid Creds"
$PGMessage.MessageStrings.OKButton = "OK"
$PGMessage.MessageStrings.CancelButton = "Cancel"
# Add the PG Message to the PG Configuration
$PGConfig.Messages.Add($PGMessage)
## Add custom Token ##
# Create a new custom Token object
$PGToken = New-Object Avecto.Defendpoint.Settings.Token
# Define the Custom Token settings
$PGToken.Name = "Custom Token 1"
$PGToken.Description = "Custom Token 1"
$PGToken.ClearInheritedPrivileges = 0
$PGToken.SetAdminOwner = 1
$PGToken.EnableAntiTamper = 0
$PGToken.IntegrityLevel =
Avecto.Defendpoint.Settings.Token+IntegrityLevelType]::High
# Add the custom token to the PG Configuration
$PGConfig.Tokens.Add($PGToken)
## Add Policy ##
# Create new policy object
$PGPolicy = new-object Avecto.Defendpoint.Settings.Policy $PGConfig
# Define policy details
$PGPolicy.Disabled = 0
$PGPolicy.Name = "Policy 1"
$PGPolicy.Description = "Policy 1"
# Add the policy to the PG Configurations
$PGConfig.Policies.Add($PGPolicy)
## Add Policy Rule ##
# Create a new policy rule
$PGPolicyRule = New-Object Avecto.Defendpoint.Settings.ApplicationAssignment
PGConfig
# Define the Application rule settings
$PGPolicyRule.ApplicationGroup = $PGConfig.ApplicationGroups[0]
$PGPolicyRule.BlockExecution = 0
$PGPolicyRule.ShowMessage = 1
$PGPolicyRule.Message = $PGConfig.Messages[0]
$PGPolicyRule.TokenType =
[Avecto.Defendpoint.Settings.Assignment+TokenTypeType]::AddAdmin
$PGPolicyRule.Audit = [Avecto.Defendpoint.Settings.Assignment+AuditType]::On
$PGPolicyRule.PrivilegeMonitoring =

129 of 133
Document v.1.0
[Avecto.Defendpoint.Settings.Assignment+AuditType]::Off
$PGPolicyRule.ForwardEPO = 0
$PGConfig.Policies[0].ApplicationAssignments.Add($PGPolicyRule)
## Set the Defendpoint configuration to a local file and prompt for user
confirmation ##
Set-DefendpointSettings -SettingsObject $PGConfig -Localfile –Confirm
A.9.2 - Open Local User Policy, Modify then Save

# Import the Defendpoint cmdlet module
# Get the local file policy Defendpoint Settings
$PGConfig = Get-DefendpointSettings -LocalFile
# Disable a policy
$PGPolicy = $PGConfig.Policies[0]
$PGPolicy.Disabled = 1
$PGConfig.Policies[0] = $PGPolicy
# Remove the PG License
$TargetLicense = $PGConfig.Licenses[0]
$PGConfig.Licenses.Remove($TargetLicense)
# Update an existing application definition to match on Filehash
$UpdateApp = $PGConfig.ApplicationGroups[0].Applications[0]
$UpdateApp.CheckFileHash = 1
$PGConfig.ApplicationGroups[0].Applications[0] = $UpdateApp
# Set the Defendpoint configuration to the local file policy and prompt for
user confirmation
Set-DefendpointSettings -SettingsObject $PGConfig -LocalFile -Confirm
A.9.3 - Open Local Configuration and Save to Domain GPO

# Import the Defendpoint cmdlet module
# get the local Defendpoint configuration and set this to the domain computer
policy, ensuring the user is prompted to confirm the change
Get-DefendpointSettings -LocalFile | Set-DefendpointSettings -Domain -LDAP
"LDAP://My.Domain/CN={GUID},CN=Policies,CN=System,DC=My,DC=domain" –Confirm
A.10 - Application Templates

Defendpoint ships with some standard application templates to simplify the definition of applications that are part of
the operating system, common ActiveX controls and software updaters. The standard application templates are
split into categories:
l Avecto Utilities
l Browsers
l COM Classes for 3rd Party Software
l Com Classes for file, folder and drive operations
l COM Classes for general Windows operations

130 of 133
Document v.1.0
l COM Classes for security features and configurations
l COM Classes for software installation, uninstallation and updates
l COM Classes for network device settings, sharing options and configurations
l Common ActiveX controls
l Content Handler Untrusted
l Content Handlers
l Installers for common printer driver manufacturers
l Software updaters
l Tools and utilities for administrators and developers
l Windows 10 Default Apps
l Windows 7/8 and Windows Server 2008 R2 / 2012 / 2012 R2
l Windows 8.0 Default Apps
l Windows 8.1 Default Apps
l Windows Server 2008 R2
Each category then has a list of applications for that category. Picking an application will cause the application or
ActiveX control dialog boxes to be pre-populated with the appropriate information.
A.10.1 - Creating Custom Application Templates

On other Windows versions the application templates are stored in:
%ALLUSERSPROFILE%\Avecto\Privilege Guard Templates\
The standard application templates are stored in a single file named WindowsTasks.xml, and it is highly
recommended that you do not change these templates.
Instead, you should create your own XML template files. Application templates are a set of application groups that
have been exported from the Defendpoint Policy Editor as an XML file.
It is recommended that you create templates on a computer that is not running the Defendpoint Client, as you will
rely on Defendpoint’s standalone Policy Editor to create the application templates.
To run the Defendpoint Policy Editor in standalone mode:
1. Launch mmc.exe.
3. Select Defendpoint Settings from the available snap-ins and click Add.
4. Click OK.
The Defendpoint Policy Editor is now running in standalone mode and is not connected to a GPO (Group Policy
Object). However, it will be saving any settings locally, and these would be picked up by the client, if it was
installed.
To create a set of application templates, create some application groups and populate the application groups with
applications. The application groups will become the categories, and the applications in each application group will
be the list of applications for that category. Once you have defined your application templates, export the settings
to an XML file:

131 of 133
Document v.1.0
2. Right-click and select Export.
The XML file that you export must be saved with a prefix of Windows e.g. Windows*.xml.
To import an application template file back into the Policy Editor for editing:

2. Right-click and click Import.
3. When prompted click No to overwrite the current workstyles.
Remember to re-export your application templates once you’ve modified them.
The final step is to copy your application templates to the application templates directory on any machines where
the Policy Editor is being used to create Defendpoint Settings. The Policy Editor automatically loads all of the
application templates in the application templates directory and merges them to create a single list of categories.
A.11 - Rule Precedence

If you add more than one application rule or content rule to a workstyle then entries that are higher in the list will
have a higher precedence. Once a target matches a rule, no further rules or workstyles will be processed for that
target. If a target could match more than one workstyle or rule then it is important that you order both your
workstyles and rules correctly.
To give a rule a higher precedence within a workstyle:

1. Right-click the Rule and then click Move Up.
2. Repeat step 1 until you have the Rule positioned appropriately.
To give a rule a lower precedence, follow the procedure above, but click Move Down. You can also click Move
Top or Move Bottom to move a rule to the top or bottom of the list.
The Summary View and Detail View can be used to show information about your rules in either graphical form or
in table form.
A.12 - Trusted Application Protection Blacklist

The following list contains all of the applications that are blocked from being launched by trusted
applications when Trusted Application Protection is enabled:
l Bash
l BG Info
l Boot Configuration Data Editor
l CDB & NTSD
l CMD - Windows Command Processor
l Command Line Interface for Microsoft® Volume Shadow Copy Service
l CScript - Microsoft ® Console Based Script Host
l FSI
l FSI Any CPU

132 of 133
Document v.1.0
l IEExec
l KD & NTKD
l MSBuild
l mshta
l PSExec
l Registry Console Tool
l Regsvr
l WinDBG
l Windows PowerShell
l Windows PowerShell ISE
l WScript - Microsoft ® Windows Based Script

133 of 133
Document v.1.0

DP MMC Administration 5 1 95 0

Uploaded by

Copyright:

Available Formats

You might also like

DP MMC Administration 5 1 95 0

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

DP MMC Administration 5 1 95 0

Uploaded by

Copyright:

Available Formats

Defendpoint Management Console

Document Date: January 2018

Defendpoint Management Console 5.1.95.0 GA

Defendpoint Management Console 5.1.95.0 GA

Defendpoint Management Console 5.1.95.0 GA

Defendpoint Management Console 5.1.95.0 GA

Defendpoint Management Console 5.1.95.0 GA

Defendpoint Management Console 5.1.95.0 GA

Defendpoint Management Console 5.1.95.0 GA

Defendpoint Management Console 5.1.95.0 GA

Role Requirement for Admin Rights

2.1.2 - Implementing Least Privilege

Defendpoint Management Console 5.1.95.0 GA

2.2 - Defendpoint Installation

To install Defendpoint run the appropriate installation package:

l For 32-bit (x86) systems run DefendpointManagementConsoles_x86.exe

Defendpoint Management Console 5.1.95.0 GA

2.3 - Upgrading Defendpoint

Defendpoint Management Console 5.1.95.0 GA

To upgrade the Defendpoint Client manually, double-click DefendpointClient_x86.exe or DefendpointClient_

Step 2: Upgrading the Defendpoint Management Console

Step 3: Upgrading Defendpoint Settings

2.3.3 - Frequently Asked Questions

Can I install the 32-Bit Management Console on a 64-Bit endpoint?

Do I need to install the Defendpoint Client and Management Console together?

Defendpoint Management Console 5.1.95.0 GA

What distribution mechanisms do you support?

What prerequisite components are required for Defendpoint?

For the Defendpoint Management Console:

For the Defendpoint Activity Viewer:

Which operating systems are supported by Defendpoint?

Defendpoint Management Console 5.1.95.0 GA

We will now add Defendpoint as a snap-in to the console.

3.2.1 - Inserting licenses

Defendpoint Management Console 5.1.95.0 GA

3.3 - Navigating the Policy Editor

Defendpoint Management Console 5.1.95.0 GA

1. Overview – Provides a general overview of the workstyle contents.

Tabs that contain active settings cannot be toggled off.

3.3.2 - Automatic Saving

Defendpoint Management Console 5.1.95.0 GA

Defendpoint Management Console 5.1.95.0 GA

Defendpoint Management Console 5.1.95.0 GA

This template policy contains the following elements:

4.4.1 - QuickStart Policy Summary

Defendpoint Management Console 5.1.95.0 GA

The General Rules workstyle contains rules to:

The High Flexibility workstyle contains rules to:

The Medium Flexibility workstyle contains rules to:

Defendpoint Management Console 5.1.95.0 GA

Defendpoint Management Console 5.1.95.0 GA

4.4.2 - Customizing the QuickStart Policy

As a minimum you need to:

This template policy contains the following configurations:

Defendpoint Management Console 5.1.95.0 GA

4.6 - Server Roles

This template policy contains the following elements:

Defendpoint Management Console 5.1.95.0 GA