Global Block List / Global Blacklist to easily block a trusted application

Please could I request this be added to the roadmap for a future platform update?

Thanks

2 Likes

@Umut @ilgaz, let me know what you think.

To be ISO 27001 compliant, this has to happen.
We need a way to easily block applications.

3 Likes

Hi @nct, could you please describe exactly how you would like to see this in the UI? Even some screenshots would be great. I am asking this in order to have full understanding and alignment with you so that we can deliver exactly what you want.

Thanks in advance.

Hi @ilgaz

In the same locations your templates have the global whitelist, add another rule by default for the blocklist.

Thank you very much, clearly understood. Just to confirm, something like below:


and then respective block rules predefined in AV, firewall, HIPS, Containment sections.

Can you confirm?

@ilgaz, that’s right, although I don’t think there is currently a way to add a block rule to AV?

AV already blocks (and quarantines) anything that is marked as malicious. However, by adding a Containment Block (and Quarantine if selected) rule, you can easily set up such a rule and use a file group variable of your choice in it.



1 Like

Of course, I forgot about the ‘quarantine program’ option.

I have a +1 for this request - I want to be able to block certificates as a means of blocking a publisher. We have a specific tool that we want to keep blocked, but they rebuild it frequently to evade labeling, changing the hash values, etc., which removes any hash-specific rules or exceptions. Any way we can just “block” an entire signer/certificate? Anything signed with that cert?

1 Like

Hi @BeeHiveCyberSecurity, does the installation folder change as well? If not, you can block everything that is under a specific folder as well.

Some of these tools are not designed to generate installation folders, or are not installables, just runnables, per se.

Persistence or presence of a file path or hash cannot be relied on.

Also, would this not… be susceptible to the whole “folder switcheroo” trick?

I was thinking that there should be a dedicated way to block an app inside the profiles, where you would just add applications you don’t want running on company computers, e.g. 7zip, notepad++, firefox, etc.

2 Likes