Application Protection Rules alleviate compatibility and stability issues involving process hooking. They permit or block user-level API hooking for defined and generated lists of processes. Kernel-level file and registry hooking are not affected.
Host Intrusion Prevention provides a static list of processes that are permitted or blocked. This list is updated with content update releases. In addition, processes that are permitted to hook can be added dynamically to the list when process analysis is enabled. This analysis is performed:
The analysis first checks whether the process is in the blocked list. If not, the permitted list is checked. If the process is in neither list, it is analyzed to see whether it listens on a network port or runs as a service: if it does either, it is permitted to hook; otherwise it is blocked.
The IPS component maintains an information cache on running processes, which tracks hooking information. When the firewall component determines that a process listens on a network port, it calls an API exported by the IPS component and passes the process information so it can be added to the monitored list. When the API is called, the IPS component locates the corresponding entry in its running processes list. A process that is not already hooked and is not part of the static block list is then hooked. The firewall provides the PID (Process ID), which is the key for the cache lookup of a process.
The API exported by the IPS component also allows the client UI to retrieve the list of currently hooked processes, which is updated whenever a process is hooked or unhooked. A hooked process will be unhooked if the console sends an updated process list that specifies that the already hooked process should no longer be hooked. When the process hooking list is updated, every process listed in the information cache of running processes is compared against the updated list. If the list indicates that a process should be hooked and it is not already hooked, that process will be hooked. If the list indicates that a process should not be hooked and it is already hooked, that process will be unhooked.
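The decision order (blocked list, then permitted list, then port/service analysis), the firewall-to-IPS PID hand-off and the reconciliation on a list update can be modelled compactly. The following is an added illustration written for this page, not McAfee code; the process names, PIDs and list contents are constructed, and the `HookCache` class and its methods are hypothetical names.

```python
"""Model of the Host IPS process-hooking decision described above.
Added example, not product code; all names and lists are constructed."""
from dataclasses import dataclass

STATIC_BLOCK = {"blocked_app.exe"}   # constructed stand-in for the static block list
STATIC_PERMIT = {"svchost.exe"}      # constructed stand-in for the static permit list


@dataclass
class ProcInfo:
    pid: int
    name: str
    listens: bool = False      # set when the firewall reports a listening port
    is_service: bool = False   # runs as a service
    hooked: bool = False


def should_hook(p, block, permit):
    """Decision order from the text: blocked list, permitted list, then analysis."""
    if p.name in block:
        return False
    if p.name in permit:
        return True
    return p.listens or p.is_service


class HookCache:
    """Hypothetical model of the IPS running-process information cache."""

    def __init__(self, block=STATIC_BLOCK, permit=STATIC_PERMIT):
        self.block, self.permit = set(block), set(permit)
        self.procs = {}   # PID -> ProcInfo; the PID is the cache lookup key

    def add_process(self, p):
        p.hooked = should_hook(p, self.block, self.permit)
        self.procs[p.pid] = p

    def firewall_reports_listener(self, pid):
        """Firewall hands over a PID: hook unless already hooked or statically blocked."""
        p = self.procs.get(pid)
        if p is None:
            return False
        p.listens = True
        if not p.hooked and p.name not in self.block:
            p.hooked = True
        return p.hooked

    def update_lists(self, block, permit):
        """Console pushes a new list: every cached process is re-evaluated against it."""
        self.block, self.permit = set(block), set(permit)
        for p in self.procs.values():
            p.hooked = should_hook(p, self.block, self.permit)

    def hooked_processes(self):
        return sorted(p.name for p in self.procs.values() if p.hooked)
```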
The process hooking lists can be viewed and edited on the Application Protection Rules tab. The client user interface, unlike the view on the IPS Rules policy, shows a list of all hooked application processes.
To create an application protection rule: