Prevent File Execution with Application Control

Application Control is an optional feature on Windows machines that allows you to block the execution of specifically marked malicious files on any endpoint on which Application Control is enabled. When remediating MalOps, you have the option to prevent associated malicious files from running on the machines on which they were found using Application Control.

Application Control is supported on specific Windows operating systems (see Endpoint machine prevention features for a list).

How Application Control works

When you enable Application Control and you mark an item for prevention, Application Control prevents executables or modules (.exe and .dll files) from executing, based on their MD5 or SHA-1/SHA-256 file hash.

Specifically, the Cybereason platform performs the following actions:

  • All machines on which the item already exists immediately prevent the item from executing.

  • The Cybereason platform sends the hashes for the marked item to all the endpoints in the organization on which Application Control is enabled.


    Application Control is not supported on endpoints with Cluster Shared Volume (CSV).

  • The Cybereason platform adds every hash marked for prevention to the blocklist.

  • The Cybereason platform generates an Endpoint Protection MalOp of type App Control when the hash is prevented in the future.


Be careful not to mark critical applications such as cmd.exe, explorer.exe, and PowerShell for prevention. If you do choose to prevent critical applications, note that legitimate processes may be prevented as well.

Enable Application Control

You enable Application Control through Sensor Policies or by using installation parameters.


Installation parameter settings override policy settings for that sensor.

Enable in a sensor policy (recommended):

In a sensor policy, in the App Control screen, enable Application Control.

Set App Control

Enable in installation parameters:

When you install a sensor, you can enable or disable Application Control with the AP_APP_CTRL command line parameter as follows:




Enable Application Control


Disable Application Control. (Default)

Mark files for prevention

Analysts can mark executables or modules for prevention using one or more of the following methods:


How to prevent

Malops management screen

  1. On the left of the Malops management screen, above the MalOp results, click Respond.

  2. Select ‘Malop is malicious - Remediate’.

  3. Select ‘Prevent execution’ and click Respond.

Malop details screen

  1. In the top right of the Malop details screen, click Respond.

  2. Select the Prevention checkbox and click Apply.

Investigation screen

  1. In the Element details screen, click Prevention.

  2. Click Prevent.

Reputation screen

Add a new reputation using the Add option or update the CSV file containing reputation information.

To stop prevention later, use the Investigation screen to locate the item you prevented. From the item’s Element Details pane, click the Prevention button and select Stop preventing.

View prevention details

You can run queries or filter to find specific items on which Application Prevention was applied.

In the details for the prevented items, the items that you want to prevent have a Marked for prevention designation. The next time a file that has that hash tries to execute, the Cybereason platform will prevent the file from executing.

Also, you can see how many items that are related to this file hash have already attempted to execute and were blocked. This appears under the label Prevented successfully.

Information about the items that were prevented from execution is available in the following Cybereason UI screens:

  • Reputation screen

  • Investigation screen

In addition, you can use the Export to CSV action from the System > Sensors screen to download a CSV file that lists the endpoints in your organization. When you download the list of sensors in your organization, view the status of Application Control on the machines.