Nexthink Application Library

Nexthink Application Library

The Application Library is an online service provided by Nexthink that maintains a knowledge database with security information and classification criteria for applications and web domains.

The Application Library works in collaboration with the Engine to update the fields of some types of objects in a process that is similar to tagging. The difference with tagging is that these fields are always present in the objects. Moreover, the possible values of the fields (the keywords) are not defined in a category, but predefined in the Application Library.

The Finder groups the fields that are automatically updated the Application Library under the section Nexthink Library of the appropriate objects. To be available, some of these fields require to have installed one of the optional Nexthink Modules. The objects that have such fields are listed below, along with the purpose of each field and an indication of the modules required (if any):

  • Binary (Security module)
    Application category
    Classify the type of application that owns the binary. Useful to know the kind of applications reports on software usage.
    Threat level
    Detection of untrusted and potentially dangerous binaries by comparing their digital footprint with the values of a continuously updated reference database that federates several antivirus applications. Useful for detecting malware.
  • Package
    Windows 7 (32-bit) compatibility
    Asseses the readiness of installed packages for migration to Windows 7 (32-bit). Useful in workplace transformation projects.
    Windows 7 (64-bit) compatibility
    Asseses the readiness of installed packages for migration to Windows 7 (64-bit). Useful in workplace transformation projects.
  • Domain (Web & Cloud and Security modules)
    Reputation
    Detection of accesses to potentially dangerous web sites by comparing the external domain names with the values of a continuously updated reference database that federates several security providers. Useful for detecting risky web browsing.
    Domain category
    Classify the type of web content offered inside a domain. Useful for discovery and browsing profiling.
    Hosting country
    Identify the country that hosts the servers of the external domains. Useful for characterization of the traffic and for security issues with blacklisted countries.

Connecting to the Application Library

The Engine must be connected to the Internet either directly or through a proxy to communicate with the Application library:

  • The Engine connects to the Application Library within 5 minutes after start up.
  • Following this first connection, binaries that have been active at least once in the last seven days are reevaluated every 24 hours.
  • For every new binary, package or domain that appears in the system, the Engine takes around 5 minutes to fetch its data from the Application Library.

Configure the Engine to enable or disable access to the Application Library.

Immediate alerts on Application Library fields

As just explained in the previous section, fetching data from the Application Library is not instantaneous. For that reason, immediate alerts that rely on the value of Application Library fields may fail to fulfill their purpose.

For instance, an immediate alert that is configured to detect the appearance of new binaries with high threat level in the system will fail to detect the first execution of such binaries. In effect, soon after the execution of a new binary and its creation in the Engine, the conditions of the immediate alert are evaluated. At that point, however, the Engine has not updated the threat level of the binary yet. It is only around 5 minutes later that the Engine connects to the Application Library and sets the value for the threat level.

Thus, the best practice in this case is to create an hourly alert in addition to the immediate alert and with the same conditions of the immediate alert. In this way, the first execution of a binary with a high threat level may escape the immediate alert, but will be detected by the hourly alert at the end of the current hour interval, once the Engine has set the correct threat level of the binary.