Skip Navigation

Application control

Application control is an optional setting for
devices that allows users to restrict any changes to executables on the device. Only applications that are on the device before application control is enabled are allowed to execute. Typically, application control is used for fixed function devices that are not changed after it's set up (for example, point-of-sale devices).
When application control is enabled, attempts to add applications and make changes to applications on the device are denied. This means that applications cannot be downloaded from web browsers or copied from another device or computer (such as an external or shared drive).
The main objectives of application control are:
  • Deny the execution of executable files from remote or external drives.
  • Deny the creation of new executables on the local drive.
  • Deny changes to existing files on the local drive.
Consider the following when using application control:
  • The
    CylancePROTECT Desktop
    agent update process is disabled when application control is enabled.
  • You cannot remove the
    CylancePROTECT Desktop
    agents when application control is enabled.
  • It is not recommended to run
    on systems that use application control. When application control is enabled,
    does not function properly due to the restrictive nature of application control.
  • All executable files on remote or external drives are denied from executing when application control is enabled. To prevent production outages or excessive network activity, application control does not monitor file transfers to remote or external drives.

Application control settings

Application Control
This setting specifies whether to enable application control. When you enable application control, the following recommended settings will be automatically applied:
  • In the
    File Actions
    tab, the
    Auto-Quarantine with Execution Control
    settings will be selected for both unsafe and abnormal files.
  • In the
    Memory Actions
    tab, the
    Memory Protection
    setting will be selected. All memory protection violation types will be set to
  • In the
    Protection Settings
    tab, the
    Watch For New Files
    setting will be selected .
If you want to change any of these settings, clear the selection from the specified tabs.
Change Window
When enabled, this setting temporarily disables application control to allow editing and running new applications or to perform updates, including updating the agent. After performing the necessary changes, clear this check box to close the change window and re-enable application control.
When you use this setting to temporarily disable application control, changes such as folder exclusions are retained. If you disable the
Application Control
setting, the settings are reset to default.
Folder Exclusions (includes subfolders)
This setting specifies an absolute path of folders that are allowed to make application changes and additions when application control is enabled. This setting applies to devices running
agent 1410 or later.
C:\Program Files\Microsoft SQL Server
Folder exclusions are only available for local internal drives. Exclusions for removable or remote drives are not supported.

Viewing application control activity

You can find the application control activity of a device from its
Device Details
page in the
Threats & Activities