You can add Windows, macOS, and Linux applications that should be trusted, such as other antivirus or endpoint security applications. Trusted applications are designed to help mitigate performance issues and incompatibilities with other endpoint software installed on your hosts. Trusted applications apply only to hosts running the Elastic Defend integration.
Trusted applications create blindspots for Elastic Defend, because the applications are no longer monitored for threats. One avenue attackers use to exploit these blindspots is by DLL (Dynamic Link Library) side-loading, where they leverage processes signed by trusted vendors — such as antivirus software — to execute their malicious DLLs. Such activity appears to originate from the trusted application’s process.
Trusted applications might still generate alerts in some cases, such as if the application’s process events indicate malicious behavior. To reduce false positive alerts, add an Endpoint alert exception, which prevents Elastic Defend from generating alerts. To compare trusted applications with other endpoint artifacts, refer to Optimize Elastic Defend.
By default, a trusted application is recognized globally across all hosts running Elastic Defend. If you have a Platinum or Enterprise subscription, you can also assign a trusted application to a specific Elastic Defend integration policy, enabling the application to be trusted by only the hosts assigned to that policy.
To add a trusted application:
- Go to Manage → Trusted applications.
- Click Add trusted application.
Fill in the following fields in the Add trusted application flyout:
Name your trusted application: Enter a name for the trusted application.
Description(Optional): Enter a description for the trusted application.
Select operating system: Select the appropriate operating system from the drop-down.
Field: Select a field to identify the trusted application:
Hash: The MD5, SHA-1, or SHA-256 hash value of the application’s executable.
Path: The full file path of the application’s executable.
Signature: (Windows only) The name of the application’s digital signer.
To find the signer’s name for an application, go to Kibana → Discover and query the process name of the application’s executable (for example,
process.name : "mctray.exe"for a McAfee security binary). Then, search the results for the
process.code_signature.subject_namefield, which contains the signer’s name (for example,
Operator: Select an operator to define the condition:
is: Must be exactly equal to
Value. This operation is required for the
matches: Can include wildcards in
Value, such as
C:\path\*\app.exe. This option is only available for the
Pathfield type. Available wildcards are
?(match one character) and
*(match zero or more characters).
Value: Enter the hash value, file path, or signer name. To add an additional value, click AND.
You can only add a single field type value per trusted application. For example, if you try to add two
Pathvalues, you’ll get an error message. Also, an application’s hash value must be valid to add it as a trusted application. In addition, to minimize visibility gaps in the Elastic Security app, be as specific as possible in your entries. For example, combine
Signatureinformation with a known
Select an option in the Assignment section to assign the trusted application to a specific integration policy:
Global: Assign the trusted application to all integration policies for Elastic Defend.
Per Policy(Platinum or Enterprise subscription only): Assign the trusted application to one or more specific Elastic Defend integration policies. Select each policy in which you want the application to be trusted.
You can also select the
Per Policyoption without immediately assigning a policy to the trusted application. For example, you could do this to create and review your trusted application configurations before putting them into action with a policy.
- Click Add trusted application. The application is added to the Trusted applications list.
View and manage trusted applicationsedit
The Trusted applications page displays all the trusted applications that have been added to the Elastic Security app. To refine the list, use the search bar to search by name, description, or field value.
Edit a trusted applicationedit
You can individually modify each trusted application. With a Platinum or Enterprise subscription, you can also change the policies that a trusted application is assigned to.
To edit a trusted application:
- Click the actions menu (…) on the trusted application you want to edit, then select Edit trusted application.
- Modify details as needed.
- Click Save.
Delete a trusted applicationedit
You can delete a trusted application, which removes it entirely from all Elastic Defend integration policies.
To delete a trusted application:
- Click the actions menu (…) on the trusted application you want to delete, then select Delete trusted application.
- On the dialog that opens, verify that you are removing the correct application, then click Delete. A confirmation message is displayed.