Rules in Application Block define which software applications and executables are blocked across your endpoints. Multiple rules can be applied to a single policy, which then applies to all endpoints under that policy. There is no priority order between rules — all rules are block rules.
Create Application Block rule
- Go to Monitor > Application Block > Rules tab.
- Click New.
- Enter a unique name for the rule to help identify and manage it later.
- Select from the following options on how to apply your block rule:
- Global - All endpoints: This rule applies to all endpoints that have the policy setting enabled regardless of what policy the endpoint is assigned.
-
Policy
-
Specific: This rule applies to all endpoints assigned to the selected policies.
All except: This rule applies to all endpoints not assigned to the selected policies.
-
Specific: This rule applies to all endpoints assigned to the selected policies.
- Select a Rule type and configure it. See the sections below.
- Click Save. The rule is applied immediately to endpoints with Application Block enabled.
Basic rules
Basic rules block applications by name, vendor, or category. They cannot block portable applications, use an advanced rule for those.
| Rule type | What it blocks | How to configure |
|---|---|---|
| Application | Specific installed applications | Select applications from the provided list |
| Vendor | All applications from a specific vendor | Select vendors from the provided list |
| Category | A predefined category of applications (e.g., Remote Control) |
Select a category; uncheck individual apps to exclude them from the block. To see which rules have an exclusion, use the Exclusions column on the Rules tab. If you don't see this column, click Add / Remove columns and select it to add it. |
Advanced rules
Advanced rules block applications using file metadata. On the rule creation page, toggle on Advanced rules to access these options.
CAUTION - Do not use general names for property descriptions such as Photoshop for Adobe applications. This may impact other applications which use photoshop.
| Rule type | What it matches | How to configure |
|---|---|---|
| File path | The file's location on disk | Enter the file path. Use a wildcard if needed (e.g., C:\Users\*\Downloads\app.exe). For more information, see the Wildcards syntax section below. |
| File property | File metadata (e.g., product name, description) | Select a file property name and enter a value. Multiple properties are treated as OR conditions. |
| Certificate property | Certificate values associated with the application | Select a certificate property name and enter a value. Multiple properties are treated as OR conditions. |
| Hash value | MD5, SHA-1, or SHA-256 hash + file size in bytes | Enter the hash value and file size in bytes. |
To look up file properties, certificate details, hash values, or file sizes, see Get file information for Application Block rules in Nebula.
Wildcards syntax
The ?:\ wildcard matches any drive letter on a Windows endpoint. To match any folder on any drive, use ?:\**\. For user profile paths, ?:\Users\*\AppData\ matches the AppData folder across all user profiles.
When creating rules, keep in mind that a path like ?:\**\XYZ.exe will block the executable from running in any location except the root of the drive. To ensure full coverage, add ?:\XYZ.exe as an additional rule alongside it.
To block all applications within a specific folder, use ?:\{folder}\* — any application inside that folder will be prevented from running.
Return to Application Block guide for Nebula.