How to prevent standard users from running executables (e.g. portable apps)?

Hi all,

I think the subject says it all, but here again:
How to prevent standard users from running executables (e.g. portable apps)?

I know in Win 7, we can do that with applocker/group policy, but is it possible with ITSM, possible by “block” in auto-containment?

Thanks in advance.

This is possible @com1blaster but can be potentially tedious to set up to cover all the bases.

Using the following wiki guide on ‘How to White List files based on File group’, instead of ‘whitelisting’ (or allowing), you will set it to ‘blacklist’ (disallow or run in containment) the defined file group. It will be up to you on how ‘restrictive’ the file group you will be setting up.

Thanks @Rick_C that’s what I expected.

One aspect I realize missing in defining rule is the capability to exclude a parameter. For example, instead of listing all locations for blocking (which can be tedious), I can achieve that by blocking all excluding a few locations such as system files and program files (which is faster). Hope you can consider this feature for future implementation.

That is already possible @com1blaster. Comodo’s security is mainly on ‘Default Deny’. Check the Containment section, in the Rules subsection, of a Profile.

  • Remove (or turn off as a precautionary step) all but one of the ‘All Applications’ entries.
  • Set the ‘All Applications’ entry to Reputation: Any, Behavior: Block (and definitely turn it on). [That covers ‘block all’]
  • Add the ‘custom file groups’ that you want to be excluded.
  • Do a lot of testing until you get it right.


  • Any changes you make in any of the ‘custom file group’ will NOT propagate automatically to the profiles that includes it. You will need to ‘re-deploy’ the Profile. Re-deploy here entails making a simple change on the Profile and saving it. Then undoing the previous change and saving it again.
  • As a friendly reminder, any excluded ‘folders/path’ becomes a potential malware entry point as, understandably, they are excluded in the selected CCS security section.

exactly the same situation I am also having with the ITSM, and I also followed the given guide but didn’t get any luck to do so…

But I am still hope there something will help both of us to block standers users from running apps.

Q - Is this still the case now?
I have the custom group, but we also have the newish “global whitelist”, I seem to add entries to that and they still get blocked/contained. Do I need to also change the profiles that it’s included to allow it to kick in? Or setup a global profile so only need to adjust one section when adding to the list.