Block Executable

Table of Contents

1. What is Block Executable
2. Create/Remove Policy
3. Block Executable for All Computers
4. Block Executable for Specific Computers
5. Troubleshooting Tips

IT admins always handle a lots of software and applications for their IT. With a lot of applications to handle, IT admins will have the need to restrict the usage of certain applications, IT admins can leverage the Block Executable capability of Endpoint Central.

What is Block Executable

Block Executable is the capability using which IT admins can restrict the initialization and working of an executable. This blocks the running of exe which are launched without installation on the network. All the file formats supported under Windows "Software Restriction Policy" can be blocked using Endpoint Central. If in case, a software is to be prohibited from your network, prohibited software can be configured to achieve the same.

Block an Executable

1. Using Path Rule
2. Using Hash Rule

Check these pre-requisites to deploy a block executable rule

• Local Group Policy should be enabled on the target machine
• Default security Policy should be set as "Unrestricted"
• Local Group Policy should be enabled for Administrator

Click here to watch the video:

Creating and Removing a Policy

1. To create a Block Executable rule, navigate to Inventory > Block Executable > Add Policy.
2. Add Custom Group(s) to which this rule is to be applied.
3. Next, add the executable that needs to be blocked using either a Path Rule or Hash Rule

To remove a rule, navigate to Inventory > Block Executable and select the policies you wish to remove and click the "Remove Policy" button.

Block using Path Rule

IT admins can block an executable using the Path Rule when the targeted file name/path name remains static. Path Rule works on the logic of filename and it's extensions. Rename or relocation of the file will lead to failure of execution of the rule applied. This rule can be used to block applications even if they are not available in your network. With the help of path rule, all the versions of the specified application can be blocked. For example, when block executable is configured for Google Chrome based on Path Rule for a specific version, all the versions of the Google Chrome will be blocked.

Block using Hash Value

Hash is a unique value, that represents the executable. Blocking an executable using Hash Rule will restrict the application, irrespective of any changes to that application. IT admins should compute the Hash value for the targeted application and add it to the rule to block that executable.

Block Executable for All Computers

Endpoint Central by default has a custom group named "All Computers Group", which contains all the managed computers. If you want to block an executable for all the managed computers, then you can choose the default Custom Group and select the executable, which needs to be blocked. If you want to block the executable for a selected target, follow the below method.

Block Executable for Specific Computers

To block an executable for specific target, create a new custom group or use the existing custom groups. Custom groups can be of any type such as, unique or static or dynamic. You can block executable by choosing custom group which contains computers.

Block executable does not support blocking executable which are initiated by the system.

Troubleshooting Tips:

1. How to enable Local Group Policy on the target machine?
   Perform the following actions manually on the target computer:
   1. Go to Run

   2. Type gpedit.msc

   3. Click Group Policy

   4. Click on "Turn Off Local Group Policy Objects Processing" as shown below.
      
      

   5. Ensure that you have chosen "Not Configured" as shown in the below image.
      
      You have now enabled Local Group Policy on the target machine.

2. How to enable Local Group Policy on the target computer?
   
   Perform the following actions manually on the target computer:
   1. Go to Run

   2. Type gpedit.msc

   3. Right Click on "Local Computer Policy", Choose Properties to ensure that "Disable Computer Configuration Settings" is not selected.
      
      You have now enabled Local Group Policy on the target computer.
3. How to set the Default security Policy as "Unrestricted"
   Perform the following actions on the target computer:
   1. Go to Run

   2. Type gpedit.msc

   3. Click "Security Levels" and double click "Unrestricted" as shown below
      
   4. Ensure that the status is set as "Default" as mentioned in the image below.
   
   You have now enabled Local Group Policy on the target computer.
4. How to enable Local Group Policy for the Administrator?
   Perform the following actions on the target computer:
   1. Go to Run

   2. Type gpedit.msc

   3. Click "Software Restriction Policy"

   4. Double click  "Enforcement" to ensure that "All Users" is selected as shown in the image below
      
      You have now enabled Local Group Policy for Administrators.