Application Whitelisting/Blacklisting

Zercurity uses Google Santa to whitelist and blacklist your applications.

Zercurity organises rules into rulesets. Rulesets are a collection of rules that can be applied to a collection of Assets.

Table view

This table gives you an overview of all the rulesets defined within your company. The first two rulesets are defined by Zercurity. These two rulesets contain all the applications and certificates Zercurity has identified for your company.

_images/santa.png
  • Name: The name of the ruleset.
  • Description: A description of the ruleset.
  • Rules: The number of rules defined within this ruleset.
  • Created: When the ruleset was created.
  • Updated: When the ruleset was last updated, usually because the ruleset name or description changed.
  • Actions: These are changes that can be applied to the ruleset.
    • DELETE: Removes the ruleset. Please note that rulesets are not deleted immediately. Rulesets remain within the system for 30 days and are then deleted.

Create ruleset

Rulesets can be created using the Create Ruleset button, which displays the following popup dialogue.

_images/santa_create.png

Ruleset view

When you’ve selected a Ruleset you’ll be able to see all of the rules that are defined within the collection. You can have as many rules as you like.

_images/santa_rules.png
  • Type: The type of the rule. This will be either CERT (the certificate used to sign applications) or SHA256 (the hash of a given application binary).

  • Name: The name of your rule.

  • Decision: What happens to the application that's trying to run when the rule is triggered, either because its SHA256 matches or because it was signed by the defined certificate:

    • BLACKLIST: Block the application from running entirely and alert the user that the application was blocked from running. The user will be shown your custom message if one was defined in your rule.
    • BLACKLIST SILENT: Block the application from running entirely without alerting the user. The application will exit silently.
    • WHITELIST: Ensure that the application or binary runs.
  • Created: The date that the rule was created.

  • Actions: These are changes that can be applied to the rule.
    • DELETE: Removes the rule. Please note that rules are not deleted immediately. Rules remain within the system for 30 days and are then deleted.
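
An added example, not Zercurity's or Santa's own code: a Python model of how the two rule types above resolve to a decision, plus a check for rules that contradict each other. The rule data is constructed, identifying a CERT rule by the certificate's SHA-256 fingerprint is an assumption, and checking the SHA256 rule before the CERT rule reflects Santa's documented precedence rather than anything stated on this page.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional

BLOCKING = {"BLACKLIST", "BLACKLIST SILENT"}

@dataclass(frozen=True)
class Rule:
    type: str        # "SHA256" (binary hash) or "CERT" (signing certificate)
    identifier: str  # lowercase hex SHA-256; for CERT, assumed to be the cert fingerprint
    decision: str    # "WHITELIST", "BLACKLIST" or "BLACKLIST SILENT"
    name: str

def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a binary in chunks so large applications are not loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def evaluate(rules: Iterable[Rule], binary_sha256: str,
             cert_sha256: Optional[str] = None) -> Optional[Rule]:
    """Return the deciding rule, or None if nothing matches (binary rule before cert rule)."""
    rules = list(rules)
    for rule_type, ident in (("SHA256", binary_sha256), ("CERT", cert_sha256)):
        if ident is None:  # e.g. an unsigned binary has no certificate to match
            continue
        for rule in rules:
            if rule.type == rule_type and rule.identifier == ident.lower():
                return rule
    return None

def conflicts(rules: Iterable[Rule]) -> list:
    """List (type, identifier) pairs that carry both an allow and a block decision."""
    seen = defaultdict(set)
    for rule in rules:
        seen[(rule.type, rule.identifier)].add(rule.decision in BLOCKING)
    return sorted(key for key, kinds in seen.items() if len(kinds) == 2)

# Constructed sample data: hashes of made-up byte strings, not real applications.
TOOL = hashlib.sha256(b"constructed-binary").hexdigest()
VENDOR_CERT = hashlib.sha256(b"constructed-certificate").hexdigest()
RULES = [
    Rule("CERT", VENDOR_CERT, "WHITELIST", "Allow vendor"),
    Rule("SHA256", TOOL, "BLACKLIST", "Block one vendor build"),
]
```

With these rules, the vendor's other signed binaries are allowed by the CERT rule while the one blacklisted build is still blocked by its SHA256 rule.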

Create rule

Once you've selected a ruleset, you can add rules by clicking the Add Rule button, which displays the following popup dialogue.

Note

When rules are created they take up to 2 minutes to propagate to your Assets. If you're in a rush, you can run santactl sync on the machine. You can also check the status of Google's Santa by running santactl status.

_images/santa_rule_create.png