Trusted App Protection (TAP) Template Policy Configuration
The Trusted App Protection (TAP) policies contain Workstyles, Application Groups, and Messages to offer an additional layer of protection against malware for trusted business applications, safeguarding them from exploitation attempts.
The TAP policies apply greater protection to key business applications, including Microsoft Office, Adobe Reader, and web browsers, which are often exploited by malicious content. They work by preventing these applications from launching unknown payloads and potentially risky applications such as PowerShell. They also prevent untrusted DLLs from being loaded by these applications, another common malware technique.
In our research we discovered that malware attack chains commonly seek to drop and launch an executable or abuse a native Windows application such as PowerShell. Using a TAP policy prevents these attacks and complements existing anti-malware technologies by preventing an attack from launching without relying on detection or reputation.
The Trusted Application Protection policy you have chosen is inserted at the top of the Workstyles so it is, by default, the first Workstyle to be evaluated. Once a Workstyle action has been triggered, subsequent Workstyles aren't evaluated for that process.
- Trusted Application Protection: High Flexibility (depends on the TAP policy you have chosen)
- Trusted Application Protection: High Security (depends on the TAP policy you have chosen)
- Browsers: Trusted Exploitables
- Browsers: Untrusted child processes
- Content Handlers
- Content Handlers: Trusted Exploitables
- Content Handlers: Untrusted child processes
Content Handlers are used to hold content rather than executables.
- Block Message
Trusted Application Protection Policies Summary
The TAP policies allow you to control the child processes which TAP applications can run.
There are two policies to choose from:
- High Flexibility
- High Security
You should choose the High Flexibility policy if you have users who need the ability to download and install or update software. You should choose the High Security policy if your users don't need to download and install or update software.
The High Security policy checks that all child processes either have a trusted publisher, a trusted owner, a source URL, or a BeyondTrust Zone Identifier tag, whereas the High Flexibility policy only validates the immediate child processes, allowing a wider range of installers to run. If a child process meets none of these four criteria, it is blocked from execution. Known exploits are also blocked by both TAP policies.
Installers that spawn additional child processes are blocked by the TAP (High Security) policy if those child processes are using applications that are on the TAP block list, but would be allowed to run using the TAP (High Flexibility) policy.
- A trusted publisher means the executable is signed. In addition, the publisher certificate must be valid, in date, and not revoked.
- A trusted owner is any owner that is in the default Windows groups Administrators, SystemUser, or TrustedInstaller.
- The source URL must be present. This is specific to browsers.
- The BeyondTrust Zone Identifier tag must be present. This is applied when the browser applies an Alternate Data Stream (ADS) tag. This is specific to browsers.
In addition, all processes on the block list are blocked irrespective of their publisher and owner.
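The following is an added model of the child-process check described above, written for this page and not BeyondTrust's implementation. It assumes image names for a few block-list entries and shows why the same installer chain gets different decisions under High Security (every descendant validated) and High Flexibility (only the immediate child validated).

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the TAP child-process check (not BeyondTrust's code); image names assumed.
TRUSTED_OWNERS = {"Administrators", "SystemUser", "TrustedInstaller"}
BLOCK_LIST = {"cmd.exe", "powershell.exe", "powershell_ise.exe", "wscript.exe", "cscript.exe"}

@dataclass
class Proc:
    name: str
    parent: Optional["Proc"] = None
    signed: bool = False
    cert_valid: bool = False          # certificate in date and not revoked
    owner: str = "Users"
    source_url: Optional[str] = None  # browsers only
    zone_tag: bool = False            # BeyondTrust Zone Identifier ADS tag, browsers only

def has_trust(p: Proc) -> bool:
    """Any one of the four criteria is enough: publisher, owner, source URL or zone tag."""
    trusted_publisher = p.signed and p.cert_valid
    trusted_owner = p.owner in TRUSTED_OWNERS
    return trusted_publisher or trusted_owner or bool(p.source_url) or p.zone_tag

def chain_below(tap_app: Proc, child: Proc) -> Optional[list]:
    """Processes from the TAP application's immediate child down to `child`."""
    chain, p = [], child
    while p is not None and p is not tap_app:
        chain.append(p)
        p = p.parent
    return None if p is None else chain[::-1]

def tap_decision(child: Proc, tap_app: Proc, policy: str) -> str:
    """'allow', 'block', or 'not-applicable' when child is not under the TAP application."""
    chain = chain_below(tap_app, child)
    if chain is None:
        return "not-applicable"
    # High Security validates every process in the chain; High Flexibility only the immediate child.
    checked = chain if policy == "High Security" else chain[:1]
    for p in checked:
        # The block list applies regardless of publisher or owner.
        if p.name.lower() in BLOCK_LIST or not has_trust(p):
            return "block"
    return "allow"

# Constructed scenario: Word opens a signed installer, which spawns PowerShell.
WORD = Proc("winword.exe")
INSTALLER = Proc("setup.exe", parent=WORD, signed=True, cert_valid=True)
PS = Proc("powershell.exe", parent=INSTALLER, signed=True, cert_valid=True, owner="TrustedInstaller")
DROPPER = Proc("dropper.exe", parent=WORD)  # unsigned, untrusted owner, no URL, no tag
```

Under High Security the signed installer is allowed but its PowerShell child is blocked by the block list; under High Flexibility only the installer is validated, so the same PowerShell launch is allowed.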
The TAP policy template affects the following applications:
- Microsoft Word
- Microsoft Excel
- Microsoft PowerPoint
- Microsoft Publisher
- Adobe Reader 11 and lower
- Adobe Reader DC
- Microsoft Outlook
- Google Chrome
- Mozilla Firefox
- Microsoft Internet Explorer
- Microsoft Edge
You can configure TAP process control by importing the TAP template. TAP also has its own Reporting (see Trusted Application Protection Reporting below).
TAP Applications and their child processes must match all the criteria within the definitions provided in the Application Groups of the policy for the TAP policy to apply.
For more information, please see Trusted Application Protection Block List.
Trusted Application Protection Precedence
The TAP Workstyle you choose is placed at the top of your list of Workstyles when you import the policy template. This is because it runs best as a priority rule. This ensures that child processes of TAP applications (policy dependent) that do not have a trusted publisher, trusted owner, a source URL, or a BeyondTrust Zone Identifier tag are blocked from execution and that known exploits are blocked.
The Trusted Application Protection Workstyle is the first to be evaluated by default. Once a Workstyle action has been triggered, subsequent Workstyles aren't evaluated for that process.
Modify the Trusted Application Protection Policies
Both the TAP policies (High Flexibility and High Security) protect against a broad range of attack vectors. The approaches listed here can be used in either TAP policy if you need to modify the TAP policy to address a specific use case that is being blocked by a TAP policy.
The TAP (High Security) policy is, by design, more secure and less flexible as it blocks all child processes of a Trusted Application that do not have a trusted owner, trusted publisher, source URL, or BeyondTrust Zone Identifier, so it is therefore more likely to require modification.
The TAP policy that you choose should be based on your business requirements and existing policy. If using a TAP policy causes a legitimate use case to be blocked, there are some actions you can take to resolve this.
Change the Policy to Passive and Audit
You can change the TAP (High Security) policy Application Rules Action to Allow Execution and change the Access Token to Passive (No Change). Ensure Raise an Event is set to On and click OK.
Changing the TAP policy to Allow Execution effectively disables it. You will not get any protection from a TAP policy if you make this change.
If you make this change for the four Application Rules in the TAP (High Security) policy, TAP programs can execute as if the TAP (High Security) policy is not applied, but you can see what events are being triggered by TAP and make policy adjustments accordingly.
The event details include information on the Application Group and TAP application. This allows you to gather details to understand if it's a legitimate use case. You can perform some actions to incorporate the legitimate use case into the TAP (High Security) policy.
Use the High Flexibility Policy
Both the TAP policies offer additional protection against a wide range of attack vectors. If you are using the TAP (High Security) policy you can change to the TAP (High Flexibility) policy. This is useful if you have a use case where additional child processes of TAP applications are being blocked by the TAP (High Security) policy.
Edit the Matching Criteria
If your legitimate use case is running a specific command that is detailed in the event, you can add this to the matching criteria of the application that's being blocked. You can use the standard Privilege Management
These matching criteria say:
- If the Parent Process matches the (TAP) High Security - Browsers Application Group for any parent in the tree, and
- the Product Description contains the string Windows Command Processor, and
- the Command Line does NOT contain \\.\pipe\chrome.nativeMessaging,
then the TAP (High Security) policy blocks the process.
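An added model of those three criteria, written for this page rather than taken from BeyondTrust's rule engine. It assumes image names for the Browsers Application Group and a constructed legitimate command line, and shows how adding a string to the "Command Line does NOT contain" criterion turns a blocked event into an allowed one without touching the other criteria.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed model of the matching criteria quoted above; not BeyondTrust's rule engine.
# Image names assumed for the (TAP) High Security - Browsers Application Group.
BROWSERS_GROUP = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
NATIVE_MESSAGING = r"\\.\pipe\chrome.nativeMessaging"

@dataclass
class Proc:
    name: str
    product_description: str = ""
    command_line: str = ""
    parent: Optional["Proc"] = None

def any_parent_in_group(p: Proc, group: set) -> bool:
    """'For any parent in the tree': every ancestor is checked, not only the direct parent."""
    anc = p.parent
    while anc is not None:
        if anc.name.lower() in group:
            return True
        anc = anc.parent
    return False

def tap_blocks(p: Proc, cmdline_exclusions: Sequence[str] = (NATIVE_MESSAGING,)) -> bool:
    """True when all three criteria match, i.e. the High Security policy blocks the process.

    cmdline_exclusions is the 'Command Line does NOT contain' list. Adding a string
    for a legitimate command is the 'edit the matching criteria' step from the text.
    """
    if not any_parent_in_group(p, BROWSERS_GROUP):
        return False
    if "Windows Command Processor" not in p.product_description:
        return False
    if any(s in p.command_line for s in cmdline_exclusions):
        return False
    return True

# Constructed events. CHROME -> HELPER -> CMD exercises the 'any parent in the tree' clause.
CHROME = Proc("chrome.exe")
HELPER = Proc("helper.exe", parent=CHROME)
CMD = Proc("cmd.exe", "Windows Command Processor", "cmd.exe /c dir", parent=HELPER)
NATIVE = Proc("cmd.exe", "Windows Command Processor",
              "cmd.exe /c host.exe " + NATIVE_MESSAGING, parent=CHROME)
LEGIT = Proc("cmd.exe", "Windows Command Processor",
             r'cmd.exe /c "C:\Program Files\Contoso\sync.bat"', parent=CHROME)
# Exclusion an administrator would add for the constructed legitimate use case.
CONTOSO_EXCLUSIONS = (NATIVE_MESSAGING, r"Contoso\sync.bat")
```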
Edit the Trusted Exploitable List
If your legitimate use case is using an application that is listed on either the Browsers - Trusted Exploitables or the Content Handlers - Trusted Exploitables list, you can remove it.
If you remove it from either list, any browsers or content that use that trusted exploitable to run malicious content are not stopped by the TAP (High Security) policy.
Remove Application from Trusted Application Group
You can remove the application that is listed in the Trusted Browsers or Trusted Content Handlers groups from the list. This means that the application no longer benefits from the protection offered by either of the TAP policies.
Create an Allow Rule
You can also add a Privilege Management
Trusted Application Protection Reporting
Trusted Application Protection (TAP) is reported in Privilege Management Reporting. You can use the top level TAP dashboard to view the TAP incidents over the time period, split by type of TAP application. In the same dashboard you can also see the number of incidents, targets, users, and hosts for each TAP application.
The following list contains all of the applications that are blocked from being launched by trusted applications when Trusted Application Protection (TAP) is enabled:
- BG Info
- Boot Configuration Data Editor
- CDB & NTSD
- CMD - Windows Command Processor
- Command Line Interface for Microsoft® Volume Shadow Copy Service
- CScript - Microsoft ® Console Based Script Host
- FSI Any CPU
- KD & NTKD
- Registry Console Tool
- Windows PowerShell
- Windows PowerShell ISE
- WScript - Microsoft ® Windows Based Script