Denied Items
In this section:
About Denied Items
Add Denied items to rule sets to restrict access to specific items. The Denied items are displayed in the Denied Items list under a selected rule set.
If you are using the default option, which trusts all locally installed applications owned by a Trusted Owner, you only need to add the specific applications that you do not want users to run, even though they pass the ownership check. For instance, you can add administrative tools, such as management and registry editing tools.
You do not need to use this list to deny applications that are not owned by a Trusted Owner (such as an administrator), because Trusted Ownership checking already blocks them.
Application Control drag and drop functionality can be used to add files, folders, drives and signature items from Windows Explorer, or to copy or move items between the Allowed Items and Denied Items nodes in each of the main configuration nodes.
File
If a filename alone is specified, for example, myapp.exe, then every file with that name is denied regardless of its location. If the file is specified with the full path, for example, \\servername\sharename\myapp.exe, then only that instance of the application is denied. Because a File item matches on the name or path rather than on the file's contents, a copy of the same binary saved under a different name is not matched by it; use a File Hash item to deny a specific binary whatever it is called.
- Select the Executable Control node for a rule set.
- Right-click and select Denied > File.
The Add a File dialog displays.
- In the Properties tab, click the ellipsis (...) in the text box.
- In the Open dialog, navigate to the file that you want to add and click OK.
If required, you can select the following:
- Substitute environment variables where possible
- Use regular expression
- Enter optional command line arguments in the Arguments text box. Enter all arguments as they appear in Process Explorer.
Command line arguments extend the matching criteria beyond what is entered in the File field. If an argument is added, both file and argument must be satisfied for a match to occur. Any argument that appears on the command line for a process, such as flags, switches, files, and Guids, can be added.
Denied File | Allowed File | Result
---|---|---
shutdown.exe | shutdown.exe, Arguments: -r -t 30 | shutdown.exe runs only when -r -t 30 is on the command line; any other invocation of shutdown.exe is denied.
To configure the arguments of an allowed or denied item correctly, they must appear exactly as they do in the Process Explorer Command line column, with the executable itself left out of the Arguments field. For example:
File: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n C:\example.docx
Would be configured as:
File: Absolute or relative path of winword.exe
Arguments: /n C:\example.docx
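The Arguments field must reproduce what the process was actually started with, so it helps to capture command lines from live processes rather than typing them from memory. The following PowerShell script is an added example, not part of the Application Control documentation or product: it reads the same command line that Process Explorer shows, using the Win32_Process class, and splits off the leading executable token so that what remains can be pasted into the Arguments box. The default process name filter (WINWORD.EXE) and the Split-CommandLine helper are assumptions made for this example.

```powershell
# Added example (not from the Application Control documentation): list the image
# path and command line of running processes, split into the File and Arguments
# values used by a Denied or Allowed File item.
# $Name is an assumed filter; pass -Name '' to list every process.
param([string]$Name = 'WINWORD.EXE')

function Split-CommandLine {
    param([string]$CommandLine)
    # The first token is the executable, either a "quoted path" or a bare path.
    # Everything after it is the argument string the agent matches against.
    if ($CommandLine -match '^\s*(?:"(?<exe>[^"]+)"|(?<exe>\S+))\s*(?<rest>.*)$') {
        return [pscustomobject]@{ Exe = $Matches.exe; Arguments = $Matches.rest }
    }
    # Processes such as System report no command line; nothing to configure.
    return [pscustomobject]@{ Exe = $CommandLine; Arguments = '' }
}

Get-CimInstance Win32_Process |
    Where-Object { -not $Name -or $_.Name -ieq $Name } |
    ForEach-Object {
        $parts = Split-CommandLine $_.CommandLine
        [pscustomobject]@{
            ProcessId = $_.ProcessId
            # Absolute path of the image; use the filename alone in the item
            # if the rule should apply regardless of location.
            File      = $_.ExecutablePath
            # Paste this string verbatim into the Arguments text box.
            Arguments = $parts.Arguments
        }
    } | Format-List
```

Run it from an elevated prompt to see processes belonging to other sessions; from a standard prompt only the current user's processes report an ExecutablePath and CommandLine.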
- If required, enter an optional description of the file for your future reference.
- Select Do not show access denied message when denied to silently block the file without the user being informed.
- Select Ignore Event Filtering to raise all events regardless of what has been set in the Events Selection.
- To add metadata to the file, select the Metadata tab.
The following fields can be populated: Product Name, Vendor, Company Name, File Description, File Version, and Product Version.
- To automatically complete the fields select Populate metadata from file.
You can refine any of the data; select the required check box and edit the fields.
If Vendor metadata is enabled, a further option becomes available: Verify certificate at runtime. When this option is enabled, the agent verifies the certificate while it is matching the file. Click Verify Options to access a further set of criteria used during file matching.
For further information, see Verify Options.
- Click Add to add the file to the Denied executables for the rule set.
The file is added to the Denied Items work area.
Folder
A complete folder may be specified, for example, \\servername\servershare\myfolder, and all applications within this folder are denied, together with all subfolders when Include subfolders is selected. No checks are made on the files within the folder, so any file copied into this folder is denied.
If you add a network file or folder path you must use the UNC name, as the Application Control agent ignores any configured path whose drive letter is not a local fixed disk. Users can still reach the network application through a mapped drive letter, because the path is converted to UNC format before it is validated against the configuration settings. Wildcard support provides an additional level of control for specifying generic file paths.
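Because a configured path on a mapped drive letter is silently ignored while the same path in UNC form is enforced, it is worth checking a path before adding it. The following PowerShell script is an added example, not part of the Application Control documentation or product: it looks up the drive type of the path's drive letter with Win32_LogicalDisk, passes local fixed disks through unchanged, rewrites network drives to their UNC provider name, and warns about anything else. The sample path W:\tools\myapp.exe and the ConvertTo-UncPath helper are constructed for this example.

```powershell
# Added example (not from the Application Control documentation): rewrite a
# mapped-drive path into the UNC form required for a Denied Folder or File item,
# and warn when the drive letter is one the agent would ignore.
# $Path is a constructed sample; replace it with the path you intend to configure.
param([string]$Path = 'W:\tools\myapp.exe')

function ConvertTo-UncPath {
    param([string]$LocalPath)
    if ($LocalPath -notmatch '^(?<drive>[A-Za-z]):(?<rest>\\.*)?$') {
        return $LocalPath                      # already UNC or relative: leave unchanged
    }
    $letter = $Matches.drive
    $rest   = [string]$Matches.rest
    $disk   = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='${letter}:'"
    switch ($disk.DriveType) {
        3 { return $LocalPath }                # local fixed disk: configurable as-is
        4 {                                    # network drive: substitute the UNC root
            return ($disk.ProviderName.TrimEnd('\') + $rest)
        }
        default {
            Write-Warning ("{0}: is not a local fixed disk (DriveType {1}); " +
                           "the agent ignores a path configured with this letter.") -f $letter, $disk.DriveType
            return $LocalPath
        }
    }
}

ConvertTo-UncPath $Path
```

Drive mappings are per user session, so run the script in the session that owns the mapping you are converting; a drive letter that is not mapped in the current session falls through to the warning branch.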
- Select the Executable Control node for a rule set.
- Right-click and select Denied > Folder.
The Add a Folder dialog displays.
- In the Properties tab, click the ellipsis (...) in the text box.
- In the Open dialog, navigate to the folder that you want to add and click OK.
If required, you can select the following:
- Substitute environment variables where possible
- Use regular expression
- Include subfolders
- If required, enter an optional description of the folder for your future reference.
- Select Do not show access denied message when denied to silently block the folder without the user being informed.
- Select Ignore Event Filtering to raise all events regardless of what has been set in the Events Selection.
- To add metadata to the folder, select the Metadata tab.
The following fields can be populated: Product Name, Vendor, Company Name, File Description, File Version, and Product Version.
- To automatically complete the fields select Populate metadata from file.
You can refine any of the data; select the required check box and edit the fields.
If Vendor metadata is enabled, a further option becomes available: Verify certificate at runtime. When this option is enabled, the agent verifies the certificate while it is matching the file. Click Verify Options to access a further set of criteria used during file matching.
For further information, see Verify Options.
- Click Add to add the folder to the Denied executable folders for the rule set.
The folder is added to the Denied work area.
Drive
You can specify a complete drive, for example, W, and all the applications on this drive, including those in subfolders, are denied. No checks are made on the files on the drive, so any file copied into any folder on this drive is denied.
- Select the Executable Control node for a rule set.
- Right-click and select Denied > Drive.
The Add a Drive dialog displays.
- Enter the Drive letter you want to deny and a description.
- Select Do not show access denied message when denied to silently block the drive without the user being informed.
- Click Add to add the drive item to the Denied executables list.
File Hash
A file may be added together with a hash of its contents. This ensures that only that exact file, meaning any copy with the same hash, is denied, but from any location and whatever name it is given.
- Select the Executable Control node for a rule set.
- Right-click and select Denied > File Hash.
The Add a File Hash dialog displays.
- In the Properties tab, click the ellipsis (...) in the text box.
- In the Open dialog, navigate to the file whose hash you want to add and click OK.
- Enter optional command line arguments in the Arguments text box. Enter all arguments as they appear in Process Explorer.
Command line arguments extend the matching criteria beyond what is entered in the File field. If an argument is added, both file hash and argument must be satisfied for a match to occur. Any argument that appears on the command line for a process, such as flags, switches, files, and GUIDs, can be added.
- If required, enter an optional description of the file hash for your future reference.
- The file hash value is displayed; select Rescan to update the file hash. A hash item matches only the exact contents it was computed from, so once the file is patched or otherwise changed the item no longer matches until it is rescanned.
- Select Do not show access denied message when denied to silently block the file without the user being informed.
- Select Ignore Event Filtering to raise all events regardless of what has been set in the Events Selection.
- Click Add to add the file hash to the Denied File Hash items for the rule set.
The file hash item is added to the Denied work area.
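Because a File Hash item stops matching as soon as the file it was computed from changes, a practical check is to record the hashes of the files you have added and periodically compare them with the files as they now exist, so that items needing a Rescan are found before an update quietly takes a tool out of the deny list. The following PowerShell script is an added example, not part of the Application Control documentation or product. The list of denied files, the baseline file location, the SHA256 algorithm choice and the Get-DeniedHashTable helper are all assumptions made for this example; use whichever algorithm reproduces the value shown in the Add a File Hash dialog.

```powershell
# Added example (not from the Application Control documentation): record the
# hashes of files added as Denied File Hash items, then report which ones have
# changed since the baseline and therefore need a Rescan in the console.
param(
    # Constructed sample list; replace with the files you have added as hash items.
    [string[]]$DeniedFiles = @('C:\Tools\regedit-copy.exe', 'C:\Tools\psexec.exe'),
    [string]$BaselinePath = "$env:TEMP\denied-hash-baseline.json",
    [switch]$Record   # write a new baseline instead of comparing against one
)
# Assumption: pick the algorithm whose output matches the value the dialog displays.
$Algorithm = 'SHA256'

function Get-DeniedHashTable {
    param([string[]]$Paths, [string]$Algo)
    $table = @{}
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $table[$p] = (Get-FileHash -LiteralPath $p -Algorithm $Algo).Hash
        } else {
            $table[$p] = $null    # file absent: the hash item cannot be verified here
        }
    }
    return $table
}

$current = Get-DeniedHashTable -Paths $DeniedFiles -Algo $Algorithm

if ($Record) {
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
    return
}

$baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
foreach ($p in $DeniedFiles) {
    $old = $baseline.$p
    $new = $current[$p]
    $status = if (-not $new)          { 'missing' }
              elseif ($old -ieq $new) { 'unchanged' }
              else                    { 'changed: open the item and click Rescan' }
    [pscustomobject]@{ Path = $p; Status = $status; Baseline = $old; Current = $new }
}
```

Run the script once with -Record immediately after adding the items, then without it on a schedule; any row marked changed corresponds to a hash item that no longer matches the file on disk.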
Rule Collection
Rule Collections can contain any number and combination of items, for example, the File, Folder, Drive, Signature, and Network items for a particular application. When a collection is added here, every item it contains is denied.
- Select the Executable Control node for a rule set.
- Right-click and select Denied > Rule Collection.
The Rule Collection Selection dialog displays.
- Select the Add to Rule check box for the collection(s) that you want to add to the rule set.
- Once you have selected a collection you can select:
- Silent Deny - blocks the items without any message being displayed.
- Ignore Event Filtering - raises all events regardless of what has been set in the Events Selection.
- Click OK to add the collection(s) to the Denied Rule Collections for the rule set.
The Rule collection is added to the Denied work area.