You can create or edit a blocking and isolation rule to deny or terminate processes and applications.


  1. On the left navigation pane, click Enforce > Policies.
  2. Select a policy.
  3. Click the Prevention tab and expand Blocking and Isolation.
  4. Click Add application path, or click the Edit icon next to an existing rule to edit it.
    When adding a path, use wildcards to specify files or directories. For an explanation of how wildcards work in policy paths, see Prevention Policy Settings. You can add multiple paths. Each path must start on a new line. Do not separate paths with commas. You can delete a rule by clicking the Trash can icon . You cannot delete built-in rules such as Known malware or Suspected malware.
  5. Select the Deny operation or Terminate process attributes.
    Figure 1. Blocking and Isolation Attribute Options
    The blocking and isolation attribute options displaying the deny operation checkbox and the terminate process checkbox
    Note: If you set the action to Terminate process, you cannot concurrently deny the operation.
  6. Test a new rule's settings before applying it in your environment. Click Test rule for any setting. The system checks to see how the rule would have affected your organization over the last 30 days. You can use this data to confirm or modify your settings.
  7. To apply the changes, click Confirm and then click Save.