Endpoint Application Control can block applications before or after execution. To specify the blocking method, configure the policy settings.
See Configuring Blocking Methods.
Blocking methods affect application execution differently and have different benefits. Use the following tables to decide which blocking method is appropriate for your use cases:

| Blocking Method | Action | Description |
|---|---|---|
| Kernel-level blocking (sometimes also known as driver-level blocking) | Block applications before execution | Kernel-level blocking prevents applications from starting by blocking file access. This provides greater security, but may unexpectedly block or momentarily delay access to certain files needed by allowed applications. This feature is only supported on policies set to first match “User and Group” criteria (excluding the “SYSTEM” account). |
| User-level blocking | Block applications after execution | User-level blocking allows applications to start and then stops them at the task level. This method may be unable to stop certain applications after they start, and it does not support the Trusted Source feature or the blocking of link libraries (DLLs) and Java interpreter applications. |

| Benefit | Kernel-Level Blocking | User-Level Blocking |
|---|---|---|
| Prevents applications from starting before being evaluated | Yes | |
| Blocks already-running applications | Yes | |
| Compatible with all rule types | Yes | Yes |
| Blocks Windows Store applications | Yes | Yes |
| Blocks DLLs | Yes | |
| Allows Trusted Sources | Yes | |
| Preferred for timing-critical deployments, such as servers, trading systems, and manufacturing systems | Yes | |