Blocking file execution based on nameand\or BIOC\IOC

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Blocking file execution based on nameand\or BIOC\IOC

L2 Linker

Hi all, I was wondering - can i block execution of files based on bioc\ioc and or file name? 

As in, not just raise an alert(which i already have) but also actively block the file execution


Hi @Daniel_Itenberg 


If you are simply looking to block file execution based on file criteria (E.g Hash), then you could utilize the Global Block List within the Action Center.  If you are looking for more granularity on the your block list use-case, then you are add a file or folder directly to a Restriction Profile and add the profile to a policy and assign the updated policy to your targeted endpoints. You will need to ensure the targeted endpoints are online and connected with the XDR console in order to receive the policy update.


FYI... Configure a Custom Prevention Rule Insight , there are additional criteria that has to be met in order for the user-define rule to be applied as a custom prevention rule. If you want more context on what EDR data is collected from your testing efforts, then you can navigate to the Endpoint Administration, and right-click on "Endpoint Name" from your connected test endpoint, and select "Open in Quick Launcher", then select "Search all events on <endpoint name>". This will open an XQL query, and you utilize the magnifying glass icon to search for your desired event details. This workflow will provide you with additional context on the associated field that may be used for additional query related use-cases. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!