Process Application Control Policy Management Guide

Overview

To implement and manage Processes Control policies effectively, you must first activate the policy. Once activated, configure allowlisting to define which processes are permitted on specific computers or computer groups. Any process not explicitly allowlisted will be automatically blocked. Optionally, end-users can receive popup notifications when applications are blocked.

1. Activating the Policy

Cybercyte agents operate based on assigned policies. To begin:

Navigation: Rules & Policies → Policy Management → Windows Threat Monitoring

1.1 Enable Reporting for Unknown Processes

To identify running processes on agent-installed computers before implementing blocking:

  • Select "Report Unknown Processes Except Allow Listed"

  • This generates reports showing all non-allowlisted processes, enabling you to review and allowlist legitimate applications before enforcement.

1.2 Enable Blocking for Unknown Processes

To enforce restrictions:

  • Select "Terminate Process If Not Allow Listed"

  • This blocks all non-allowlisted processes on the computer.

1.3 Enable User Notifications

To notify end-users when applications are blocked:

  • Select "Notify User When Process Is Terminated"

  • A popup notification will display when a process is terminated due to policy violation.

2. Configuring Allowlisting

To allowlist applications for end-user computers:

Navigation: Analysis & Investigation → Artifact Analysis → Windows Artefacts → Windows Process Analysis

Procedure:

  1. Locate the desired process

  2. Right-click and select "App. Control Management"

  3. Choose either:

    • "Add to Host Process Allow List" — for individual computers

    • "Add to Group Process Allow List" — for computer groups

3. Viewing and Managing Allowlisted Processes

To review, modify, or remove allowlisted processes:

Navigation: Rules & Policies → Artifact Classification → Host-Group Based Permission List

Available Actions:

  • Click the three-dot menu (⋯) next to any process to:

    • Edit the entry

    • Remove from allowlist

    • Delete the rule

4. Listing Application Allowlist Rules per Computer

To view or modify allowlist rules applied to a specific agent-installed computer:

Navigation: Most Used → Asset Management

Procedure:

  1. Locate the target computer

  2. Click the "View Allow Listed Processes" icon next to the hostname

A new tab opens displaying all allowlisted processes for that computer, where you can:

  • View current rules

  • Modify entries

  • Remove processes

  • Update configurations

Quick Reference: Navigation Paths

Task                       Navigation Path

Activate Policy            Rules & Policies → Policy Management → Windows Threat Monitoring

Allowlist Processes        Analysis & Investigation → Artifact Analysis → Windows Artefacts → Windows Process Analysis

Manage Allowlists          Rules & Policies → Artifact Classification → Host-Group Based Permission List

Computer-Specific Rules    Most Used → Asset Management → [Computer] → View Allow Listed Processes

Blocked Processes          Most Used → Asset Management → Application Control Management
