Block an executable
Audit or block applications and executables directly on endpoints
Threatmatic can audit or block any application or executable running on enrolled endpoints — without requiring a separate endpoint detection tool. Blocking is policy-driven and takes effect in milliseconds.
Modes
| Mode | Behavior |
|---|---|
| Audit | Log the executable's activity without blocking it. Useful for baselining before enforcement. |
| Block | Prevent the executable from running or communicating on the network. |
| Allow | Explicitly permit an executable, overriding broader deny rules. |
Steps
Identify the executable
You can target an executable by:
- Application label — a named label you have created (recommended)
- SHA-256 hash — exact file match
- Publisher — all executables signed by a specific certificate
To view discovered executables, go to Devices → Applications.
Create a policy rule
- Go to Policies → New Policy
- Set the Type to Application Control
- Set the Scope to the device, tag, or group you want to target
- Add a rule:
  - Match: select your executable (by label, hash, or publisher)
  - Action: choose Audit, Block, or Allow
- Click Save and Apply
Always run in Audit mode first when targeting a new executable. Review the activity logs before switching to Block to avoid unintended disruption.
Verify enforcement
- Go to Devices → Applications
- Find the targeted executable
- Confirm its status shows Blocked or Audited
On the endpoint, blocked executables will fail to launch with a system-level denial. The event is logged in Devices → Activity.
Handle exceptions
To allow the executable on specific devices while blocking it elsewhere:
- Create an Allow rule scoped to the exception device or tag
- Ensure the Allow rule has a higher priority than the Block rule
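
An offline sanity check for the exception setup above, as an added example that is not Threatmatic code or its policy schema: it models rules as simple records and reports Allow exceptions that an equal- or higher-priority rule would override on a device they are meant to cover. The field names, the assumption that a larger number means higher priority, and the tie-breaking rule are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    match: str     # application label, SHA-256 hash, or publisher
    scope: str     # a device name or a tag (hypothetical flat model)
    action: str    # "Audit", "Block", or "Allow"
    priority: int  # assumption: larger number = higher priority

def applies(rule, exe, device, tags):
    """True when the rule targets this executable on this device or one of its tags."""
    return rule.match == exe and (rule.scope == device or rule.scope in tags)

def winner(rules, exe, device, tags):
    """Highest-priority matching rule; on a tie a non-Allow rule wins (assumption)."""
    hits = [r for r in rules if applies(r, exe, device, tags)]
    return max(hits, key=lambda r: (r.priority, r.action != "Allow"), default=None)

def ineffective_allows(rules, devices):
    """List (allow_rule, device, winning_rule) where an Allow exception matches but loses."""
    findings = []
    for rule in rules:
        if rule.action != "Allow":
            continue
        for device, tags in sorted(devices.items()):
            if applies(rule, rule.match, device, tags):
                top = winner(rules, rule.match, device, tags)
                if top.action != "Allow":
                    findings.append((rule.name, device, top.name))
    return findings

# Constructed sample inventory and rules, not taken from any real tenant.
DEVICES = {"ws-014": {"workstations"}, "build-01": {"workstations", "build-servers"}}
BLOCK = Rule("block-remote-tool", "remote-admin-tool", "workstations", "Block", 50)
MISORDERED = [BLOCK, Rule("allow-on-build", "remote-admin-tool", "build-servers", "Allow", 10)]
CORRECTED = [BLOCK, Rule("allow-on-build", "remote-admin-tool", "build-servers", "Allow", 100)]

if __name__ == "__main__":
    for label, rules in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(label, ineffective_allows(rules, DEVICES))
```

A non-empty result means the exception device would still be blocked, which is the situation the priority step is there to prevent.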