Denied Item nodes are sub-nodes automatically created in any Rule node when you create a new rule. They allow you to add items to which the groups, users and devices specified in the rule are refused access.
If you are using the default option, which trusts all locally installed Trusted Owner applications, you only need to add specific applications that you do not want users to run. For instance, you can add administrative tools, such as management and registry editing tools.
You do not need to use this list to deny applications that are not owned by an administrator because they are blocked by trusted ownership checking.
Application Control drag and drop functionality can be used to add files, folders, drives and signature items from Windows Explorer or copy or move items between the Allowed Items node and Denied Items nodes in each of the main configuration nodes.
You can add the following items:
If a filename alone is specified, for example, myapp.exe, then all instances of this are denied regardless of the location of the application. If the file is specified with the full path, for example, \\servername\sharename\myapp.exe, then only this instance of the application is denied. Other instances of this application need to satisfy other Application Control rules to be granted execution. For the files and folders in Application Control that refer to items on a DFS share you need to specify the target server, rather than the Namespace server in the UNC path.
For more information, see Distributed File Systems.
A complete folder may be specified, for example, \\servername\servershare\myfolder, and all applications within this folder, and all subfolders are denied. No checks are made on the files within the folder and as such any file copied into this folder will be denied. Select Include subdirectories to include all directories beneath the specified directory. If you add a network file or folder path you must use the UNC name, as the Application Control agent ignores any paths that are configured where the Drive letter is not a local fixed disk. The user can access the network application through a network mapped drive letter, as the path is converted to UNC format before validating it against the configuration settings. To automatically apply environment variables, select Substitute environment variables where possible in the Add a file or Add a folder dialogs. This makes the paths more generic for applying on different machines. Wildcards support provides an additional level of control for specifying generic file paths.
You can specify a complete drive, for example, W, and all the applications on this drive, including subfolders, are denied. No checks are made on the files in the drive so any file copied into any folder on this drive is denied.
A file may be added along with a digital hash of the file. This ensures that only that particular file may be executed but from any location. For more information, see Signature Hashing.
A Network Connection Item can be specified. All files on the network are denied.
Choose which Windows Store apps are denied. You can select one of the following:
- Allow All Installed Apps
- Allow the selected Individual Apps
- Allow all apps by a named Publisher
Groups can contain any number and combination of items, for example, the File, Folder, Drive, Signature, and Network for a particular application. All files are denied.
To add an item, select the Denied Items node and click the Add Itemdrop-down arrow on the Rule Items ribbon, select Deniedand select the type of Denied Item you want to add.
This task prevents all users accessing an application on a network share:
- Select the Denied Items node in Rules > Group > Everyone.
- Click Add Item in the Rule Items ribbon and select Denied.
Select the item that you want to make allowed, for example File.
The Add a File dialog displays.
Enter or browse for the file to be denied.
- The Substitute environment variables where possible checkbox is selected by default. If it is not selected, environment variables will not be replaced with a generic environment variable.
- Select Do not show access denied message when denied if you want to silently deny the item and not to display any warning message to the user.
- Select Ignore Audit Event filtering if you want to capture all events for this item regardless of what is set in Event filtering.
- The Item is added to the Denied Items work area.
If you want to disable a specific rule item, highlight the item, right-click and select Change State. This toggles between disable and enable. This can be useful when needing to trouble shoot with Support.
- Select the item to remove in the Denied Items node.
- In the Rule Items ribbon, click Remove Item.
- Click Yes in the confirmation dialog.
The item is removed from the node.