PGP Endpoint Application Control

Overview

The battle to protect your network from malware can seem insurmountable.

PGP® Endpoint Application Control provides granular, policy-based enforcement of application use to proactively secure endpoints from data leakage, malware, spyware, keyloggers, Trojans, rootkits, worms and viruses, zero-day threats and unwanted or unlicensed software. With PGP Endpoint Application Control, administrators can centrally manage, monitor, and control applications with a whitelist approach that allows only authorized applications to run, ensuring no unwanted or unlicensed software will execute on the corporate network and disrupt business.

• Reduces the risk of a data breach –Ensures sensitive corporate data is not compromised by unauthorized and malicious software.
• Proactive and automatic protection - Reduces helpdesk and administrative burdens. Provides automatic, zero-day protection from known and unknown application threats.
• Supports Compliance–Detailed audits of application execution assist in demonstrating compliance.
• Business continuity–Prevents business downtime caused by proliferation of malicious software applications.
• Transparent user experience–Automatic and background operation ensures user productivity is unaffected.

Technical Specifications

Supported Operating Systems

PGP Endpoint Client

• Microsoft Windows 7 (32-bit and 64-bit editions)
• Microsoft Windows XP Professional Service Pack 2 or
  higher (SP2+) (32- and 64-bit)
• Microsoft Windows Vista SP1+ (32- and 64-bit)
• Microsoft Windows XP Embedded (XPe) (32-bit)
• Microsoft Windows Embedded Point of Service (WEPOS)
  (32-bit)
• Microsoft Windows XP Tablet PC Edition (32-bit)
• Citrix Access Gateway™ 4.5
• Citrix Presentation Server™ 4.0 for Windows Server 2003
  SP1/SR2+ (32-bit)
• Citrix Presentation Server 4.5 for Windows Server 2003
  SP1/SR2+ (32- and 64-bit)
• Microsoft Windows® Server 2000 Service Pack 4 or higher
  (SP4+) (32-bit)
• Microsoft Windows 2000 Professional SP4+ (32-bit)
• Microsoft Windows Server 2003 SP1/SR2+ (32- and
  64-bit)

PGP Endpoint Administration Server

• VMware and Microsoft Windows Server 2008 Hyper-V virtual platforms
• Windows Server 2008 (32-bit and 64-bit)
• Windows Server 2008 R2 (64-bit only)
• Windows Server 2003 SP1/SR2
• Windows 2000 Server SP4

PGP Endpoint Administration Server Console (GUI client for PGP Endpoint Administration Server)

• Microsoft Windows 7 (32- and 64-bit)
• Microsoft Windows Server 2008 (32-bit and 64-bit)
• Microsoft Windows Server 2008 R2 (64-bit only)
• Microsoft Windows XP Professional SP2+ (32-bit)
• Microsoft Windows Server 2003 SP1/SR2+ (32-bit)
• Microsoft Windows Vista™ SP1+ (32- and 64-bit)

Database

• SQL Server 2008
• SQL Server 2008 Express Edition
• SQL 2005 Express SP2 (free)
• SQL Server 2005 SP2 (32bit and 64-bit versions)
• SQL Server 2000 SP4

Supported Languages

The following languages are supported for the status, permissions, and notification information on PGP® Endpoint client machines:

• English
• Dutch
• French
• German
• Italian
• Japanese
• Portuguese
• Russian
• Simplified Chinese
• Spanish
• Swedish
• Traditional Chinese

FAQ

General

What is PGP Endpoint Application Control and why is it important?

PGP® Endpoint Application Control prevents unauthorized or malicious software from running on your system.

What business problem does PGP Endpoint Application Control solve?

PGP Endpoint Application Control is designed for organizations that wish to proactively protect against the risk of compromised data and disrupted business due to unauthorized or malicious software and demonstrate compliance, without the need to constantly update and maintain systems to protect against known and unknown threats.

How does PGP Endpoint Application Control work? What is the end-user experience?

Once PGP Endpoint Application Control is deployed, its operation is completely transparent.

• Background protection: Users continue to work as usual. The software automatically protects against unauthorized and malicious software applications ensuring data protection without requiring user intervention.
• Single Sign-on: Integration with Microsoft Active Directory and Novell eDirectory enable users to login with existing credentials, ensuring data protection without burdening the user with remembering additional authentication credentials.
• Local authorization: Users have the ability to authorize applications without compromising administrative oversight. Detailed logs and audit trails track all application activity.

How does PGP Endpoint Application Control fit into the PGP Platform?

PGP Endpoint Application Control is an extension of the PGP Platform. The PGP Platform provides an enterprise encryption framework for shared user management, policy, and provisioning that is automated across multiple, integrated encryption applications. Together with PGP Whole Disk Encryption, PGP Endpoint Device Control and PGP Endpoint Application Control provide the enterprise with a complete endpoint data loss prevention solution.

Technical

What operating systems are supported?

For a detailed list of operating systems and other technical specifications, please refer to the PGP Endpoint Application Control Technical Specifications.

What is client hardening, and why is it important?

The PGP Endpoint Application Control client is a hardened client. Client hardening prevents unauthorized un-installation or tampering of the client software; only an administrator can remove a hardened client. This prevents unauthorized users from removing protections that are in place.

What is a whitelist approach? Why is it important?

A whitelist is a list of accepted items or persons in a set. This list is inclusionary, confirming that the item being analyzed is acceptable. It is the opposite of a blacklist which confirms that items are not acceptable. By using a whitelist approach, enterprises can literally turn their backs on the volumes of unwanted applications, malware, and unauthorized devices and instead focus on what is authorized and approved.

What is a kernel level driver and why does PGP Endpoint Application Control install this?

A kernel level driver runs at the operating system kernel level. It is difficult for user mode software to penetrate and bypass kernel level drivers. Kernel level drivers also improve performance when compared to user level drivers. PGP Endpoint Application Control installs a kernel level driver to intercept device access and binary execution requests at the kernel.

Does PGP Endpoint Application Control use the Microsoft Windows domain SAM (Security Account Manager) or is another database required?

The SAM (Security Account Manager) is a component of Windows NT/2000/XP/2003 that stores and manages the user account database. This database contains information for all user and group accounts. SAM also provides user validation services, which are used by the Local Security Authority. PGP Endpoint Application Control uses the SAM but stores a copy of selected parts of users, groups, and computer accounts in the PGP Endpoint Application Control database. The PGP Endpoint Application Control database also holds the relationships between users/groups/machines and specific permissions. Storing this information in a database rather than accessing the SAM each time that user/group/computer information is required offers several advantages: Besides offering far better performance than direct SAM accesses, it also reduces the load on the Domain Controllers and minimizes network traffic. For a list of supported databases, please refer to the PGP Endpoint Application Control Technical Specifications.

Does PGP Endpoint Application Control write to the Windows event log?

PGP Endpoint Application Control provides an option that allows you to log attempts to use a device to the Windows Event Log, which can be used by several third party programs to group and manage events on a more centralized basis.

What languages does PGP Endpoint Application Control support?

PGP Endpoint Application Control supports many languages. Please refer to the technical specifications for more information.

Does PGP Endpoint Application Control need regular updates for known viruses?

PGP Endpoint Application Control does not need any update, as it ignores all unknown files; a new virus will simply be treated as yet another unknown file. You focus on which files you want your users to run. Everything and anything else will be denied execution.

What kinds of threats does PGP Endpoint Application Control prevent?

• Binary Executable Viruses (known and unknown)
• Trojan Horses
• Illegal Software
• Games
• Hacking and cracking tools
• Malware and Spyware
• Peripherals Drivers (Windows embedded drivers or 3rd party drivers)
• Parts of the OS if wanted (Messenger, Internet Explorer plugins, FTP, etc)

Does PGP Endpoint Application Control interfere with other systems or application software?

No.PGP Endpoint Application Control operates transparently and does not interfere with the operating system or other application software.

Does PGP Endpoint Application Control integrate with LDAP directories?

Yes. PGP Endpoint Application Control is compatible with Microsoft® Active Directory and Novell® eDirectory.

Does PGP Endpoint Application Control work with systems management tools?

Yes. PGP Endpoint is compatible with system management tools such as Microsoft SMS that support Microsoft MSI installers.

How much administration does PGP Endpoint Application Control require?

There is no one-size-fits-all. The administration depends on the complexity of the policies set, how dynamic the client environment is, etc. Once up and running in a relatively stable environment, it requires only monitoring.

Does PGP Endpoint Application Control require PGP Universal Server?

No. PGP Endpoint Application Control is centrally managed by the PGP Endpoint Administration Server (included with PGP Endpoint Application Control).

Where can I find release notes and other product-related documentation?

Release Notes and Quick Start Guides are available at http://support.pgp.com/?faq=589. In addition, customers with a current support contract can download User, Administrator, and Developer Guides from the same link.