The Protected Whitelisting strategy is similar to the 5.2.x Limited Execution Prevention policy. However, in the 5.2.x Limited Execution Prevention policy, the whitelisting was applicable only to interactive programs, while in the 6.0 Windows Prevention policy, whitelisting applies to the entire system. This strategy provides protection for the operating system, and prohibits the launching of applications, except those that are explicitly listed in the policy configuration.
By default, the policy configuration, which is the Application Rules page for a whitelisting policy, is empty. You are allowed to select an application and its sandbox, and add it to the policy.
For the operating system to function properly, the whitelisting policy takes advantage of the new publisher feature to route default Windows programs. After routing the operating system programs to their specific sandboxes, the policy contains a default rule that routes any Microsoft Signed program running out of the %systemroot% directory or subdirectories to the Default Windows Programs and Services sandbox.
As a result of this rule, if you run programs such as cmd.exe or Notepad.exe that reside under the %systemroot% directory, these programs are allowed to run, and will be confined by the Default Windows Programs and Services sandbox.
To block these programs from running, you could follow any one of the following steps:
Edit the Sandbox Execution option in the Default Windows Programs and Services sandbox, and add the program to the Programs the Default Windows Services may not run list
Create an application on the Application Rules page for the program, and select the Deny sandbox option.
Imported Document ID: HOWTO95352
Subscribing will provide email updates when this Article is updated. Login is required.