If you're having trouble blocking executable files using Application Block advanced rules in OneView, it could be due to misconfiguration of policies or rule parameters.
Initial troubleshooting
- Review the Requirements for Application Block in OneView.
- Ensure the Application Block rule is enabled for the corresponding endpoint policy.
- Verify the block rule matches the desired outcome.
- Check if the rule was applied to the endpoint locally by reviewing the file C:\ProgramData\Malwarebytes\MBAMService\config\AppControlConfig.json.
Testing an Application Block Rule and Troubleshooting
CAUTION - Advanced rules can block critical applications if not created correctly. We recommend you understand the full capabilities of advanced rules by creating a test advance rule on a single endpoint, prior to deploying one globally.
Below are a couple examples of configuring and troubleshooting an Application Block rule.
Block by file path
For the first demonstration, we are adding a block rule for the file path C:\users\*\downloads\chrome*.exe. This rule blocks any end user from running a file named chrome*.exe located under the root of the downloads folder.
- In OneView, navigate to Monitor > Application Block > Rules.
- Save the rule in OneView.
- Review the file "C:\ProgramData\Malwarebytes\MBAMService\config\AppControlConfig.json" and inspect if the file path rule is visible. On our endpoint, we can see that the advanced file path block rule has been applied.
- If the rule is not visible, send the Actions > Check for Protection Updates command via OneView to force the endpoint to check in.
- Test the rule by launching the ChromeSetup.exe file from Downloads. Attempting to launch the ChromeSetup.exe file should correctly block the exe.
- Next, try creating a subfolder in the Downloads folder with the same ChromeSetup.exe file inside. The exe is not blocked in this scenario because the Application Block rule only specified the root of the Downloads folder, not subfolders under Downloads.
- To block the file in all Downloads subfolders:
- Edit the rule.
- Click the + icon.
- Include file path C:\users\*\downloads\*\chrome*.exe.
Block by Common Name Certificate property
In this next example, we are blocking the Chrome file by using a more aggressive method, the Certificate Property by Common Name. This block method blocks any file on the endpoint that matches the specified Certificate Property Common Name, regardless of the file location. Since this is an aggressive rule, be sure to test on a single endpoint prior to deploying globally.
- In OneView, navigate to Monitor > Application Block > Rules.
- Retrieve the certificate information. For more information, see Get file information for Application Block rules in OneView.
- Add a block rule using the Certificate property rule type and Common name field name.
- Save the rule in OneView and test the advanced rule. We can see that files signed by Google LLC, regardless of their directory, are blocked from running.
Exclusion overriding block rule
When setting an Application Block rule by Category, admins can choose a whole category and exclude specific apps from it. These excluded apps won't be blocked on endpoints. If multiple rules apply, exclusions always override block rules, whether the rules are global or policy-specific.
If you need to remove an exclusion but can't recall which rule it's in:
- Go to Monitor > Application Block.
- Click Rules.
- Click the number in the Exclusions column to see the excluded applications..
- If the column is missing, click Add / Remove columns in the top-right and add it.
- If the column is missing, click Add / Remove columns in the top-right and add it.
- A pop-up displays which applications are excluded from the rule.
- Once you find the exclusion to remove, click its rule name to edit.
- Select the checkbox to start blocking the application.
- Repeat as needed with other Application Block rules.
Additional Notes
- Blocking Windows system exe and dll files is not supported. For example, cmd.exe and powershell.exe cannot be blocked.
- Msi files cannot be blocked.
- Files excluded from real-time protection are not blocked by Application Block.