This support article outlines the three primary categories of Agentic AI tools and how you can effectively intercept or manage their network activity using Heimdal’s Application Control and AppFencing features. The objective is to secure your enterprise environment by intercepting, restricting, or completely blocking unauthorized Agentic and Desktop AI tools using Application Control rules, AppFencing, and DNS Filtering.
Agentic AI tools generally fall into three operational categories based on how they are installed and accessed:
App-based Agents: These are standalone software applications installed directly on the endpoint (e.g., Anthropic Claude, OpenAI ChatGPT, Google’s Antigravity).
CLI-based/Extension Agents: These tools operate as plugins or extensions within development environments (IDEs) like VS Code or PyCharm (e.g., AWS Amazon Q, Google Gemini CLI, OpenAI Codex CLI).
Browser-based Agents: These services are accessed directly through a web browser (e.g., Meta AI, XAI Grok). Because they run within the browser environment, they lack a dedicated local process that can be blocked via standard Application Control.
HEIMDAL provides two primary methods to restrict the network access of these AI tools, depending on whether you want to block the entire application or just its ability to connect to external AI services. As Agentic AI applications and local AI execution frameworks rapidly integrate into corporate endpoints, managing their execution paths and network reach is crucial for preventing data leakage, intellectual property exposure, and unauthorized background integrations.
1. Blocking an AI tool via Application Control (process-based)
2. Blocking an AI tool via DNS Security
Blocking an AI tool via Application Control (process-based)
Using Heimdal Application Control, administrators have two main enforcement strategies to contain these risks:
Full Process Blocking: Directly prevents the execution of targeted binaries on the endpoint.
Network Isolation (AppFencing): Allows the application to execute locally on the endpoint but isolates or restricts its outbound internet access. This renders online-dependent AI functions useless while safeguarding localized offline execution.
When utilizing AppFencing in the Heimdal Dashboard, it is essential to understand how network rules interact:
Rule Type Requirement: The Network/Internet feature within AppFencing applies strictly to Path type rules or environment variable rules.
Selective IP Blocking: If you add specific IP addresses under the AppFencing configurations, those targeted IP addresses will be blocked while the rest of the application's network traffic remains untouched.
Default Block All Traffic (Recommended): If you enable the Default block all traffic toggle, all network traffic will be blocked for every IP address on every port. This is highly recommended to combat dynamic, fast-evolving AI cloud infrastructures.
Exclusion Mode: If you list specific IP addresses in the rule configuration and enable Default block all traffic, the listed IP addresses are treated as exclusions (or allowlists). All traffic is blocked except for those specified IP addresses.
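The three network behaviours above, modelled in PowerShell as an added example (not Heimdal code): it lists the remote endpoints a target process currently holds and shows what each mode, as described in this article, would do with them. The helper names are hypothetical; the path and IP addresses are the Claude values listed further down this page.

```powershell
# Added example, not Heimdal code: a model of the AppFencing behaviour described
# above, applied to the connections a process holds right now. Ports are ignored,
# matching the "*" (all ports) setting used throughout this article.
function Test-AppFenceBlocked {    # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $RemoteIp,
        [string[]] $ListedIps = @(),
        [switch] $DefaultBlockAll
    )
    $listed = $ListedIps -contains $RemoteIp
    if ($DefaultBlockAll) { return -not $listed }   # listed IPs act as exclusions
    return $listed                                   # only listed IPs are blocked
}

function Get-ProcessRemoteEndpoint {    # hypothetical helper name
    param([Parameter(Mandatory)] [string] $ExecutablePath)
    # Process paths of other users are only visible from an elevated session.
    $ids = @(Get-Process | Where-Object { $_.Path -eq $ExecutablePath } | ForEach-Object Id)
    if ($ids.Count -eq 0) { return }
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $ids -contains $_.OwningProcess } |
        Select-Object -Property RemoteAddress, RemotePort -Unique
}

# Path and IPs are the Claude values listed in this article; adjust per endpoint.
$exe   = 'C:\Users\Test\AppData\Local\AnthropicClaude\app-1.569.0\claude.exe'
$known = '160.79.104.10', '142.251.152.119', '34.36.57.103'

Get-ProcessRemoteEndpoint -ExecutablePath $exe | ForEach-Object {
    [pscustomobject]@{
        Remote         = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
        SelectiveBlock = Test-AppFenceBlocked -RemoteIp $_.RemoteAddress -ListedIps $known
        BlockAll       = Test-AppFenceBlocked -RemoteIp $_.RemoteAddress -DefaultBlockAll
        ExclusionMode  = Test-AppFenceBlocked -RemoteIp $_.RemoteAddress -ListedIps $known -DefaultBlockAll
    }
}
```

Any row where SelectiveBlock is False is an endpoint the process reaches that a selective rule built from the known IP list would leave open.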
Google’s Antigravity
Software Name: Antigravity
Target Processes:
C:\Users\Test\AppData\Local\Programs\Antigravity\Antigravity.exe
c:\Users\Test\AppData\Local\Programs\Antigravity\resources\app\extensions\antigravity\bin\language_server_windows_x64.exe
Known IP Addresses:
13.107.253.44, 34.143.73.2, 20.189.173.2
Configuration Steps:
Option A (Full Block): In the Application Control view, select each process, choose Block from the drop-down menu, and select Path as the rule type.
Option B (AppFencing Selective Block): Select the process, allowlist it, and use a Path rule type. In the Endpoint Settings (Application Control module), locate this allowed process, enable AppFencing, select Network/Internet access, and add the known IPs with the port set to * (all ports).
Option C (AppFencing Total Isolation): Enable the Default block all traffic option in the AppFencing window.
Anthropic Claude
Publisher Name: Anthropic, PBC
Software Name: Claude
Target Processes: (Paths vary depending on user-specific or system-wide installers)
C:\Users\Test\AppData\Local\AnthropicClaude\app-1.569.0\claude.exe
C:\Program Files\WindowsApps\Claude_1.3883.0.0_x64__pzs8sxrjxfjjc\app\Claude.exe
Known IP Addresses:
160.79.104.10, 142.251.152.119, 34.36.57.103
Configuration Steps:
Option A (Full Block): Block each process individually in the Application Control View using the Block option with a Path rule type. Alternatively, you can use the Publisher name rule type to block the publisher Anthropic, PBC globally.
Option B (AppFencing Selective Block): Allowlist the Path rule type, enable AppFencing, go to Network/Internet access, and add the Claude IP addresses with the port set to *.
Option C (AppFencing Total Isolation): Select the allowed process path, enable AppFencing, and toggle Default block all traffic.
OpenAI ChatGPT
Software Name: ChatGPT
Target Process:
C:\Program Files\WindowsApps\OpenAI.ChatGPT-Desktop_1.2026.43.0_x64__2p2nqsd0c76g0\app\ChatGPT.exe
Known IP Addresses:
104.18.32.47, 172.64.155.209, 216.239.32.36, 3.233.158.40
Configuration Steps:
Option A (Full Block): In the Application Control View, select the ChatGPT desktop process, set the action to Block, and use Path as the rule type.
Option B (AppFencing Selective Block): Allowlist the process path, open AppFencing, choose Network/Internet access, and add the listed IPs on the port *.
Option C (AppFencing Total Isolation): Select the allowed process path, enable AppFencing, and toggle Default block all traffic.
Microsoft Copilot
Publisher Name: Microsoft Corporation
Software Name: Microsoft 365 Copilot App
Target Processes:
C:\Program Files (x86)\Microsoft\Copilot\Application\mscopilot.exe (Main client process)
C:\Program Files (x86)\Microsoft\Copilot\Application\mscopilot_proxy.exe (Background proxy managing tasks within MS Outlook, Edge, and Windows OS)
Known IP Addresses: Multiple/Dynamic
Configuration Steps:
Option A (Full Block): In the Application Control View, select both processes and set them to Block using the Path rule type.
Option B (AppFencing Total Isolation): Set a path rule to allow the applications, enable AppFencing, and choose Default block all traffic.
⚠️ Crucial Configuration Alert: Do not block Microsoft Copilot using the Publisher name rule type. Doing so will target the general Microsoft Corporation signature, which will inadvertently block vital operating system and Microsoft 365 processes. Additionally, due to the massive, dynamic list of Microsoft cloud IP addresses, using Default block all traffic is the only reliable way to restrict Copilot's network reach.
Anysphere Cursor (AI-Native Code Editor)
Publisher Name: Anysphere, Inc.
Software Name: Cursor
Target Processes:
C:\Program Files\cursor\Cursor.exe
C:\Program Files\cursor\resources\app\bin\cursor-tunnel.exe
Known IP Addresses:
104.18.19.125, 104.18.18.125, 51.104.15.252, 3.122.148.200, 35.71.162.24, 3.233.124.12, 72.2.76.8, 98.87.63.18, 13.248.241.7, 13.216.85.191, 52.0.74.168 (and others)
Configuration Steps:
Option A (Full Block): Block each binary via Path rules or apply a global Publisher name rule targeting Anysphere, Inc.
Option B (AppFencing Total Isolation): Allowlist the path rules, enable AppFencing, and use the Default block all traffic toggle to handle Cursor's extensive IP list.
Manus AI
Publisher Name: manus
Software Name: Manus
Target Process:
C:\Program Files\WindowsApps\ManusAI.Manus_1.5.3.0_x64__vajzd2mq3s8wj\Manus.exe
Known IP Addresses:
18.97.36.74, 52.202.128.50, 146.75.122.132, 44.253.86.91, 185.102.217.65, 18.209.79.243 (constantly generating more)
Configuration Steps:
Option A (Full Block): Create a Block action with the Path rule type or block globally using the Publisher name rule type.
Option B (AppFencing Total Isolation): Allow the process via Path rule, enable AppFencing, and use Default block all traffic to contain dynamic host connections.
LM Studio (Configuring Qwen/Local LLMs)
Publisher Name: Element Labs Inc.
Software Name: LM Studio
Target Process:
C:\Users\Test\AppData\Local\Programs\LM Studio\LM Studio.exe
Configuration Steps:
Full Block: Block via Path or Publisher name (Element Labs Inc.). Note that this completely stops LM Studio from launching and cuts off all communication with local or online AI, as the app serves as the core intermediary.
Secure Local Execution (Offline Mode): To allow developers to run local models on the endpoint securely without leaking corporate data to online AI services, allowlist LM Studio via Path, enable AppFencing, and turn on Default block all traffic. This keeps local inference operational while severing all cloud connectivity.
OpenClaw
Publisher Name: OpenJS Foundation
Software Name: Node.js JavaScript Runtime
Target Process:
C:\Program Files\nodejs\node.exe (OpenClaw utilizes Node.js as its local hosting server)
Configuration Steps:
⚠️ Critical Precaution: Do not globally block node.exe if it is utilized by other critical, non-AI local corporate services.
Isolating Local Server Actions: If using OpenClaw with a local AI offline, allow the process via Path and toggle AppFencing's Default block all traffic.
Handling Localhost and Bot Integrations: Because OpenClaw needs localhost communications for dashboard rendering, you can leverage AppFencing Profiles to exclude/allowlist the loopback IP (127.0.0.1). Similarly, you can configure exclusions to allowlist external IP addresses for authorized target messaging applications (such as Slack or Discord bot IPs) while keeping general outbound web traffic completely blocked.
Note: If utilizing paid online AI through API endpoints, AppFencing's block will disrupt online AI access, resulting in connected components like Discord bots failing to respond, even if the primary Discord app remains functional.
AWS Amazon Q
Target Process:
C:\Users\Test\AppData\Local\aws\toolkits\language-servers\AmazonQ\1.63.0\servers\node.exe (Note: This installs its own instance of node.exe inside the plugin folder of the IDE)
Configuration Steps:
Full Block: Apply a Block action using the exact Path rule type.
AppFencing Isolation: Allow the process via Path, enable AppFencing, and select Default block all traffic to contain its multi-IP connections.
Google Gemini CLI
Publisher Name: Google LLC
Target Process:
C:\Users\Test\AppData\Local\cloud-code\cloudcode_cli\cloudcode_cli\7bf7e7c5\cloudcode_cli.exe
Configuration Steps:
Full Block: Set the action to Block using the Path rule type.
AppFencing Isolation: Allow the path, activate AppFencing, and select Default block all traffic to mitigate outbound API connections.
OpenAI Codex CLI
Publisher Name: OpenAI OpCo, LLC
Software Name: codex-windows-sandbox
Target Process:
c:\Users\Test\.vscode\extensions\openai.chatgpt-26.406.31014-win32-x64\bin\windows-x86_64\codex.exe
Known IP Addresses:
104.18.32.47, 172.64.155.209
Configuration Steps:
Full Block: Block via the exact binary Path rule type.
AppFencing Isolation: Allow the path rule, go to AppFencing > Network/Internet access, and add the known IPs, or toggle Default block all traffic.
Opera AI (Aria)
Publisher Name: Opera Norway AS
Software Name: Opera Internet Browser
Target Process:
C:\Users\Test\AppData\Local\Programs\Opera\opera.exe
Configuration Steps:
Since browser-integrated AI sub-modules cannot be targeted individually (unless disabled within internal browser flags), you must block or restrict the entire browser.
Full Block: Apply a Block action using the Path or Publisher name rule type.
AppFencing Isolation: Because browsers hook into countless endpoints, allow the browser path and set AppFencing to Default block all traffic to completely neutralize all browser operations.
Perplexity Comet
Publisher Name: PERPLEXITY AI, INC.
Software Name: Comet
Target Process:
C:\Program Files\Perplexity\Comet\Application\comet.exe
Configuration Steps:
Full Block: Target and block the executable via Path or Publisher name.
AppFencing Isolation: Allow the process and check Default block all traffic within AppFencing settings to disrupt all functionality.
GitHub Copilot Chat (VS Code / PyCharm Integration)
Associated Host Processes:
VS Code: C:\Program Files\Microsoft VS Code\Code.exe
PyCharm: C:\Program Files\JetBrains\PyCharm 2026.1\bin\pycharm64.exe
Operational Challenge:
Blocking Copilot's individual IP addresses does not guarantee complete restriction and will break the critical developer capabilities of VS Code, GitHub repository syncing, and related services.
The only direct Application Control enforcement action is to block all network traffic to the entire IDE process (Code.exe or pycharm64.exe), which is generally unacceptable for development environments.
Recommended Administrative Action:
Handle this integration outside of Application Control. Leverage Group Policy Objects (GPO) or administrative settings directly within VS Code and PyCharm to block the installation of the Copilot plugin/extension.
Unofficial, untested, or incompatible extensions
Devin AI (Cognition Labs): Devin operates primarily as a paid web-based platform. Unofficial CLI versions exist but cannot be systematically profiled under standardized application binaries.
Salesforce AgentForce Vibes: This CLI plugin for VS Code cannot be systematically targeted using local Application Control profiles, as it does not initialize standard, captureable independent processes during environment testing. As a specialized development tool, it must be managed through developer policy controls if installed on corporate devices.
Troubleshooting & Admin Tips
Varying Paths: Be aware that these AI agents' paths can change depending on the installation scope. A single-user installer places binaries under %localappdata% (e.g., C:\Users\...\AppData\Local), whereas a system-wide installer or Windows Store app places binaries in C:\Program Files or C:\Program Files\WindowsApps.
Unsigned Apps: Certain AI utilities lack Publisher signatures, version headers, or static Software Names. In these circumstances, write rules strictly using explicit Path conditions rather than Publisher-based rules.
Updating Rules: Subscriptions and silent updates from AI providers will occasionally modify executable names, path structures, and network requirements. Security teams should check the Block logs in the Heimdal Dashboard regularly to identify and add new execution patterns to existing rule groups.
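To find where these binaries actually sit on a given endpoint before writing Path or Publisher name rules, the following added PowerShell example (not Heimdal tooling) searches the install scopes named above and reports each hit's signer. The helper name, the search roots and the Store package name pattern are assumptions derived from the paths listed in this article.

```powershell
# Added example, not Heimdal tooling. Run elevated in Windows PowerShell 5.1 so
# other users' profiles and Store packages are readable.
$names = 'Antigravity.exe', 'claude.exe', 'ChatGPT.exe', 'mscopilot.exe',
         'mscopilot_proxy.exe', 'Cursor.exe', 'cursor-tunnel.exe', 'Manus.exe',
         'LM Studio.exe', 'node.exe', 'cloudcode_cli.exe', 'codex.exe',
         'opera.exe', 'comet.exe'
$roots = @('C:\Users\*\AppData\Local', 'C:\Users\*\.vscode\extensions',
           'C:\Program Files', 'C:\Program Files (x86)')
# WindowsApps is ACL-restricted, so take Store install folders from the package
# registry. The name pattern is inferred from the folder names in this article.
$roots += @(Get-AppxPackage -AllUsers -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match 'Claude|ChatGPT|Manus' -and $_.InstallLocation } |
    ForEach-Object InstallLocation)

function Get-AiAgentBinary {    # hypothetical helper name
    param([string[]] $Root = $roots, [string[]] $Name = $names)
    Get-ChildItem -Path $Root -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
        Where-Object { $Name -contains $_.Name } |
        ForEach-Object {
            $file   = $_
            $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
            $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject }
            $scope  = 'System-wide'
            if ($file.FullName -like 'C:\Users\*')      { $scope = 'Single-user' }
            if ($file.FullName -like '*\WindowsApps\*') { $scope = 'Store app' }
            # Hints follow this article: unsigned apps, Microsoft-signed binaries
            # and node.exe get Path rules rather than Publisher name rules.
            $hint = 'Path or Publisher name'
            if ($signer -match 'Microsoft Corporation' -or $file.Name -eq 'node.exe') {
                $hint = 'Path only (shared publisher or runtime)'
            }
            if (-not $signer) { $hint = 'Path only (no valid signature)' }
            [pscustomobject]@{
                Name     = $file.Name
                Scope    = $scope
                Product  = $file.VersionInfo.ProductName
                Signer   = $signer
                RuleHint = $hint
                Path     = $file.FullName
            }
        }
}

Get-AiAgentBinary | Sort-Object -Property Path -Unique | Format-List
```

Re-running this after vendor updates shows new version folders (for example a changed app-x.y.z directory) that existing Path rules no longer match.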
Blocking an AI tool via DNS Security
For Agentic or Chat AI services that do not run any local processes on the endpoint and function entirely inside the browser, Heimdal Application Control cannot intercept them.
Meta AI
Target Services:
Meta AI (meta.ai)
XAI Grok (grok.com)
Action: You must block access to these web-only systems globally at the network level by utilizing HEIMDAL's DNS Security. Add the meta.ai domain to your DNS blocklist.
XAI Grok
Target Service:
XAI Grok (grok.com)
Action: You must block access to these web-only systems globally at the network level by utilizing HEIMDAL's DNS Security. Add the grok.com domain to your DNS blocklist.