I’ve recently started working with IBM Privilege Manager (from Thycotic), which enables organisations to remove local administrative rights from endpoints, or ‘implement Least Privilege and Application Control’. Among other things, you can specify the name of an executable file which you want blocked. (In fact you specify the file attributes in a ‘Filter’, then you specify a ‘Policy’ which defines what action should take place when there is a match with the file specified in the Filter.)
It works on Windows and Mac OS/X. But when I tried blocking a particular file on OS/X I kept getting a message in the log which said ‘No policies apply’ followed by the name of the file in question. The answer? I eventually found that the policy definition includes an attribute called ‘Applies to all processes’. According to the help text it ‘Determines whether or not the policy applies to just interactive user processes or all processes including System based processes’. The file that I was trying to block was actually a consequence of a System based process, so when I set this attribute it happily blocked the file in question.