eG Monitoring

Measures reported by AppLockerMsiTest

AppLocker helps administrators create rules that allow or deny applications from running based on the unique identities of files, and specify which applications and files users can run. AppLocker can control executable files (.exe and .com), scripts (.js, .ps1, .vbs, .cmd, and .bat), Windows Installer files (.mst, .msi and .msp), DLL files (.dll and .ocx), and packaged apps and packaged app installers (.appx). By defining rules, administrators can allow or restrict a specific user or group from executing these files, so that only authorized users or groups are allowed to run them on the server. If an AppLocker rule is not applied properly, or AppLocker is disabled abruptly, it can lead to a security breach in the organization and give unauthorized users access to critical data. As a result, sensitive information of the organization could easily be deleted or stolen if a user knowingly or unknowingly runs malicious software. To avoid such eventualities, it is imperative that the activities of AppLocker be monitored continuously. This is where the AppLockerMsiTest test helps administrators.

This test monitors the AppLocker log to which the activities of AppLocker are logged. The AppLocker log contains information about the applications and files that are affected by AppLocker rules. This test parses the entries for Windows Installer files and script files in the log based on the configured patterns, and alerts administrators whenever such entries are found.

Outputs of the test: One set of results for the target Windows host.

The measures made by this test are as follows:

| Measurement | Description | Measurement Unit | Interpretation |
| --- | --- | --- | --- |
| Information_count | Indicates the number of AppLocker information events generated when the test was last executed. | Number | A change in the value of this measure may indicate infrequent but successful operations performed by one or more applications. |
| Warning_count | Indicates the number of AppLocker warnings that were generated when the test was last executed. | Number | A high value of this measure indicates application problems that may not have an immediate impact, but may cause future problems in one or more applications. |
| Critical_count | Indicates the number of AppLocker critical error events that were generated when the test was last executed. | Number | A very low value (zero) indicates that the system is in a healthy state and all applications are running smoothly without any potential problems. An increasing trend or high value indicates the existence of fatal/irreparable problems in one or more applications. |
| Error_count | Indicates the number of AppLocker error events that were generated during the last measurement period. | Number | A very low value (zero) indicates that the system is in a healthy state and all applications are running smoothly without any potential problems. An increasing trend or high value indicates the existence of problems like loss of functionality or data in one or more applications. |
| Verbose_count | Indicates the number of AppLocker verbose events that were generated when the test was last executed. | Number | The detailed diagnosis of this measure describes all the verbose events that were generated during the last measurement period. |
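The five counts above can be reproduced by hand from the AppLocker event channel for Windows Installer and script files. The following is an added PowerShell example, not eG's own test code: it assumes the channel name `Microsoft-Windows-AppLocker/MSI and Script`, a measurement window in minutes, and that the event `Level` field follows the usual ETW numbering; the sample events are constructed.

```powershell
# Added example (not part of the eG product): count AppLocker MSI/script
# events per severity level, matching the measures of AppLockerMsiTest.

function Get-AppLockerMsiLevelCounts {
    param(
        [Parameter(Mandatory)] [System.Collections.IEnumerable]$Events
    )
    # ETW/EVTX level numbers: 1 Critical, 2 Error, 3 Warning, 4 Information, 5 Verbose
    $counts = [ordered]@{
        Information_count = 0; Warning_count = 0; Critical_count = 0
        Error_count = 0; Verbose_count = 0
    }
    foreach ($e in $Events) {
        switch ([int]$e.Level) {
            1 { $counts.Critical_count++ }
            2 { $counts.Error_count++ }
            3 { $counts.Warning_count++ }
            4 { $counts.Information_count++ }
            5 { $counts.Verbose_count++ }
        }
    }
    [pscustomobject]$counts
}

function Get-AppLockerMsiEvents {
    # Read the live channel for the last $WindowMinutes (assumed channel name).
    param([int]$WindowMinutes = 5)
    $since = (Get-Date).AddMinutes(-$WindowMinutes)
    # An empty window makes Get-WinEvent raise "No events were found"; keep it quiet.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/MSI and Script'
        StartTime = $since
    } -ErrorAction SilentlyContinue
}

# Constructed sample records: only the Level property is needed for counting.
$sample = @(
    [pscustomobject]@{ Level = 4; Message = 'constructed: installer allowed' },
    [pscustomobject]@{ Level = 3; Message = 'constructed: script audited' },
    [pscustomobject]@{ Level = 2; Message = 'constructed: installer blocked' }
)
$result = Get-AppLockerMsiLevelCounts -Events $sample
$result | Format-List

# Per the interpretation column, anything other than zero here deserves a look.
if ($result.Error_count -gt 0 -or $result.Critical_count -gt 0) {
    Write-Warning 'AppLocker reported error/critical events; review the rule set.'
}
# Live measurement:
# Get-AppLockerMsiLevelCounts -Events (Get-AppLockerMsiEvents -WindowMinutes 5)
```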