Faronics Anti-Executable Enterprise: Complete Deployment Guide
How to Configure Faronics Anti-Executable Enterprise: Best Practices
1. Pre-deployment planning
- Inventory: Scan endpoints to list OS versions, installed applications, user roles, and hardware.
- Scope: Start with a pilot group (10–50 devices) representing different OSes and user types.
- Policy model: Choose whitelist-by-default for highest security; consider hybrid (whitelist for workstations, more permissive for developer machines).
- Backups & rollback: Ensure system restore points and configuration backups exist and document rollback steps.
2. Installation & initial setup
- Server components: Install the Anti-Executable Enterprise Console on a dedicated management server that meets the vendor's recommended resource requirements.
- Agent deployment: Use your existing software distribution (SCCM, Intune, GPO) to deploy agents to pilot endpoints.
- Console access: Restrict console access with strong admin accounts; enable MFA if available.
3. Baseline application discovery
- Automated discovery: Run an initial discovery scan in “learning” or “monitor” mode to capture legitimate application usage without blocking.
- Cataloging: Classify discovered executables as trusted, unknown, or malicious. Prioritize common system binaries and productivity apps for immediate trust rules.
- Hashing & signing: Prefer publisher-signature and certificate rules over simple hashes where possible; a hash rule has to be re-issued every time the binary is updated, so publisher rules reduce maintenance.
4. Policy creation & rule design
- Least privilege: Create policies that allow only the minimum required applications and scripts per user group.
- Rule types: Use a combination of publisher rules, path rules, hash rules, and folder exclusions to balance security and manageability.
- Default deny: Implement default-deny for executable launches; explicitly allow required apps.
- Script control: Restrict script interpreters (PowerShell, cmd, Python and other script hosts) and allow signed or approved scripts only.
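The rule precedence described in sections 3 and 4 can be made concrete with a small evaluation model. This is an added illustration, not Faronics code or the product's actual engine: the `Policy` and `LaunchRequest` shapes, the rule names and the interpreter list are assumptions chosen for the example. It applies an explicit deny first, then interpreter control (a trusted PowerShell is still refused an unvetted script), then publisher, hash and path rules, and finally falls through to default deny.

```python
"""Illustrative allow-list evaluation model (added example; not Faronics code).

Assumptions: rule types, field names and the SCRIPT_HOSTS list are invented
for this example. Publisher means the subject of a *valid* Authenticode
signature; an unsigned or badly signed image has publisher=None.
"""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Optional

# Script hosts that get the stricter "signed or approved script only" treatment
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "python.exe",
                "wscript.exe", "cscript.exe"}


@dataclass
class LaunchRequest:
    path: str                          # full path of the image being launched
    sha256: str                        # hash of the image on disk
    publisher: Optional[str]           # valid signature subject, or None
    script: Optional[str] = None       # script handed to an interpreter, if any
    script_sha256: Optional[str] = None
    script_signed: bool = False        # script carries a valid signature


@dataclass
class Policy:
    trusted_publishers: set = field(default_factory=set)
    allowed_hashes: set = field(default_factory=set)
    # Directory prefixes; only safe for locations standard users cannot write to
    allowed_paths: list = field(default_factory=list)
    approved_scripts: set = field(default_factory=set)   # hashes of reviewed scripts
    denied_hashes: set = field(default_factory=set)      # explicit blocks win over any allow


def _under(path: str, prefix: str) -> bool:
    """True if path lies under the prefix directory (case-insensitive)."""
    try:
        PureWindowsPath(path.lower()).relative_to(PureWindowsPath(prefix.lower()))
        return True
    except ValueError:
        return False


def evaluate(req: LaunchRequest, pol: Policy) -> tuple:
    """Return (decision, reason); decision is 'allow' or 'deny', default deny."""
    h = req.sha256.lower()
    if h in pol.denied_hashes:
        return "deny", "explicit deny rule"
    # Interpreter control: the host may be trusted, but the script must be vetted too
    name = PureWindowsPath(req.path).name.lower()
    if name in SCRIPT_HOSTS and req.script is not None:
        vetted = req.script_signed or (
            req.script_sha256 and req.script_sha256.lower() in pol.approved_scripts)
        if not vetted:
            return "deny", f"unapproved script passed to {name}"
    # Publisher rules first: they survive product updates, unlike hashes
    if req.publisher and req.publisher in pol.trusted_publishers:
        return "allow", "publisher rule"
    if h in pol.allowed_hashes:
        return "allow", "hash rule"
    if any(_under(req.path, d) for d in pol.allowed_paths):
        return "allow", "path rule"
    return "deny", "default deny"


# Constructed sample policy for the pilot group (values are placeholders)
PILOT_POLICY = Policy(
    trusted_publishers={"CN=Microsoft Corporation"},
    allowed_hashes={"a" * 64},
    allowed_paths=[r"C:\Program Files"],
    approved_scripts={"b" * 64},
    denied_hashes={"c" * 64},
)

if __name__ == "__main__":
    req = LaunchRequest(r"C:\Users\jdoe\Downloads\invoice.exe", "f" * 64, None)
    print(evaluate(req, PILOT_POLICY))
```

The ordering matters: the explicit deny list is checked before any allow rule so a known-bad binary dropped into an allowed directory is still blocked, and the script check runs before the publisher rule so that trusting the interpreter's publisher does not silently trust every script it is asked to run.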
5. Testing & rollout strategy
- Pilot validation: Run the pilot in report-only mode for 1–2 weeks, review blocked attempts, and adjust rules.
- Staged rollout: Expand to larger groups incrementally (e.g., by department) and monitor for business-impacting blocks.
- Communication: Notify users about upcoming enforcement and provide a simple request process for blocked apps.
6. Handling exceptions & application requests
- Approval workflow: Define a fast approval path for legitimate blocked apps (ticketing integration recommended).
- Temporary exceptions: Use time-limited exceptions for testing new apps; avoid permanent wide exceptions.
- Whitelist hygiene: Periodically review whitelisted entries, removing unused or risky allowances.
7. Monitoring, logging & incident response
- Central logging: Forward Anti-Executable logs to your SIEM for correlation and long-term retention.
- Alerting: Create alerts for repeated blocked attempts, new unsigned executables, or agent tampering.
- Forensics: Keep executable samples and hashes when investigating incidents; snapshot affected endpoints if needed.
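The three alert conditions listed above can be expressed as detection logic over the forwarded events. The following is an added example, not Faronics code: the key=value log format, the event names (`BLOCKED`, `ALLOWED`, `AGENT_TAMPER`) and the sample lines are constructed for illustration, since the real export format depends on how the console is wired to the SIEM. It raises one alert per host for three or more blocks inside a ten-minute window, one alert the first time an unsigned hash is seen anywhere in the fleet, and one alert for every tamper event.

```python
"""Detection logic over constructed Anti-Executable-style events (added example).

Assumptions: a line is '<ISO8601 timestamp> key=value key="quoted value" ...'
with keys host, user, event, path, sha256, signed and (for tamper) detail.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log; paths with spaces are quoted
SAMPLE_LOG = [
    r'2024-05-02T09:00:10Z host=WS-014 user=CORP\jdoe event=ALLOWED path="C:\Program Files\Microsoft Office\WINWORD.EXE" sha256=1111 signed=yes',
    r'2024-05-02T09:01:00Z host=WS-014 user=CORP\jdoe event=BLOCKED path="C:\Users\jdoe\Downloads\invoice.exe" sha256=2222 signed=no',
    r'2024-05-02T09:02:30Z host=WS-014 user=CORP\jdoe event=BLOCKED path="C:\Users\jdoe\Downloads\invoice.exe" sha256=2222 signed=no',
    r'2024-05-02T09:03:45Z host=WS-014 user=CORP\jdoe event=BLOCKED path="C:\Users\jdoe\Downloads\invoice(1).exe" sha256=2222 signed=no',
    r'2024-05-02T09:20:00Z host=WS-022 user=CORP\asmith event=BLOCKED path="C:\Temp\update.exe" sha256=3333 signed=no',
    r'2024-05-02T09:21:00Z host=WS-022 user=CORP\asmith event=AGENT_TAMPER detail="service stop attempt"',
    r'2024-05-02T09:45:00Z host=WS-014 user=CORP\jdoe event=BLOCKED path="C:\Users\jdoe\Downloads\invoice.exe" sha256=2222 signed=no',
]


def parse_line(line):
    """Parse one event line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(lines, block_threshold=3, window=timedelta(minutes=10)):
    """Return alerts as (kind, host, detail) tuples in the order they fire."""
    alerts = []
    recent = defaultdict(deque)   # host -> timestamps of blocks inside the window
    seen_hashes = set()           # fleet-wide first-sighting tracker
    fired_repeat = set()          # hosts already alerted, to avoid alert storms
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        host = rec.get("host", "?")
        ev = rec.get("event")
        if ev == "AGENT_TAMPER":
            alerts.append(("agent_tamper", host, rec.get("detail", "")))
        sha = rec.get("sha256")
        if sha:
            if rec.get("signed") == "no" and sha not in seen_hashes:
                alerts.append(("new_unsigned_executable", host, rec.get("path", "")))
            seen_hashes.add(sha)
        if ev == "BLOCKED":
            q = recent[host]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= block_threshold and host not in fired_repeat:
                fired_repeat.add(host)
                alerts.append(("repeated_blocks", host, f"{len(q)} blocks in {window}"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

The per-host deduplication (`fired_repeat`) is deliberate: during a staged rollout a single mis-scoped rule can produce hundreds of blocks on one machine, and one alert per host is what the SIEM operator actually needs to triage.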
8. Maintenance & updates
- Policy reviews: Review policies quarterly to adjust for new business needs and software updates.
- Agent & console updates: Apply product updates and patches promptly, testing on a small group first.
- Certificate management: Monitor code-signing certificate expirations and update publisher rules accordingly.
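Sections 6 and 8 both describe periodic review of the allow list: expiring temporary exceptions, unused entries, and publisher rules whose signing certificates are about to lapse. The following added example (not Faronics code) runs those three checks over a constructed set of entries; the `AllowEntry` fields, the 90-day "unused" threshold and the 30-day certificate warning are assumptions chosen for the illustration, and the last-used dates would in practice come from the console's usage reports.

```python
"""Quarterly allow-list hygiene review (added example; not Faronics code).

Assumptions: entry kinds, field names and thresholds are invented here.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class AllowEntry:
    name: str
    kind: str                              # "publisher" | "hash" | "path" | "exception"
    added: date
    last_used: Optional[date]              # last matching launch, None if never
    expires: Optional[date] = None         # set on time-limited exceptions
    cert_not_after: Optional[date] = None  # publisher rules: signing cert expiry


def review(entries, today, unused_after=timedelta(days=90),
           cert_warn=timedelta(days=30)):
    """Return findings as (entry name, finding, recommended action) tuples."""
    findings = []
    for e in entries:
        if e.expires is not None and e.expires < today:
            findings.append((e.name, "expired exception", "remove"))
            continue  # nothing else to say about an entry that should already be gone
        if e.kind == "publisher" and e.cert_not_after is not None:
            days_left = (e.cert_not_after - today).days
            if days_left < 0:
                findings.append((e.name, "signing certificate expired",
                                 "update publisher rule for the renewed certificate"))
            elif days_left <= cert_warn.days:
                findings.append((e.name, f"signing certificate expires in {days_left} days",
                                 "obtain renewed certificate details before expiry"))
        last = e.last_used or e.added
        if today - last > unused_after:
            findings.append((e.name, f"not used in {(today - last).days} days",
                             "confirm still needed or remove"))
    return findings


# Constructed sample allow list (names and dates are placeholders)
SAMPLE_ENTRIES = [
    AllowEntry("Microsoft Corporation", "publisher", date(2023, 1, 10),
               date(2024, 5, 31), cert_not_after=date(2025, 3, 1)),
    AllowEntry("ContosoTools signed apps", "publisher", date(2023, 6, 1),
               date(2024, 5, 20), cert_not_after=date(2024, 6, 15)),
    AllowEntry("legacy-report.exe", "hash", date(2023, 9, 1), date(2024, 1, 15)),
    AllowEntry("Pilot: newapp.exe", "exception", date(2024, 4, 1),
               date(2024, 4, 20), expires=date(2024, 5, 1)),
    AllowEntry(r"C:\Program Files\Dev", "path", date(2024, 5, 15), None),
]

if __name__ == "__main__":
    for f in review(SAMPLE_ENTRIES, date(2024, 6, 1)):
        print(f)
```

Expired exceptions are reported and skipped before the other checks so the review output does not also nag about an entry being unused when the real action is simply to delete it.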
9. Performance & reliability
- Resource tuning: Ensure endpoints meet minimum resource requirements; adjust scan schedules to off-peak hours.
- High availability: If supported, configure redundant management servers and backup consoles.
10. Compliance & documentation
- Audit trails: Maintain change logs for policy updates and exception approvals.
- Documentation: Document baseline policies, rollout plan, exception workflows, and rollback procedures for audits.
Quick checklist
- Inventory endpoints and choose pilot group
- Install console and deploy agents to pilot in monitor mode
- Discover and classify applications, create whitelist policies
- Test, adjust, and follow staged rollout with user communication
- Integrate logging, set alerts, and define exception workflows
- Regularly review policies, update agents, and maintain documentation