Introducing ThreatDown Application Block: How to block unauthorized software from executing on Windows endpoints

Malwarebytes is excited to announce Application Block, a new module for Nebula and OneView for MSPs which helps organizations easily thwart unwanted applications from launching on Windows endpoints.

For as many applications out there that help you keep business running as usual, there are just as many that can spell big trouble for your network security. Threat actors can embed malicious code in seemingly legitimate applications, which end users then innocently execute on their Windows endpoints. (And the bad guys are in).

Or threat actors can find an application on your network with a known vulnerability for which no patch has been developed. (And again, they’re in.)

Application threats also don’t just stop at hoodie-wearing hackers: organizations also just might not want employees using unproductive or unapproved applications and the security risks that follow.

All of this is to say that having the ability to blocklist certain applications from running is a key part of an effective layered defense. We released Application Block for Nebula to make it easy for under-resourced orgs to meet this important security requirement.

Let’s dive in to see how it works!


  • Log and monitor blocked application activity on endpoints.
  • Block device access to specified software applications, though this does not include cloud applications.
  • Block list rules are created and applied to policies across the console or sites.
  • Dashboard and reporting for blocked applications.

For a technical overview of Application Block for Nebula, click here

For a technical overview of Application Block for OneView, click here

Enable Blocking

When setting or modifying a policy in the Nebula console, go to the Software management tab at the bottom.

There you’ll find the Application block option for Windows. Let’s go ahead and check it and then save this policy.

Block Rule Creation/Management

Heading over to the Monitor tab, we’ll find Application block near the bottom of the drop-down menu. Let’s click into that.

We’re taken to an activity log dashboard of blocked applications. Find the Rules tab near the top and click “New”.

Rules in Application Block for Nebula define which software applications and executables are blocked across your endpoints. We can apply this rule globally or to specific policies only. Basic application block rules select the Application or Vendor name to block the service. Advanced rules are available to use file information to block the service including Certificate property, File path, File property, and Hash value.

For example, we can create a rule that blocks VPNs and torrent applications from being downloaded on a group of endpoints.

Let’s save this rule and head back over to our activity log!

Application Block Activity Log

The Activity Log tab displays blocked applications across all your managed endpoints. Blocked records are retained for approximately 90 days.

View the following information for each endpoint’s activity record, including agent version, application data, and time blocked!

For auditing or external reporting purposes, you can even download DNS activity information to your local machine by selecting all or checking specific boxes for the rows you want to export and clicking Export.

Blocked Applications dashboard widget showing activity over the last 30 days

We can get a full and quick picture of our endpoint data by heading over to the Nebula Dashboard. Here we can add, remove, and rearrange widgets—including one for Application Block—that give us insight into endpoints and detections in our environment.

Plugging the holes in your Windows endpoint security

Application Block is just the latest addition to our ever-expanding collection of security modules for Nebula, which include Vulnerability and Patch Management and DNS Filtering.

From within Nebula—our user-friendly console that you already use for endpoint protection and remediation—you can activate Application Block and immediately start blocking at-risk Windows applications. 

Have a burning question or want to learn more about Application Block? Get a quote below.