Restriction Rules

A
restriction rule
limits the surface of an attack on a Windows endpoint by defining where and how your users can run executable files. The following table displays the different types of restrictions you can configure:
Restriction Rules
Description
Running executable files from certain folders
Many attack scenarios are based on writing malicious executable files to certain folders and then running them. For example the local temp and download folders are commonly used to store and later run malicious executable files. To make an exception to this general restriction, you can add specific folders to a whitelist. For more information, see Manage Global Whitelists, Block Execution from Local and Network Folders, and Whitelist a Network Folder.
Running executable files from external media
Malicious code can gain access to endpoints via external media such as removable drives and optical drives. To protect against this, you can define restrictions that control the executable files, if any, that users can launch from external drives attached to the endpoints in your network. For more information, see Define External Media Restrictions.
Processes spawning child processes
Child Process Restriction rules have been deprecated and are superseded by the Child Process Protection malware protection module (MPM). To block malicious child processes run from parent processes, Configure Child Process Protection.
Java processes run from browsers
Java Restriction rules have been deprecated.

Recommended For You