You can use the Carbon Black App Control console to create, edit, or copy a registry rule.

In addition to providing a name, when creating a registry rule, you need to provide the information shown in bold in the left column of the table below and enter it in the Add Registry Rule page in the locations on the right:

| General Description | Field on Add/Edit Registry Rule Page |
|---|---|
| If this/these source process(es)... | Process |
| ...and/or this/these user(s)... | User or Group |
| ... attempt to modify the Windows Registry at this/these location(s)... | Registry Path |
| ... on computers in this/these policy(ies)... | Rule applies to/Policies: |
| ... on computers reporting to this/these App Control server(s)... | Rule applies to/Servers (if Unified Management is enabled) |
| ... then this action should be taken. | Write Action |

* Additional actions and other options are available in Expert Mode. For more details, see Expert Rules.

For each of these fields, there could be multiple matching items, or the rule could specify all items in that class (for example, the rule applies to all users, or all policies, or all source processes).

Create Registry Rules

Create a registry rule to block, report, allow, or prompt the user for a choice when there are attempts to write to the Windows Registry.

Prerequisites

  • Make sure you are familiar with the custom rule fields in the Add Registry Rule page. For a description of each of the fields, see Registry Rule Fields.
  • For information on setting a rank for a rule, see Rule Ranking.

Procedure

  1. On the console menu, navigate to the Rules > Software Rules page.
  2. Click the Registry tab.
  3. To create a new rule, click the Add Registry Rule button.
    The Add Registry Rule page appears.
  4. In the Name field, enter the name you want to appear on the list of rules.
  5. Optional. In the Description text box, add other comments about the rule, such as its purpose or its relationship to other rules.
  6. Enter the remaining information you want for this rule and then click Save if you need to remain on the page, or Save & Exit to return to the Registry tab.
    By default, a new registry rule is Disabled and ranked #1, listed at the top of the Registry Rules table.
  7. Before you enable a rule, change its rank.
    You can change the rank in any of the following ways:
    • Use the arrows in the Rank column.
    • Drag-and-drop (if the table is sorted by rank).
    • Click on the rank number and enter a new rank in the dialog box.
  8. When you are satisfied with the rank and want to enable the rule, click the toggle switch in the Status column of the Registry Rules table.
    The button in the switch moves to the right and the background turns from white to green.

Edit a Registry Rule

Editing a Registry rule is very similar to creating one. If you have permission to edit the rule, you can edit any field, including the rule name.

Procedure

  1. On the console menu, navigate to the Rules > Software Rules page.
  2. Select the Registry tab.
  3. Click the View Details icon for the rule you want to edit.
    The Edit Registry Rule page appears.
  4. Make your changes and click Save if you need to remain on the page, or Save & Exit to return to the Registry tab.

Results

A confirmation message appears on the page. Click the message to clear it from the page. If an error occurs, review the error message and correct the conditions that caused the error before saving again.
Note: If you are using Unified Management, and you edit a unified rule shared with other servers, a wizard shows the progress as the edited rule is saved on each server.

For more details, see Unified Management of Rules.

Copy a Registry Rule

There is a Copy this rule command on the Edit Registry Rule page. This command makes copies of the rule on the same server. You might do this so that you can customize a sample rule while preserving the original settings as a template. It also allows you to make slightly different rules for different policies without having to manually provide all of the settings for each one.

Procedure

  1. While on the Registry tab, click the View Details button to open the details page for the rule you want to copy.
  2. On the Edit Registry Rule page, click Copy this rule... under the Actions menu on the right side of the page.
    This opens a dialog box. By default, the copy is named using the original rule name plus (copy).
  3. In the dialog box, change the rule name if you want something more descriptive.
  4. If you want the new rule enabled immediately, click the Enable copied rule check box.
  5. Click OK.
    The copied rule is created and its details page replaces the details page for the original rule.
  6. Make any changes in the new (copied) rule and click Save or Save & Exit.