Blocklist
The blocklist allows you to prevent specified applications from running on hosts, extending the list of processes that Elastic Defend considers malicious. This helps ensure that known malicious processes aren’t accidentally executed by end users.
The blocklist is not intended to broadly block benign applications for non-security reasons; only use it to block potentially harmful applications. To compare the blocklist with other endpoint artifacts, refer to Optimize Elastic Defend.
Requirements
- In addition to configuring specific entries on the Blocklist page, you must also ensure that the blocklist is enabled on the Elastic Defend integration policy in the Malware protection settings. This setting is enabled by default.
- You must have the appropriate user role to use this feature.
By default, a blocklist entry is recognized globally across all hosts running Elastic Defend. You can also assign a blocklist entry to specific Elastic Defend integration policies, which blocks the process only on hosts assigned to that policy.
- Find Blocklist in the navigation menu or use the global search field.
- Click Add blocklist entry. The Add blocklist flyout appears.
- Fill in these fields in the Details section:
  - Name: Enter a name to identify the application in the blocklist.
  - Description: Enter a description to provide more information on the blocklist entry (optional).
- In the Conditions section, enter the following information about the application you want to block:
  - Select operating system: Select the appropriate operating system from the drop-down.
  - Field: Select a field to identify the application being blocked:
    - Hash: The MD5, SHA-1, or SHA-256 hash value of the application’s executable.
    - Path: The full file path of the application’s executable.
    - Signature: (Windows only) The name of the application’s digital signer. To find the signer’s name for an application, go to Discover and query the process name of the application’s executable (for example, `process.name : "mctray.exe"` for a McAfee security binary). Then, search the results for the `process.code_signature.subject_name` field, which contains the signer’s name (for example, `McAfee, Inc.`).
  - Operator: For hash and path conditions, the operator is `is one of` and can’t be modified. For signature conditions, choose `is one of` to enter multiple values or `is` for one value.
  - Value: Enter the hash value, file path, or signer name. To enter multiple values (such as a list of known malicious hash values), you can enter each value individually or paste a comma-delimited list, then press Return. Hash values must be valid to add them to the blocklist.
- Select an option in the Assignment section to assign the blocklist entry to a specific integration policy:
  - Global: Assign the blocklist entry to all Elastic Defend integration policies.
  - Per Policy: Assign the blocklist entry to one or more specific Elastic Defend integration policies. Select each policy where you want the blocklist entry to apply. You can also select the Per Policy option without immediately assigning a policy to the blocklist entry. For example, you could do this to create and review your blocklist configurations before putting them into action with a policy.
- Click Add blocklist. The new entry is added to the Blocklist page.
- When you’re done adding entries to the blocklist, ensure that the blocklist is enabled for the Elastic Defend integration policies that you just assigned:
  - Go to the Policies page, then click on an integration policy.
  - On the Policy settings tab, ensure that the Malware protections and Blocklist toggles are switched on. Both settings are enabled by default.
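The Value field rejects hash values that are not well formed, so it helps to check a pasted list before submitting it. The following script is an added example, not code from the Elastic documentation: it sorts a comma-delimited list into MD5, SHA-1 and SHA-256 digests, reports the entries that would be rejected, and computes the three digests for a file's bytes so they can be pasted as values. Treating "valid" as the right hex length is an assumption made here; the sample bytes are constructed.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Hex-digit lengths of the digest types the blocklist accepts (MD5, SHA-1, SHA-256).
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def classify_hash(value: str) -> Optional[str]:
    """Return the algorithm name for a well-formed hex digest, or None otherwise."""
    v = value.strip()
    if not HEX_RE.match(v):
        return None
    return HASH_LENGTHS.get(len(v))


def parse_hash_list(pasted: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Split a pasted comma-delimited list into lower-cased digests grouped by
    algorithm, dropping duplicates and collecting entries that would be rejected."""
    accepted: Dict[str, List[str]] = {"md5": [], "sha1": [], "sha256": []}
    rejected: List[str] = []
    for raw in pasted.split(","):
        item = raw.strip()
        if not item:          # tolerate trailing or doubled commas
            continue
        algo = classify_hash(item)
        if algo is None:
            rejected.append(item)
            continue
        digest = item.lower()
        if digest not in accepted[algo]:
            accepted[algo].append(digest)
    return accepted, rejected


def file_hashes(data: bytes) -> Dict[str, str]:
    """Compute the three digest types for an executable's bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


if __name__ == "__main__":
    # Constructed sample bytes standing in for an executable; not a real binary.
    hashes = file_hashes(b"constructed sample executable contents")
    pasted = ", ".join(hashes.values()) + ", not-a-hash, " + hashes["sha256"].upper()
    ok, bad = parse_hash_list(pasted)
    print(ok)
    print("rejected:", bad)
```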
View and manage the blocklist
The Blocklist page displays all the blocklist entries that have been added to the Elastic Security app. To refine the list, use the search bar to search by name, description, or field value.
Edit a blocklist entry
You can individually modify each blocklist entry. You can also change the policies that a blocklist entry is assigned to.
To edit a blocklist entry:
- Click the actions menu for the blocklist entry you want to edit, then select Edit blocklist.
- Modify details as needed.
- Click Save.
Delete a blocklist entry
You can delete a blocklist entry, which removes it entirely from all Elastic Defend policies. This allows end users to access the application that was previously blocked.
To delete a blocklist entry:
- Click the actions menu for the blocklist entry you want to delete, then select Delete blocklist.
- On the dialog that opens, verify that you are removing the correct blocklist entry, then click Delete. A confirmation message displays.