Trusted App Protection (TAP)

The Trusted App Protection (TAP) policies contain Workstyles, Application Groups, and messages to offer an additional layer of protection against malware for trusted business applications, safeguarding them from exploitation attempts.

The TAP policies apply greater protection to key business applications including Microsoft Office, Adobe Reader, and web browsers, which are often exploited by malicious content. It works by preventing these applications from launching unknown payloads and potentially risky applications, such as PowerShell. It also offers protection by preventing untrusted DLLs being loaded by these applications, another common malware technique.

In our research, we discovered that malware attack chains commonly seek to drop and launch an executable or abuse a native Windows application such as PowerShell. Using a TAP policy prevents these attacks and compliments existing anti-malware technologies by preventing an attack from launching without relying on detection or reputation.

The Trusted Application Protection policy you have chosen is inserted at the top of the Workstyles, so it is, by default, the first Workstyle to be evaluated. Once a Workstyle action is triggered, subsequent Workstyles aren't evaluated for that process.

Workstyles

  • Trusted Application Protection - High Flexibility (depends on the TAP policy you have chosen)
  • Trusted Application Protection - High Security (depends on the TAP policy you have chosen)

Application Groups

  • Browsers
  • Browsers - Trusted Exploitables
  • Browsers - Untrusted child processes
  • Content Handlers
  • Content Handlers - Trusted Exploitables
  • Content Handlers - Untrusted child processes

Content Handlers are used to hold content rather than executables.

Messages

  • Block Message

Trusted Application Protection Policies Summary

The TAP policies allow you to control the child processes which TAP applications can run.

There are two policies to choose from:

  • High Flexibility
  • High Security

You should choose the High Flexibility policy if you have users who need to download and install or update software. You should choose the High Security policy if your users don't need to download and install or update software.

The High Security policy checks that all child processes have either a trusted publisher, a trusted owner, a source URL, or a BeyondTrust Zone Identifier tag, whereas the High Flexibility policy only validates the immediate child processes allowing a wider range installers to run. If child processes don't have any of these four criteria, they are blocked from execution. Known exploits are also blocked by both TAP policies.

Installers that spawn additional child processes are blocked by the TAP (High Security) policy if those child processes are using applications that are on the TAP blocklist, but would be allowed to run using the TAP (High Flexibility) policy. For more information, see Trusted Application Protection Block List.

Trusted Publisher

  • A trusted publisher must be signed. In addition, the publisher certificate must be valid, in date, and not revoked.

Trusted Owner

  • A trusted owner is any owner that is in the default Windows groups Administrators, SystemUser, or TrustedInstaller.

SourceURL

  • The source URL must be present. This is specific to browsers.

BeyondTrust Zone Identifier tag

  • The BeyondTrust Zone Identifier tag must be present. This is applied when the browser applies an Alternate Data Stream (ADS) tag. This is specific to browsers.

In addition, all processes on the blocklist are blocked irrespective of their publisher and owner.

The TAP policy template affects the following applications:

  • Microsoft Word
  • Microsoft Excel
  • Microsoft PowerPoint
  • Microsoft Publisher
  • Adobe Reader 11 and lower
  • Adobe Reader DC
  • Microsoft Outlook
  • Google Chrome
  • Mozilla Firefox
  • Microsoft Internet Explorer
  • Microsoft Edge (Legacy and Chromium versions)

TAP applications and their child processes must match all the criteria within the definitions provided in the Application Groups of the policy for the TAP policy to apply.

You can configure TAP process control by importing the TAP template. TAP also has Reporting.

For more information, see the following:

Trusted Application Protection Precedence

The TAP Workstyle you choose is placed at the top of your list of Workstyles when you import the policy template. This is because it runs best as a priority rule. This ensures child processes of TAP applications (policy dependent) that do not have a trusted publisher, trusted owner, a source URL, or a BeyondTrust Zone Identifier tag are blocked from execution and that known exploits are blocked.

The Trusted Application Protection Workstyle is the first to be evaluated by default. Once a Workstyle action is triggered, subsequent Workstyles aren't evaluated for that process.

Modify the Trusted Application Protection Policies

Both the Trusted Application Protection (TAP) policies (High Flexibility and High Security) protect against a broad range of attack vectors. The approaches listed here can be used in either TAP policy if you need to modify the TAP policy to address a specific use case that is being blocked by a TAP policy.

The TAP (High Security) policy is, by design, more secure and less flexible, as it blocks all child processes of a Trusted Application that do not have a trusted owner, trusted publisher, source URL, or BeyondTrust Zone Identifier. It is for these reasons more likely to require modification.

The TAP policy that you choose should be based on your business requirements and existing policy. If using a TAP policy causes a legitimate use case to be blocked, there are some actions you can take to resolve this.

Change the Policy to Audit

You can change the TAP (High Security) policy Application Rules Action to Allow Execution and change the Access Token to Enforce User's Default Rights. Ensure Raise an Event is set to On and click OK.

Changing the TAP policy to Allow Execution effectively disables it. You do not get any protection from a TAP policy if you make this change.

If you make this change for the four Application Rules in the TAP (High Security) policy, TAP programs are able to execute as if the TAP (High Security) policy wasn't applied, but you can see what events are being triggered by TAP and make policy adjustments accordingly.

The event details include information on the Application Group and TAP application. This allows you to gather details to understand if it's a legitimate use case. You can perform some actions to incorporate the legitimate use case into the TAP (High Security) policy.

Use the High Flexibility Policy

Both the TAP policies offer additional protection against a wide range of attack vectors. If you are using the TAP (High Security) policy you can change to the TAP (High Flexibility) policy. This is useful if you have a use case where additional child processes of TAP applications are being blocked by the TAP (High Security) policy.

Edit the Matching Criteria

If your legitimate use case is running a specific command that is detailed in the event, you can add this to the matching criteria of the application that's being blocked. You can use the standard Endpoint Privilege Management for Windows matching criteria, such as Exact Match or Regular Expressions.

WebEx uses an extension from Google Chrome. We have catered for this in the policy using matching criteria.

This criteria says:

If the Parent Process matches the (TAP) High Security - Browsers Application Group for any parent in the tree.
and
The Product Description contains the string Windows Command Processor
and
The Command Line does NOT contain \\.\pipe\chrome.nativeMessaging

The TAP policy (High Security) blocks the process.

Edit the Trusted Exploitable List

If your legitimate use case is using an application that is listed on either the Browsers - Trusted Exploitables or the Content Handlers - Trusted Exploitables list, you can remove it.

If you remove it from either list, any browsers or content using that trusted exploitable to run malicious content are not stopped by the TAP (High Security) policy.

Remove Application from Trusted Application Group

You can remove the application that is listed in the Trusted Browsers or Trusted Content Handlers groups from the list. This means that the application no longer benefits from the protection offered by either of the TAP policies.

Create an Allow Rule

You can also add an Endpoint Privilege Management for Windows Allow rule and place it higher in the precedence order than the TAP (High Security) policy. This allows your use case to run but it also overrides any subsequent rules that apply to that application. Therefore it should be used with caution.

Trusted Application Protection Reporting

Trusted Application Protection (TAP) is reported in Reporting. You can use the top level TAP dashboard to view the TAP incidents over the time period, split by type of TAP application. In the same dashboard, you can also see the number of incidents, targets, users, and hosts for each TAP application.

Trusted Application Protection Block List

To view the list of applications blocked from being launched by trusted applications when Trusted Application Protection (TAP) is enabled:

  1. After TAP High Flexibility or High Security is imported, right-click on the top-level Privilege Management Settings node, and click Show Hidden Groups.
  2. The list of applications can be found under the following groups:
    • (TAP) High Security - Browsers - Trusted Exploitables
    • (TAP) High Security - Content Handlers - Trusted Exploitables
    • (TAP) High Flexibility - Browsers - Trusted Exploitables
    • (TAP) High Flexibility - Content Handlers - Trusted Exploitables

Use Advanced Parent Tracking

With version 21.3 of EPM-W, advanced parent tracking (APT) tracks parent processes and increases the effectiveness of TAP policies while also reducing false positives from Windows PID re-use.

When processing rules, EPM-W attempts to determine the parent of a process through APT first. Following that, EPM-W uses other rule properties (like child inheritance) to rely on the information provided by Windows.

To use the advanced parent tracking:

Use Advanced Parent Tracking to track parent processes.

  • If you are not currently using a TAP policy, import the TAP template (High Security or High Flexibility) using the latest version of the EPM-W client.
  • If you are an existing TAP policy user and the policy was created using the EPM-W Policy Editor 21.2 or earlier, then add two new rules to the bottom of your TAP workstyle (High Security or High Flexibility).

 

High Security

  • (TAP) High Security - Browsers
    • Target Application Group: (TAP) High Security - Browsers
    • Access Token: Keep Privileges - Enhanced
  • (TAP) High Security - Content Handlers
    • Target Application Group: (TAP) High Security - Content Handlers
    • Access Token:Keep Privileges - Enhanced

High Flexibility

  • (TAP) High Flexibility - Browsers
    • Target Application Group: (TAP) High Flexibility- Browsers
    • Access Token: Keep Privileges - Enhanced
  • (TAP) High Flexibility - Content Handlers
    • Target Application Group: (TAP) High Flexibility - Content Handlers
    • Access Token: Keep Privileges - Enhanced

Click Show Hidden Groups to edit workstyles.

For either of these workstyles, you will also need to remove the check from the Force standard user rights on File Open/Save dialogs for each application in these Application Groups.

Enable Show Hidden Groups to edit these workstyles.