Block Application Policy Group
1 min
in this policy group, the policy should be set to block there is no second step for selecting subprocess behavior, as the main process is already blocked once commands or applications are added to this policy group, they will be restricted accordingly when a policy is applied, the enforcement is not limited strictly to the command string entered by the user instead, the policy engine validates both the command itself and its associated image path to illustrate this with an example if you define a policy for the mkdir command 1 command execution if the user simply runs mkdir, the policy is triggered 2 absolute path execution if the user runs the command using its full binary location, such as /usr/bin/mkdir, the policy is also triggered this ensures that a user cannot bypass security restrictions or approval workflows by simply calling the absolute path of a binary instead of the alias or short command the agent resolves the executable's path to ensure that regardless of how the command is invoked, the managerial approval or elevation rules are consistently enforced key technical points · path canonicalization the system identifies the underlying binary (the image path) to prevent evasion · consistency this approach ensures that whether the command is in the system's $path or called directly from a specific directory, the policy remains active · security it prevents "shadowing" or bypassing policies through different invocation methods