Trusted App Protection (TAP)

The Trusted App Protection (TAP) policies contain Workstyles, Application Groups, and messages to offer an additional layer of protection against malware for trusted business applications, safeguarding them from exploitation attempts.

The TAP policies apply greater protection to key business applications including Microsoft Office, Adobe Reader, and web browsers, which are often exploited by malicious content. It works by preventing these applications from launching unknown payloads and potentially risky applications, such as PowerShell. It also offers protection by preventing untrusted DLLs being loaded by these applications, another common malware technique.

In our research, we discovered that malware attack chains commonly seek to drop and launch an executable or abuse a native Windows application such as PowerShell. Using a TAP policy prevents these attacks and compliments existing anti-malware technologies by preventing an attack from launching without relying on detection or reputation.

The Trusted Application Protection policy you have chosen is inserted at the top of the Workstyles, so it is, by default, the first Workstyle to be evaluated. Once a Workstyle action is triggered, subsequent Workstyles aren't evaluated for that process.

Workstyles

  • Trusted Application Protection - High Flexibility (depends on the TAP policy you have chosen)
  • Trusted Application Protection - High Security (depends on the TAP policy you have chosen)

Application Groups

  • Browsers
  • Browsers - Trusted Exploitables
  • Browsers - Untrusted child processes
  • Content Handlers
  • Content Handlers - Trusted Exploitables
  • Content Handlers - Untrusted child processes

Content Handlers are used to hold content rather than executables.

Messages

  • Block Message

Trusted Application Protection Policies Summary

The TAP policies allow you to control the child processes which TAP applications can run.

There are two policies to choose from:

  • High Flexibility
  • High Security

You should choose the High Flexibility policy if you have users who need to download and install or update software. You should choose the High Security policy if your users don't need to download and install or update software.

The High Security policy checks that all child processes have either a trusted publisher, a trusted owner, a source URL, or a BeyondTrust Zone Identifier tag, whereas the High Flexibility policy only validates the immediate child processes allowing a wider range installers to run. If child processes don't have any of these four criteria, they are blocked from execution. Known exploits are also blocked by both TAP policies.

Installers that spawn additional child processes are blocked by the TAP (High Security) policy if those child processes are using applications that are on the TAP blocklist, but would be allowed to run using the TAP (High Flexibility) policy. For more information, please see Trusted Application Protection Blocklist.

Trusted Publisher

  • A trusted publisher must be signed. In addition, the publisher certificate must be valid, in date, and not revoked.

Trusted Owner

  • A trusted owner is any owner that is in the default Windows groups Administrators, SystemUser, or TrustedInstaller.

SourceURL

  • The source URL must be present. This is specific to browsers.

BeyondTrust Zone Identifier tag

  • The BeyondTrust Zone Identifier tag must be present. This is applied when the browser applies an Alternate Data Stream (ADS) tag. This is specific to browsers.

In addition, all processes on the blocklist are blocked irrespective of their publisher and owner.

The TAP policy template affects the following applications:

  • Microsoft Word
  • Microsoft Excel
  • Microsoft PowerPoint
  • Microsoft Publisher
  • Adobe Reader 11 and lower
  • Adobe Reader DC
  • Microsoft Outlook
  • Google Chrome
  • Mozilla Firefox
  • Microsoft Internet Explorer
  • Microsoft Edge (Legacy and Chromium versions)

TAP applications and their child processes must match all the criteria within the definitions provided in the Application Groups of the policy for the TAP policy to apply.

You can configure TAP process control by importing the TAP template. TAP also has Reporting.

For more information, please see the following:

Trusted Application Protection Precedence

The TAP Workstyle you choose is placed at the top of your list of Workstyles when you import the policy template. This is because it runs best as a priority rule. This ensures child processes of TAP applications (policy dependent) that do not have a trusted publisher, trusted owner, a source URL, or a BeyondTrust Zone Identifier tag are blocked from execution and that known exploits are blocked.

The Trusted Application Protection Workstyle is the first to be evaluated by default. Once a Workstyle action is triggered, subsequent Workstyles aren't evaluated for that process.

Modify the Trusted Application Protection Policies

Both the Trusted Application Protection (TAP) policies (High Flexibility and High Security) protect against a broad range of attack vectors. The approaches listed here can be used in either TAP policy if you need to modify the TAP policy to address a specific use case that is being blocked by a TAP policy.

The TAP (High Security) policy is, by design, more secure and less flexible, as it blocks all child processes of a Trusted Application that do not have a trusted owner, trusted publisher, source URL, or BeyondTrust Zone Identifier. It is for these reasons more likely to require modification.

The TAP policy that you choose should be based on your business requirements and existing policy. If using a TAP policy causes a legitimate use case to be blocked, there are some actions you can take to resolve this.

Change the Policy to Passive and Audit

You can change the TAP (High Security) policy Application Rules Action to Allow Execution and change the Access Token to Passive (No Change). Ensure Raise an Event is set to On and click OK.

Changing the TAP policy to Allow Execution effectively disables it. You do not get any protection from a TAP policy if you make this change.

If you make this change for the four Application Rules in the TAP (High Security) policy, TAP programs are able to execute as if the TAP (High Security) policy wasn't applied, but you can see what events are being triggered by TAP and make policy adjustments accordingly.

The event details include information on the Application Group and TAP application. This allows you to gather details to understand if it's a legitimate use case. You can perform some actions to incorporate the legitimate use case into the TAP (High Security) policy.

Use the High Flexibility Policy

Both the TAP policies offer additional protection against a wide range of attack vectors. If you are using the TAP (High Security) policy you can change to the TAP (High Flexibility) policy. This is useful if you have a use case where additional child processes of TAP applications are being blocked by the TAP (High Security) policy.

Edit the Matching Criteria

If your legitimate use case is running a specific command that is detailed in the event, you can add this to the matching criteria of the application that's being blocked. You can use the standard Privilege Management for Windows matching criteria, such as Exact Match or Regular Expressions.

WebEx uses an extension from Google Chrome. We have catered for this in the policy using matching criteria.

This criteria says:

If the Parent Process matches the (TAP) High Security - Browsers Application Group for any parent in the tree.
and
The Product Description contains the string Windows Command Processor
and
The Command Line does NOT contain \\.\pipe\chrome.nativeMessaging

The TAP policy (High Security) blocks the process.

Edit the Trusted Exploitable List

If your legitimate use case is using an application that is listed on either the Browsers - Trusted Exploitables or the Content Handlers - Trusted Exploitables list, you can remove it.

If you remove it from either list, any browsers or content using that trusted exploitable to run malicious content are not stopped by the TAP (High Security) policy.

Remove Application from Trusted Application Group

You can remove the application that is listed in the Trusted Browsers or Trusted Content Handlers groups from the list. This means that the application no longer benefits from the protection offered by either of the TAP policies.

Create an Allow Rule

You can also add a Privilege Management for Windows Allow rule and place it higher in the precedence order than the TAP (High Security) policy. This allows your use case to run but it also overrides any subsequent rules that apply to that application. Therefore it should be used with caution.

Trusted Application Protection Reporting

Trusted Application Protection (TAP) is reported in Reporting. You can use the top level TAP dashboard to view the TAP incidents over the time period, split by type of TAP application. In the same dashboard, you can also see the number of incidents, targets, users, and hosts for each TAP application.

Trusted Application Protection Blocklist

The following list contains all of the applications that are blocked from being launched by trusted applications when Trusted Application Protection (TAP) is enabled:

  • Bash
  • BG Info
  • Boot Configuration Data Editor
  • CDB & NTSD
  • CMD - Windows Command Processor
  • Command Line Interface for Microsoft® Volume Shadow Copy Service
  • CScript - Microsoft ® Console Based Script Host
  • FSI
  • FSI Any CPU
  • IEExec
  • KD & NTKD
  • MSBuild
  • mshta
  • PSExec
  • Registry Console Tool
  • Regsvr
  • WinDBG
  • Windows PowerShell
  • Windows PowerShell ISE
  • WScript - Microsoft ® Windows Based Script