If you're having trouble blocking executable files using Application Block advanced rules in Nebula, it could be due to misconfiguration of policies or rule parameters.
Initial troubleshooting
- Review the Requirements for Application Block in Nebula.
- Ensure the Application Block rule is enabled for the corresponding endpoint policy.
- Verify the block rule matches the desired outcome.
- Check if the rule was applied to the endpoint locally by reviewing the file C:\ProgramData\Malwarebytes\MBAMService\config\AppControlConfig.json.
Testing an Application Block Rule and Troubleshooting
CAUTION - Advanced rules can block critical applications if not created correctly. We recommend you understand the full capabilities of advanced rules by creating a test advanced rule on a single endpoint, prior to deploying one globally.
Below are a couple of examples of configuring and troubleshooting an Application Block rule.
Block by file path
For the first demonstration, we are adding a block rule for the file path C:\users\*\downloads\chrome*.exe. This rule blocks any end user from running a file named chrome*.exe located under the root of the downloads folder.
- In Nebula, navigate to Monitor > Application Block > Rules.
- Save the rule in Nebula.
- Review the file "C:\ProgramData\Malwarebytes\MBAMService\config\AppControlConfig.json" and inspect if the file path rule is visible. On our endpoint, we can see that the advanced file path block rule has been applied.
- If the rule is not visible, send the Actions > Check for Protection Updates command via Nebula to force the endpoint to check in.
- Test the rule by launching the ChromeSetup.exe file from Downloads. Attempting to launch the ChromeSetup.exe file should correctly block the exe.
- Next, try creating a subfolder in the Downloads folder with the same ChromeSetup.exe file inside. The exe is not blocked in this scenario because the Application Block rule only specified the root of the Downloads folder, not subfolders under Downloads.
- To block the file in all Downloads subfolders:
  - Edit the rule.
  - Click the + icon.
  - Include file path C:\users\*\downloads\*\chrome*.exe.
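To see why the first rule misses the subfolder copy and the second one catches it, here is a small matcher for the two file-path rules above. It is an added example, not Malwarebytes code, and it assumes (consistent with the behaviour described in this article, though not stated by it) that `*` matches within a single path segment and never crosses a backslash; the sample paths are constructed.

```python
import re

# The two file-path rules from the article: the first covers files directly in
# Downloads, the second covers files one folder below it.
ROOT_ONLY_RULE = r"C:\users\*\downloads\chrome*.exe"
SUBFOLDER_RULE = r"C:\users\*\downloads\*\chrome*.exe"


def rule_to_regex(rule):
    """Translate a wildcard file-path rule into a compiled regex.

    Assumption (not documented in the article, but consistent with the
    behaviour it describes): '*' matches any run of characters inside one
    path segment and never crosses a backslash, so a rule ending in
    '\\downloads\\chrome*.exe' cannot reach into subfolders of Downloads.
    Matching is case-insensitive, like NTFS path comparison.
    """
    literal_parts = [re.escape(part) for part in rule.split("*")]
    return re.compile("^" + r"[^\\]*".join(literal_parts) + "$", re.IGNORECASE)


def matching_rules(path, rules):
    """Return the rules in `rules` that apply to `path` (empty if none)."""
    return [rule for rule in rules if rule_to_regex(rule).match(path)]


def would_block(path, rules):
    """True if at least one rule matches, i.e. the file would be blocked."""
    return bool(matching_rules(path, rules))


if __name__ == "__main__":
    # Constructed sample paths mirroring the article's test: the installer
    # sitting in Downloads itself, then the same file copied into a subfolder.
    in_root = r"C:\Users\alice\Downloads\ChromeSetup.exe"
    in_subfolder = r"C:\Users\alice\Downloads\installers\ChromeSetup.exe"
    for path in (in_root, in_subfolder):
        print(path, "->", matching_rules(path, [ROOT_ONLY_RULE, SUBFOLDER_RULE]))
```

Run it after editing a rule to confirm which of your own test paths each pattern covers before pushing the rule to more endpoints.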
Block by Common Name Certificate property
In this next example, we are blocking the Chrome file by using a more aggressive method, the Certificate Property by Common Name. This block method blocks any file on the endpoint that matches the specified Certificate Property Common Name, regardless of the file location. Since this is an aggressive rule, be sure to test on a single endpoint prior to deploying globally.
- In Nebula, navigate to Monitor > Application Block > Rules.
- Retrieve the certificate information. For more information, see Get file information for Application Block rules in Nebula.
- Add a block rule using the Certificate property rule type and Common name field name.
- Save the rule in Nebula and test the advanced rule. We can see that files signed by Google LLC, regardless of their directory, are blocked from running.
Additional Notes
- Blocking Windows system exe and dll files is not supported. For example, cmd.exe and powershell.exe cannot be blocked.
- MSI files cannot be blocked.
- Files excluded from real-time protection are not blocked by Application Block.