How To Block EXE Files In Group Policy (& Other Methods!)

In today’s digital landscape, safeguarding your organization’s network from unauthorized applications is paramount. One effective strategy is blocking executable (.exe) files using application blocking software or an Active Directory Group Policy. 

This tutorial will provide step-by-step guides that will teach you how to block executable files in Windows using various methods. Implementing one of these measures will reduce the risk of unauthorized software installations and usage, further protecting your network as part of a broader cyber risk mitigation strategy.

What Is An Executable File?

An executable file, also referred to as an executable program or simply an executable, is a type of computer file that contains instructions that your computer can directly understand and carry out. 

In simpler terms, think of an executable file as a recipe with clear instructions. Your computer (the chef) can follow these instructions (the code) to perform a specific task (cook a meal).

Here are some key points about executable files:

• They are often identified by specific file extensions, such as “.exe” on Windows systems or “.app” on macOS. However, the extension can vary depending on the operating system.
• Executable files are essential for running programs on your computer. When you double-click on an icon to open a program, you are essentially running the program’s executable file.
• While executable files are necessary, it’s important to be cautious. Some malware can disguise itself as an executable file. It’s recommended to only run executables from trusted sources.

Examples of Windows Executable File Types

On Windows, several file extensions denote executable files. 

Common file extensions for executable files are:

• .exe (Executable): This is the most common extension for executable programs on Windows. When you double-click a file with this extension, Windows tries to load and run the program.
• .bat (Batch File): Batch files are script files that contain a series of commands for the Windows command line interface (CMD). While technically not programs themselves, they can execute multiple commands in sequence, making them a type of executable script.
• .cmd (Command Script): Similar to .bat files, .cmd files are also executable scripts that can be run from the command prompt. There’s very little practical difference between .bat and .cmd extensions.
• .scr (Screensaver): This extension identifies screensaver files that can be executed to activate a screensaver on your computer.
• .msi (Microsoft Installer): These files are used to install applications on Windows. For complex software deployments, especially in enterprise environments, .msi is preferred due to its control and reliability. If you see a program offered in both formats, the .msi is usually the better choice.

How Is An Executable File Different From A Data File?

The key difference between an executable file and a data file lies in what they tell the computer to do:

• Executable File: Contains a set of instructions, like a recipe, that the computer’s processor can directly understand and execute (carry out) to perform a specific task. These instructions are typically written in a language the computer understands, often called machine code or assembly language.
• Data File: Stores information or data that needs to be interpreted by a program before it can be used. This data can be anything from text documents and images to music and spreadsheets. Data files themselves don’t provide instructions on what to do with the information they contain.

Some additional points:

• File Extensions: Executable files often have specific extensions that signal to the operating system they contain instructions. Common examples include .exe (Windows), .app (macOS), or .sh (Linux scripts). However, data files have many extensions depending on the data type (e.g., .txt for text, .jpg for images).
• Opening Files: Executable files can be directly run by the operating system, while data files require a specific program to open and interpret them. For instance, you can’t directly “run” a text file; you need a word processing program to open and read it.

Why Block EXE Files?

Block EXE Files to Improve Cybersecurity

Unauthorized EXE files are often blocked for security reasons. While EXEs are the most common way for programs to run on Windows, a downloaded executable file may contain harmful software known as malware (malicious software) designed to compromise computer systems for data exfiltration, ransomware, and other cyber attacks.

Preventing the downloading and/or executing of EXE files and other executables helps prevent end-users from accidentally running harmful programs that could steal information, damage computer systems, or spread to other devices. 

However, blocking all EXE files would prevent the installation of legitimate software. So, security teams use a combination of approaches to prevent unauthorized software installation while allowing for legitimate software to be deployed.

• Principle of least privilege: In business environments, it is best practice to enforce the principle of least privilege, where users are typically given the minimum permissions required to perform their tasks to prevent them from installing software programs. T
• Blocking EXE downloads for end-users: Security measures can be further enhanced by outright preventing the downloading of certain files to ensure that only authorized IT personnel install new software.
• Scanning files: Security software can be configured to analyze .exe files before they are run. This analysis might involve checking the file’s origin, reputation, signatures, and code for any red flags that might indicate malware. 

Improve Privacy by Preventing EXE Files From Connecting to the Internet

Some PC gamers may want to block their games from being able to connect to the internet. Blocking an app or a game can help you protect your privacy, eliminate unwanted advertising, or prevent children from playing online games.

Most apps and games you install in Windows have, by default, unrestricted access to the internet. However, you can control their internet access through the Windows Firewall. With it, you can block access to the internet for specific apps and games, on all types of network connections, or specific types of network connections. 

Blocking specific EXE files from connecting to the internet can be important for several reasons:

1. Privacy: Some applications may send data about your computer or internet usage to external servers without your knowledge. Blocking these connections helps protect your personal information.
2. Security: Preventing certain EXE files from accessing the internet can reduce the risk of malware or unauthorized software communicating with malicious servers.
3. Control Over Updates: Some programs automatically update themselves, which can sometimes cause issues or unwanted changes. Blocking internet access can prevent these automatic updates.
4. Preventing Ads and Unwanted Content: Some applications display ads or other unwanted content that can be blocked by cutting off their internet access.

Which EXE Files to Block

• Unauthorized cloud storage apps: With a web filter you can block access to cloud storage sites and block their associated EXE files, such as:
  • Google Drive: googledrivesync.exe
  • Dropbox: Dropbox.exe
  • OneDrive: OneDrive.exe
  • iCloud Drive: iCloudDrive.exe
  • Box: Box.exe
  • MEGA: MEGAsync.exe
  • pCloud: pCloud.exe
• Built-in Windows games apps: Proactively blocking games mitigates one of many temptations to get distracted from work
  • Microsoft Solitaire Collection: Solitaire.exe
  • Microsoft Minesweeper: Minesweeper.exe
  • Microsoft Mahjong: Mahjong.exe
  • Microsoft Sudoku: Sudoku.exe
  • Microsoft Jigsaw: Jigsaw.exe
• Apps with access to sensitive data/systems: To further enforce the principle of least privilege, you can proactively prevent specific users from launching apps that they do no have an explicit business need to access, such as CRM systems.

As part of your application control strategy, you should also have methods for monitoring application usage. This ensures you have visibility into any unblocked applications that you may want to add to your block list.

How to Find the Original Name of Specified Windows Applications

Many application blocking methods in this tutorial require the “original filename” of the EXE you would like to block.

The original filename for Windows apps refers to the internal name assigned during the application’s creation, not necessarily the one you see on your computer. Here’s a breakdown of why it’s important:

• Embedded Information: This name is stored within the executable file itself, often in a format called the Portable Executable (PE) header. Think of it like a hidden label.
• Renaming Doesn’t Change It: Even if you rename the application file on your disk, the original filename remains embedded within the program.
• Security Purposes: This embedded name can be helpful for security. For instance, malware might disguise itself as a legitimate program (like renaming itself to “calc.exe”). However, the original filename would still reveal its true identity. This can help security software identify and block suspicious programs.
• Application Identification: The application can also use the original filename to determine if it’s been renamed. This can be useful for certain functionalities within the program.

1. Manually Locate The Original Filename Of An Application

1. Right-click on the .exe file in Windows Explorer and select Properties.
2. Select the Details tab; you will find the Original Filename in the “Value” column next to the “Original filename” property
   
   The figure below gives an example of locating the Original Filename of Notepad. Not all Original File names have the .exe suffix extension. e.g. FreeCell has no extension so just enter “FreeCell”.

2. Find the Original Filename in BrowseReporter’s Software Usage Dashboard

BrowseReporter’s software utilization reports and dashboards give you insights into both desktop apps and SaaS tools.

• Track SaaS and software usage on Windows computers to detect the use of unsafe or unproductive programs.
• Use the Windows software usage reports to improve software usage tracking in the workplace and better manage software licenses
• Use the drilldown dashboard to find out the utilization rate of specific pieces of software

With BrowseReporter’s software usage reports, you can easily get the Original Filenames of previously used applications. This allows you to identify unwanted software usage and block the apps using BrowseControl.

BrowseReporter and BrowseControl operate from the same central web console, allowing you to manage all your devices from the convenience of a web browser.

How to Find Original Filenames Using BrowseReporter

1. Open BrowseReporter
2. Go to the applications activity dashboard
3. Scroll down to the Activity Log
4. Click on the Column Menu iconand check “Application process (.exe)” to display the Original Filename of all previously used apps

Methods for Blocking EXE Files

Block EXEs From Launching With BrowseControl Application Blacklisting Software

With BrowseControl’s application blocker, you can prevent .exe files from running on your computers. The blocker can also block Windows applications such as cloud storage services, games, etc.

Get Your Free Trial

To start, download the free trial, install the client on your users’ computers, select the user/PC groups you want to restrict, then add the unwanted program files to BrowseControl’s App Blocker.

1. CurrentWare.exe: CurrentWare server & console setup file—to be installed on a local computer, server, cloud virtual machine, etc

2. cwClientSetup.exe: CurrentWare client setup file—to be installed on the employee or student’s computer

The BrowseControl Windows application and website blocker are compatible with various Windows operating systems, including Windows Server, Windows 7, 8/8.1, 10, and 11.

Learn More: BrowseControl System Requirements

Add the Apps You Want to Block to the App Blocker

1. Open BrowseControl from the left-hand menu.
2. Click a folder of users or computers from the Groups list that you want to restrict
3. Click on the App Blocker option.
4. Enter the Original Filename of the certain apps to be blocked in the Application textbox. An optional description can also be entered.
5. Click the ADD button to add the Application to the list of apps that can be blocked
6. Select the applications you want to block from the Applications List on the left pane and move them to the right pane by clicking the Arrow button. They will now be blocked for the computers and users under the specific Group
7. Add an optional Warning Message that will be displayed in a popup when the user tries to launch the blocked app
8. Click “Apply to Clients” to block apps in the Blocked Application List for the selected group of computers or users

Block File Downloads/Uploads

With web filtering and download blocking software such as BrowseControl you can prevent the uploading and downloading of files, including executables such as .exe, archive file formats such as .zip, and any other file extension.

To further prevent the launching of unwanted applications, you can restrict USB device usage with a USB blocker such as AccessPatrol to prevent your end-users from launching executables from unauthorized portable storage devices.

Benefits of Blocking File Downloads

• Data Loss Prevention (DLP): Prevent employees from downloading confidential files and copying them to rogue USB devices.
• Cybersecurity: Protect your endpoints and network by preventing the downloading of malicious software
• Legal Liability: Prevent employees from using company resources to pirate copyrighted software
• Bandwidth Efficiency: Prevent the downloading of large files such as videos and music that cause a significant strain on bandwidth
• User Productivity: Prevent your users from downloading distracting video games and movies

Case Study
Shady Maple Takes Back Control
Over Employee Technology Use

Shady Maple found CurrentWare during a significant period of growth in their company. As their number of employees grew, Shady Maple knew that they needed an employee productivity solution that was scalable.

Their old ways of managing employee internet abuse—manually checking each employee’s computer individually and hoping that they didn’t clear out their web history—would no longer be sustainable.

Read our case study to learn how employee internet use monitoring and web filtering software transformed Shady Maple’s employee productivity management strategy.

Read the Case Study

How To Block a Program From Accessing the Internet With Windows Firewall

Note: The built-in firewall is named Windows Defender Firewall in Windows 10, and Windows Firewall in the older versions of Windows

Windows 10/11 Tutorial

1. Identify the file that you need to block in the Windows Defender Firewall (See: How to find the Original Filename); you will need the source path of the EXE as well for this method
2. Open Windows Defender Firewall With Advanced Security by typing  “wf.msc” in the search box and clicking the result with the same name.
3. In the Windows Defender Firewall with Advanced Security window, click Outbound Rules in the navigation panel on the left. Then, click or tap New Rule in the Actions panel on the right.
4. The New Outbound Rule Wizard guides you through the steps needed to create the outbound rule. First, choose the Rule Type. Select Program. Click or tap Next.
5. Press Browse and, in the Open window, go to the location of the executable file that you want to block, select it, and press Open. Then, click Next.
6. Select “Block the connection” and press Next.
7. On the Profile screen, you can define when the rule will be applied. To ensure internet access is blocked at all times, select all network locations and press Next.
8. Name your new rule, then press Finish

Important Notes:

• This process restricts the program from initiating outbound connections to the internet. It won’t necessarily prevent the program from functioning entirely, but it will limit its ability to communicate online.
• Windows Firewall might already have some default rules for common programs. To avoid conflicts, double-check existing rules before creating a new one.
• Blocking system programs can cause unintended consequences. Only block programs you’re confident you don’t need internet access for.
• For a more scalable option, you can configure Windows Firewall settings with a GPO. This allows you to implement the policy domain-wide rather than updating each PC manually. 

Windows 7 Tutorial

Blocking programs from internet access in Windows 7 with Windows Firewall differs slightly from the newer versions. Here’s how to do it:

1. Open Windows Firewall:
   • Click the Start menu and search for “firewall.”
   • Select “Windows Firewall” from the search results.
2. Choose Advanced Security (Optional):
   • For a more detailed view, click “Advanced settings” on the left side.
   • You can proceed with the following steps even without using advanced security.
3. Manage Outbound Rules:
   • In the left pane, select “Outbound Rules.”
4. Create a New Rule:
   • In the right pane, click on “New Rule…”
5. Select Rule Type:
   • Choose “Program” from the “Rule Type” options and click “Next.”
6. Specify Program Path:
   • Select “This program path” and click “Browse.”
   • Locate the executable file (“.exe”) of the program you want to block. (e.g. C:\Program Files\ProgramName\program.exe)
   • Click “Next” after selecting the correct path.
7. Block the Connection:
   • Choose “Block the connection” and click “Next.”
8. Define Connection Profiles:
   • Select the network profiles where you want this rule to apply (Domain, Private, Public) – typically all three for comprehensive blocking.
   • Click “Next.”
9. Name the Rule (Optional):
   • Provide a descriptive name for the rule (e.g., “Block ProgramName Internet Access”).
   • Click “Finish” to create the rule.

Conclusion

There is a toolbox of methods at your disposal to address unwanted executable files. Whether you are a business that needs application blocking software for a centralized approach, an SMB that is content with using Group Policies for domain-wide control, or a small shop using built-in Windows features like AppLocker, there’s a solution to fit your needs. 

By understanding these methods and applying them strategically, you can create a safer and more secure environment.