Add Blacklist (Application Control) rules

Blacklist rules define the applications and processes that are not allowed to run or spawn on a host. Blacklisted applications and processes are the undesired, harmful, or unknown applications and processes; running them on the host can compromise the host and the user's activities on it. You can run Blacklist rules in Monitor mode (Blacklisted applications and processes are allowed to run, but violations are reported) or in Enforce mode (Blacklisted applications and processes are blocked, killed, or not allowed to spawn).


Scope and controls

See the following table for the scope at which the Blacklist rules can be defined and the controls for the rules. 

Scope

  • Directory - all the applications and processes in the directory

  • Path - the absolute path of the application or process

  • File Name - a specific application or process

  • MD5s - specific MD5s of the applications or processes

  • Command lines - specific command lines from the applications

  • Exceptions - the directories and paths to which the rule is not applicable

Controls

  • Status - make the rule Active or Pause the rule and run the rule in the Monitor mode or Enforce mode (with alerts).

  • Behavior - for policy violations, inherit the policy mode from the Policy settings of the policy or set the policy mode at the level of the rule.

  • Policy settings - in the Policy settings of a policy, make the Blacklist setting Active and set to Monitor or Enforce mode. Pause the rules when you don't want to use them.
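The following toy evaluator is an added example that models the scope, exception, Status, Behavior and Policy-settings controls listed above; it is not Xprotect's own code, and the assumption that optional MD5 and command-line lists narrow a rule, and that any enforced hit wins over a monitored one, is ours.

```python
# Added toy evaluator for the Blacklist semantics described above; it is not
# Xprotect's own code, and the matching and narrowing rules are assumptions.
from dataclasses import dataclass, field
import posixpath

@dataclass
class BlacklistRule:
    scope_type: str                                   # "directory", "path", "filename" or "md5"
    scope_value: str
    md5s: set = field(default_factory=set)            # optional: only these hashes (assumed narrowing)
    command_lines: set = field(default_factory=set)   # optional: only these command lines (assumed)
    exceptions: list = field(default_factory=list)    # directories or paths the rule ignores
    status: str = "active"                            # "active" or "paused"
    behavior: str = None                              # "monitor", "enforce" or None = inherit policy

@dataclass
class PolicySettings:
    blacklist_active: bool = True                     # False = Blacklist paused at the policy level
    mode: str = "enforce"                             # "monitor" or "enforce"

def _under(path: str, directory: str) -> bool:
    """True if path is the directory itself or lives anywhere below it."""
    return path == directory or path.startswith(directory.rstrip("/") + "/")

def _matches(rule: BlacklistRule, path: str, md5: str, cmdline: str) -> bool:
    s, v = rule.scope_type, rule.scope_value
    in_scope = ((s == "directory" and _under(path, v)) or (s == "path" and path == v)
                or (s == "filename" and posixpath.basename(path) == v)
                or (s == "md5" and md5.lower() == v.lower()))
    narrowed = ((not rule.md5s or md5.lower() in {m.lower() for m in rule.md5s})
                and (not rule.command_lines or cmdline in rule.command_lines))
    excepted = any(_under(path, e) for e in rule.exceptions)   # rule does not apply here
    return in_scope and narrowed and not excepted

def evaluate(policy: PolicySettings, rules: list, path: str, md5: str, cmdline: str) -> str:
    """Return "allow", "monitor" (runs, but an alert is raised) or "block" for one launch."""
    if not policy.blacklist_active:
        return "allow"
    verdict = "allow"
    for rule in rules:
        if rule.status != "active" or not _matches(rule, path, md5, cmdline):
            continue
        if (rule.behavior or policy.mode) == "enforce":   # Behavior: own mode or inherited
            return "block"                            # any enforced hit wins
        verdict = "monitor"                           # monitored hit: report only
    return verdict
```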


Blacklist alerts

Alerts for Blacklist rule violations are reported in the Blacklist Alert category on the Alerts pages. Rule violations are detected when processes are run at the Blacklisted scopes set for the rules. Blacklist alerts can also be filtered by the specific reasons for the alerts (Alert Reason filter).


Before you begin

In an Xprotect policy (applies to both Host policy and User policy), Blacklist rules can co-exist with Whitelist, Rule Rings, and File Protect rules. For a policy containing multiple types of rules, the overall behavior of the policy depends on Xprotect's intelligent 'order of processing for multiple types of rules in a policy'.

For example, if you enforce a Blacklist rule at a scope that includes an enforced Whitelist rule at a lower scope, all the applications and processes in the Blacklist rule's scope are blocked/killed (including the previously Whitelisted application or process). 


Add Blacklist rules

When you enforce Blacklist rules, the applications and processes in the scope are blocked/killed. Enforcing Blacklist rules for top-level or lower-level scopes that are part of Whitelist rules supersedes the Whitelist rules. So, ensure that you consider the impact of the Blacklist rules before you make them Active and enforce them.

The following steps assume that you are adding Blacklist rules to an existing policy. You can also add Blacklist rules when you create a standalone Blacklist policy or when you create a new policy.

  1. Go to Policies and go to Host Policies or User Policies.

  2. Click the 3-dot menu of a policy and click View and Edit Policy.

  3. Click Application Control.

  4. Click Add Rule Stack to add a new rule stack or go to an existing rule stack and click Add Rule.

  5. Select the scope of the Blacklist rule (Directory, Path, File Name, or MD5) and enter the details.

  6. Select Blacklist.

  7. (Optional) Enter one or more MD5s and/or command lines that must be blacklisted.

  8. (Optional) Select the Directory or the Path to the exceptions for this rule. The rules do not apply to the exceptions.

  9. (Optional) Click the 3-dot menu of the rule and set the controls for the rule.

  10. Click Save.

    When you save a rule, the policy is saved automatically with the new rule.

  11. Add more rules.

  12. When you are ready to push the policy, push it to the hosts from the Policies page. See Push policies to hosts for more details.


Multiple MD5s and command lines in a rule

  • Add multiple MD5s to Blacklist multiple MD5s of an application or Blacklist MD5s of multiple applications located in a directory. 

  • Add multiple command lines to Blacklist commands run from an application or multiple applications located in a directory.


Rule violations

With Blacklist rules enforced on a host, if Blacklisted applications and processes try to run, you will see an 'access denied', 'insufficient privileges' or an equivalent message on the host.


Edit or move Blacklist rules

Blacklist rules can be edited or moved across stacks of the policy for better organization. When rules are edited or deleted, you must push the policy to the hosts. 

  • For a more focused view of rules, filter the rules by their attributes. Click the Filters icon, select the rule attributes and click Apply. Rule attributes include Rule Type, Status (Active and Paused), and Rule Behavior (Use Policy settings control, Monitor mode, and Enforce mode).

  • To push a policy after the rules are changed, click the Push Policy icon and push the policy to the hosts. 

  • To delete rules across the current policy and other policies in which the exact rule exists, click the 3-dot menu of the rule and click Delete Rule or Delete from Policies. When rules are deleted from multiple selected policies, click Immediately Push Policy Update to remove the rule from all relevant hosts.


Disable Blacklist rules

Blacklist rules can be disabled selectively (at the rule level) or at the policy level.

  • To disable all Blacklist rules in a policy, go to Policy Settings, pause Blacklist, click Save, and push the policy to the hosts.

  • To disable Blacklist rules selectively, you must locate the rules in your policy and Pause them. Save the policy and push it to the hosts. 

    Click the 3-dot menu of the policy, click View and Edit Policy, go to the rule, and set the Status of the rule to Paused.


Next steps

  • Change AutoTrust settings - AutoTrust can help you regulate application and process behavior for applications and processes that are not yet part of the rules in the policy. AutoTrust settings are set by the level of risk associated with the applications and processes. See AutoTrust settings for policies for more details.

  • Push the policy - all the changes you make to the Blacklist rules and Policy settings require that you push the policy again to the hosts for the changes to take effect.

    Active policies that are edited and not yet pushed display an orange exclamation mark in the Status column on the Policies page. See Push policies to hosts for more details.

  • Verify Blacklist changes - Audit logs are generated when you add or delete Blacklist rules. Go to the Audit Logs page and filter the page by the relevant Audit Actions. See Audit logs for more details.
