The Files tab of the Software Rules page shows all of the approvals and bans created forindividual files. These rules identify specific files by hash or optionally by file name (for bans only).
Approvals and bans can be global or they can be applied to computers in selected policies. Active Bans block file executions for affected computers in Control mode, report an event for computers in Visibility mode, and do nothing for computers in Agent Disabled mode. You also can create a Ban that only reports what it would have done if active.
Because the Files tab shows both Approvals and Bans, you can manage all file rules in one place. You can check to see whether a particular file has any approval or ban affecting it, and you can remove rules from one or more checked files.
By default, file rules are grouped by their type, so you see all of the Approvals together, Bans together, and Report Only bans together. You can change or eliminate the grouping on the Group by menu.
You can create approvals and bans directly on the Software Rules page Files tab if you want to enter the file hash or name manually in a property page. The easier way to create bans, however, is from a table or File Details page that already has the file hash. In either case, when you create the approval or ban, it displays on this page.
When you create a new ban or approval, it might affect a file that already has an approval or ban. If you attempt to do this, a warning appears, informing you that if you save the new rule it will delete the old rule. T
In some cases, creating a ban not only prevents future executions of a file, but stops any currently running processes that match that file. See Enabling Bans to Stop Running Processes.
You can delete files on endpoints using console commands. See Deleting Files.
Approvals and bans that appear on the File Rules page are created in the following ways:
- From the Software Rules Files tab, open the Add File Rule page and enter the hash for a single file; for bans, you also can use the file name or a specific path.
- From a File Details or File Instance Details page, select one of the approval or ban commands on the Actions menu to create a rule for a single file.
- In a table of files (for example, the File Catalog), select one or more files and then select one of the approval or ban commands on the Action menu.
- In the Events table, select one or more events that have a file reference in the description and select one of the approval or ban commands on the Action menu.
- From the Software Rules Files tab, import a list of file hashes to create multiple rules.
- From the Software Rules Directories tab, create a Trusted Directory. Each file located in a trusted directory has an approval rule created for it.
- You can create an approval or ban through an external API. The
Sourcefield on the Files tab or Edit File Rule page shows how a rule was created.
After you create a rule, you can manage it from the File Rules page, and in most cases you can delete it using commands on the page where you created it.
Banning the wrong file can have unintended and potentially harmful consequences. For example, inadvertently banning a legitimate system file can cause computers to immediately crash. Before you ban a file, make sure that you enter the correct name or hash. As a precaution, first search the file name or hash with the Find Files feature to verify that it is the file you want to ban, and review the File Details page. For further assurance, consider using Carbon Black File Reputation to learn more about the file before banning it. For more information, see Activating Carbon Black File Reputation in System Configuration
One way to test the impact of a ban without actually blocking files is to create a Report Only ban.
Testing a ban through Report Only is especially advisable if you have enabled termination of running procesess when bans are created. See Enabling Bans to Stop Running Processes.
