About Blocking Methods

Endpoint Application Control can block applications before or after execution. To specify the blocking method, configure the policy settings.

See Configuring Blocking Methods.

Blocking methods affect application execution differently and have different benefits. Use the following tables to decide which blocking method is appropriate for your use cases:

Table 1. Blocking Methods

| Blocking Method | Action | Description |
| --- | --- | --- |
| Kernel-level blocking. This method is sometimes also known as driver-level blocking. | Block applications before execution | Kernel-level blocking prevents applications from starting by blocking file access. This provides greater security, but may unexpectedly block or momentarily delay access to certain files needed by allowed applications. See About Kernel-Level Blocking. |
| User-level blocking | Block applications after execution | User-level blocking allows applications to start and then stops them at the task level. This may be unable to stop certain applications after they start and is less feature-rich than kernel-level blocking. User-level blocking is unable to block link libraries (DLLs) and is unable to support the Trusted Source feature. See About User-Level Blocking. |

Table 2. Blocking Method Benefits

| Benefit | Kernel-Level Blocking | User-Level Blocking |
| --- | --- | --- |
| Prevents applications from starting before being evaluated | Yes | |
| Blocks already-running applications | | Yes |
| Compatible with all rule types | Yes | Yes |
| Blocks Windows Store applications | Yes | Yes |
| Blocks DLLs | Yes | |
| Allows Trusted Sources | Yes | |
| Preferred for timing-critical deployments, such as servers, trading systems, and manufacturing systems | | Yes |