Blocking the execution of files on a host in accordance with defined application policy rules.Synonyms: Executable Blacklisting .
How it works
A policy-enforcing application can register an application for denylisting based on conditions including the following:
- File attributes
- file name
- file path
- file hash
- file publisher, as obtained from the digital signature
- permissions of the file
- File malware scan (eg. Windows SmartScreen)
- User-File combination
This may be done to prevent execution of applications which are:
- an old version with known vulnerabilities
- without a valid license, which could cause legal issues
- in a directory that is accessible to low-privileged users, that could be accessed by a malware dropper
- known trojan horse programs
- too open in their permissions, possibly set to run as a user other than the originator or allowing execution when they should not be
- a match to the hash of other known malware
- are detected as undesirable based on a file scan runtime behavior
System administrators will customize the rules for the given environment.
The policy-enforcing program may work by running in kernel mode, and [intercepting] [system calls which execute a process].
- If denylisting is done by filename, filepath, or hash, these mechanisms may be a worthy first line of defense and detection, but could still be evaded by an attacker.
- Continuous management is needed to keep the denylist up to date, whether it is based on hash, publisher, behavior, or any other digital artifact.
- Although denylists based on attributes such as file path and virus scan could defend against some threats which they have not been explicitly coded to block, denylists may not provide protection from new, unknown, or zero day attacks.
On a Windows machine the Windows Defender Application Control (WDAC) policy enforcement is run in the kernel and allows for restricting applications.
The following references were used to develop the Executable Denylisting knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)