Purpose: To look for execution of commonly available but rarely used Microsoft applications that may indicate suspicious behavior.

Description: Reports or prevents execution of Microsoft applications that are rarely used and can be used maliciously.

Enabled by Default: No
Platform: Windows
Minimum Agent Version Required: 8.0.0

The Edit Rapid Config page for the Suspicious Application Protection Rapid Config

Rapid Config Settings

As with most rapid configs, you can:

  • Enable or disable the rapid config.

  • Specify what policies the rapid config applies to.

In addition, you can choose to Do Nothing, Report, or Block the specific items or behaviors.

Note: RECOMMENDATION: We recommend setting each section to Report prior to setting to Block. Use the resulting events to ensure that legitimate behavior will not be impacted.

For each of the following sections, specify what action you require.

Suspicious Applications

Use this group to specify suspicious applications that should be blocked from running.

The suspicious application settings for the Suspicious Application Protection Rapid Config

*Report Or Block Execution Of Suspicious Applications:
Should execution of suspicious applications be reported or blocked? You should validate that legitimate execution is not blocked before enabling blocking.
Suspicious Applications To Report:
Carbon Black App Control will report or block execution of the specified applications. You can add or remove items from this list. By default, the list includes:
  • Cbd.exe
  • Cmstp.exe
  • Csi.exe
  • Diskshadow.exe
  • Dnx.exe
  • Dxcap.exe
  • Extexport.exe
  • Forfiles.exe
  • Hh.exe
  • Ieexec.exe
  • Ie4uinit.exe
  • infdefaultinstall.exe
  • installutil.exe
  • Mftrace.exe
  • Msdeploy.exe
  • Msdt.exe
  • Msxsl.exe
  • Presentationhost.exe
  • Rcsi.exe
  • Regasm.exe
  • Regsvcs.exe
  • Runscripthelper.exe
  • Sqlps.exe
  • Sqltoolsps.exe
  • Te.exe
Command Lines That Should Not Be Reported:
Carbon Black App Control will report or block execution of the specified applications. You can add or remove items from this list. By default, the list includes:
  • <cmdline:*agentjob*>sqlps.exe
*Report Or Block Execution Of Tracker.Exe:
Should execution of Tracker.exe be reported or blocked? You should validate that legitimate execution is not blocked before enabling blocking.
Applications To Report:
Carbon Black App Control will report or block execution of the specified applications. You can add or remove items from this list. By default, the list includes:
  • Tracker.exe
Command Lines That Should Not Be Reported:
Execution of these command lines will not be reported or blocked.
Processes Allowed To Run Tracker.Exe:
Tracker will not be reported or blocked when run by these processes. By default, the list includes:
  • Msbuild.exe
*Report Or Block Execution Of VSJitDebugger.Exe:
Should execution of VSJitDebugger.exe be reported or blocked? You should validate that legitimate execution is not blocked before enabling blocking.
Applications To Report:
Carbon Black App Control will report or block execution of the specified applications. You can add or remove items from this list. By default, the list includes: 
  • VSJitDebugger.exe
Command Lines That Should Not Be Reported:
Execution of these command lines will not be reported or blocked.
Processes Allowed To Run VSJitDebugger.Exe:
VSJitDebugger will not be reported or blocked when run by these processes. By default, the list includes:
  • Jenkins-Slave.exe