About Kernel-Level Blocking

To block applications before execution, apply kernel-level blocking.

Kernel-level blocking prevents applications from starting by blocking file access. This provides greater security, but may unexpectedly block or momentarily delay access to certain files needed by allowed applications. This feature is only supported on policies set to first match “User and Group” criteria (excluding the “SYSTEM” account).

After Endpoint Application Control blocks or delays an application start using the kernel-level method, related notifications for the event may be displayed to the end-user.

  1. Windows may display the following notification to end-users:

    Figure 1. Windows Block Notification

    Endpoint Application Control is unable to hide this notification. If endpoint users may be confused by notifications and related requests for interaction, you can avoid this notification by applying user-level blocking instead. Consider the known limitations of user-level blocking before making this change.

  2. Endpoint Application Control may display the following notification to end-users:

    Figure 2. Endpoint Application Control Block Notification Example

    To hide this notification, go to the Add or Edit Policy screen, expand User experience, and then clear the Display notification popups check box.

    See Add or Edit Policy Screen and Policy User Experience.