The Carbon Black App Control Server can ban files or processes reported as part of a malware notification by external network security devices.

This can be done in several ways:

  • Manual file bans of files reported in external notifications
  • Registry Rules that ban certain processes that attempt access to registry keys, as reported in external notifications
  • Custom Rules that ban activity in a directory reported in external notifications
  • Event Rules that automatically ban files (or create report-only bans) when certain file-related events occur, in this case, due to external notifications

Registry, Custom, and Event rules can also be configured to report the actions they describe rather than banning them.

Note: Bans of MSI files should not rely on hashes reported by a third-party source. In addition, they should not use MD5 or SHA-1 hashes from any source. See Approvals and Bans of MSI Files by Hash for details.