Denied Items

In this section:

About Denied Items

Add Denied items to rule sets to restrict access to specific items. The Denied items are displayed in the Denied Items list under a selected rule set.

If you are using the default option, which trusts all locally installed Trusted Owner applications, you only need to add specific applications that you do not want users to run. For instance, you can add administrative tools, such as management and registry editing tools.

You do not need to use this list to deny applications that are not owned by an administrator because they are blocked by trusted ownership checking.

Application Control drag and drop functionality can be used to add files, folders, drives and signature items from Windows Explorer or copy or move items between the Allowed Items node and Denied Items nodes in each of the main configuration nodes.


If a filename alone is specified, for example, myapp.exe, then all instances of this are denied regardless of the location of the application. If the file is specified with the full path, for example, \\servername\sharename\myapp.exe, then only this instance of the application is denied.


A complete folder may be specified, for example, \\servername\servershare\myfolder, and all applications within this folder, and all subfolders are denied. No checks are made on the files within the folder and as such any file copied into this folder will be denied.

If you add a network file or folder path you must use the UNC name, as the Application Control agent ignores any paths that are configured where the Drive letter is not a local fixed disk. The user can access the network application through a network mapped drive letter, as the path is converted to UNC format before validating it against the configuration settings. Wildcards support provides an additional level of control for specifying generic file paths.


You can specify a complete drive, for example, W, and all the applications on this drive, including subfolders, are denied. No checks are made on the files in the drive so any file copied into any folder on this drive is denied.

File Hash

A file may be added along with a digital hash of the file. This ensures that only that particular file will be denied but from any location.

Rule Collection

Rule Collections can contain any number and combination of items, for example, the File, Folder, Drive, Signature, and Network for a particular application. All files are denied.

Related Topics

Allowed Items