The Block Exe From %AppData% policy is a very powerful anti-malware protection measure, but when applied improperly it can be disruptive to an environment.  This paper describes the different implementation options, their advantages and disadvantages, and the available deployment options.


The two primary options available on this monitor are 'Include %LocalAppData%' and 'Block All Executable Types'.


Include %LocalAppData%


As the name implies, selecting this option includes the remote user's %LocalAppData% directory in the block in addition to the default %AppData% directory.  This option is highly recommended.


Block All Executable Types


The default behavior of this policy blocks only .exe files from running.  Enabling this option extends the blocked filetypes from one to thirty (see the list at the end of this paper).  Enabling this option also changes the rules for the assigned exceptions.


Exceptions


When 'Block All Executable Types' is not checked, Third Wall blocks *.exe from running from the target folder(s).  Microsoft does not allow wildcards to be used in both the block rule and the exception.  This means every exception must include the full path and name of the file to be permitted (e.g. %appdata%\Zoom\ZoomDownload\Installer.exe).


When 'Block All Executable Types' is checked, Third Wall blocks the %AppData% folder itself.  Because this block does not use a wildcard, wildcards are allowed in the exceptions, which provides more exception options.


Wildcard Examples


One of the first things you'll notice when 'Block All Executable Types' is enabled is that none of the target computers will be able to use shortcuts any more, because .lnk files are included in the block.  To fix this, use the Client Screen to add a manual exception of *.lnk.


ConnectWise Control users will quickly find that a critical component of Control, SC.exe, resides in a completely randomly generated folder, so no exception can be made for it unless 'Block All Executable Types' is selected.  When it is, a manual exception of SC.exe may be applied.  This permits SC.exe to execute regardless of the folder it is in.


This screenshot shows both of these exceptions assigned to a Client.  The examples are on the bottom of the screen:
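To make the two exception regimes concrete, here is an added Python model (not Third Wall's code and not the Windows Software Restriction Policy engine itself) of how the block and exception rules described in the Exceptions and Wildcard Examples sections interact.  It uses the filetype list from the end of this paper, assumes constructed profile paths for a user "alice", and approximates the exception match with simple shell-style wildcards.

```python
import fnmatch
import ntpath
import re

# Constructed sample profile paths; not taken from any real machine.
ENV = {"APPDATA": r"C:\Users\alice\AppData\Roaming",
       "LOCALAPPDATA": r"C:\Users\alice\AppData\Local"}

# Extensions covered when 'Block All Executable Types' is on (the list from this paper).
ALL_TYPES = {".ade", ".adp", ".bas", ".bat", ".chm", ".cmd", ".com", ".cpl", ".crt",
             ".exe", ".hlp", ".hta", ".inf", ".ins", ".isp", ".lnk", ".mdb", ".mde",
             ".msc", ".msi", ".msp", ".mst", ".ocx", ".pcd", ".pif", ".reg", ".scr",
             ".shs", ".url", ".vb", ".wsc"}

def expand(path):
    """Expand %VAR% tokens (case-insensitively) from ENV and normalise case."""
    return re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1).upper(), m.group(0)), path).lower()

def build_policy(all_types, include_local, exceptions):
    """Model the policy's two options plus the administrator's exception list."""
    folders = ["%APPDATA%"] + (["%LOCALAPPDATA%"] if include_local else [])
    return {"all_types": all_types,
            "folders": [expand(f) for f in folders],
            "exceptions": [expand(e) for e in exceptions]}

def is_blocked(policy, path):
    """True if the modelled policy would stop `path` from executing."""
    p = expand(path)
    ext = ntpath.splitext(p)[1]
    if not any(p.startswith(folder + "\\") for folder in policy["folders"]):
        return False                      # outside the protected folders
    if policy["all_types"]:
        if ext not in ALL_TYPES:
            return False                  # e.g. a .txt file is never blocked
    elif ext != ".exe":
        return False                      # default mode blocks only *.exe
    for exc in policy["exceptions"]:
        if policy["all_types"]:
            # The block rule is the bare folder, so exceptions may carry wildcards;
            # a bare file pattern (e.g. SC.exe, *.lnk) matches in any sub-folder.
            target = p if "\\" in exc else ntpath.basename(p)
            if fnmatch.fnmatchcase(target, exc):
                return False
        elif p == exc:
            return False                  # *.exe block: full explicit path only
    return True
```

Run it with the Zoom installer exception from above and then move the installer to a different sub-folder to see the explicit exception stop matching under the default mode.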


Summary


Choosing not to 'Block All Executable Types' results in far fewer files being blocked, so there is less chance of blocking a legitimate application.  However, this option requires that every assigned exception be explicit: the full path and file name must be specified.  If an application changes its folder structure on update, the exception will break and the application will be blocked.


Using 'Block All Executable Types' blocks much more than just executable files, so the likelihood of blocking a desired file is much higher.  However, this option allows a far more flexible exception system, so once a desired file is detected it is much easier to grant the user access to that file, regardless of potential directory changes.


As 'Block All Executable Types' provides better protection and allows more flexible exception delivery, this option is strongly recommended when using this policy.


List of Filetypes Blocked


The following filetypes will be blocked from %AppData% when 'Block All Executable Types' is selected.  These types have been chosen by Microsoft and cannot be altered:


.ADE
.ADP
.BAS
.BAT
.CHM
.CMD
.COM
.CPL
.CRT
.EXE
.HLP
.HTA
.INF
.INS
.ISP
.LNK
.MDB
.MDE
.MSC
.MSI
.MSP
.MST
.OCX
.PCD
.PIF
.REG
.SCR
.SHS
.URL
.VB
.WSC