Malwarebytes continues to add value to its ThreatDown Bundles with the inclusion of Application Block as free for all ThreatDown Nebula accounts (excluding Mobile only accounts). Users don’t need to activate this new feature: the policy has been enabled in their account by default.
For as many applications out there that help you keep business running as usual, there are just as many that can spell big trouble for your network security. Threat actors can embed malicious code in seemingly legitimate applications, which end users then innocently execute on their Windows endpoints. (And the bad guys are in).
Or threat actors can find an application on your network with a known vulnerability for which no patch has been developed. (And again, they’re in.)
Application threats also don’t just stop at cybercriminal gangs: organizations also just might not want employees using unproductive or unapproved applications and the security risks that follow.
All of this is to say that having the ability to blocklist certain applications from running is a key part of an effective layered defense. Malwarebytes is adding Application Block for free in all ThreatDown Bundles to make it easier for under-resourced orgs to meet this important security requirement.
Let’s dive in to see how it works!
Features
- Log and monitor blocked application activity on endpoints.
- Block device access to specified software applications, though this does not include cloud applications.
- Block list rules are created and applied to policies across the console or sites.
- Dashboard and reporting for blocked applications.
For a technical overview of Application Block for Nebula, click here: https://service.malwarebytes.com/hc/en-us/sections/10604417341587-Application-Block
Enable Blocking
When setting or modifying a policy in the Nebula console, go to the Software management tab at the bottom.
There you’ll find the Application block option for Windows. Let’s go ahead and check it and then save this policy.
Block Rule Creation/Management
Heading over to the Monitor tab, we’ll find Application Block near the bottom of the drop-down menu. Let’s click into that.
We’re taken to an activity log dashboard of blocked applications. Find the Rules tab near the top and click “New rule”.
Rules in Application Block for Nebula define which software applications and executables are blocked across your endpoints. We can apply this rule globally or to specific policies only.
Basic application block rules select the Application or Vendor name to block the service. Advanced rules are available to use file information to block the service including Certificate property, File path, File property, and Hash value.
Let’s save this rule and head back over to our activity log!
Application Block Activity Log
The Activity Log tab displays blocked applications across all your managed endpoints. Blocked records are retained for approximately 90 days.
View the following information for each endpoint’s activity record, including agent version, application data, and time blocked!
For auditing or external reporting purposes, you can even download Application Block activity information to your local machine by selecting all or checking specific boxes for the rows you want to export and clicking Export.
Blocked Applications dashboard widget showing activity over the last 30 days
We can get a full and quick picture of our endpoint data by heading over to the Nebula Dashboard. Here we can add, remove, and rearrange widgets—including one for Application Block—that give us insight into what applications were blocked and their frequency.
Plugging the holes in your Windows endpoint security
Together with free Vulnerability Assessment, which effectively identifies and prioritizes critical security vulnerabilities, Application Block enhances overall security protection by preventing unauthorized software usage, offering a comprehensive security solution at no additional cost in all ThreatDown Bundles.
