Custom rules have a “Rank” number and are evaluated from lowest number to highest number, beginning with the rule ranked 1. By default, rules appear in their rank order, but you can re-sort the table by other columns. Also, if you filter a table, there are gaps in the rank of rules because not all rules are shown.
If a file matches one rule that blocks an action and another rule that allows it, the highest-ranking rule (that is, the one with the lowest number) takes precedence, and the lower-ranked (higher number) rule has no effect. You can change the ranking of rules if you decide that you want one of your rules to be considered before its current position.
Rule ranking is significant only for rules that Block, Allow, or Prompt the user to block or allow. The highest ranking block, allow, or prompt rule that matches an attempted file action not only takes precedence but stops processing of any lower-ranked rules matching the action.
A rule whose action is Approve, Approve as Installer, Track, Report, Promote, or Ignore does not stop processing of lower-ranked rules. For example, if a write attempt first matches an Ignore rule and also matches another rule with a lower rank (higher number) on the list, the second rule is also processed.
Although not custom rules, Internal rules for fundamental actions in Carbon Black App Control, such as blocking banned files, are included in the Custom rules table. For suggestions about how and when you might change the order of other rules relative to internal rules, see Rule Ranking and Internal Rules.
The options for changing the rank of rules depend on how table rows are sorted and whether the table is filtered.
- If a rule table is sorted by rank and not filtered, you can use arrow buttons and drag-and-drop methods to change the rank of rules. The arrow buttons appear only in tables that meet these conditions.
- For any table, regardless of how it is sorted or filtered, you can click on a rule's rank number and specify a new rank in a dialog box.
Change the Rank of a Rule
You can change the rank of a rule in an unfiltered table sorted by rank.
Procedure
- On the rules page, if the rules are not currently sorted by rank, click on the Rank column heading to sort them.
- If you have applied a filter or a Saved View that filters the table, either click Reset in the Filters panel or select (none) in the Saved View field to return the table to an unfiltered view.
- To change the rank of a Custom rule, perform any of the following actions.
  - In any table that displays the rank column, you can click on the rank number and enter a new rank number in the dialog box.
  - If the table is sorted by rank and not filtered, arrows appear next to the rank. Click the up or down arrow button next to the rule to change its rank.
  - If the table is sorted by rank and not filtered, you can hold down the left mouse button with the cursor over the rule and drag the rule to a new location.
Note: When using drag-and-drop, your target location must be visible in the current view (including rows you can scroll to but not rows that have not been loaded). If you need to move a rule to a ranking not currently shown, you can use the Click to Show More bar at the bottom of the rules table to add rows to the current view. You also can use the dialog box described in the next procedure.
Change the Rank of a Rule in Any Table
You can change the rank of a Custom rule in any table.
Procedure
Results
Rule Ranking and Internal Rules
The Custom rules table includes Internal rules related to features presented in other parts of the Carbon Black App Control console.
These built-in rules are approximately equivalent to the settings you see when you view the Device Control Settings tab and the Advanced tab on the Edit Policy page.
For example, Block banned file hashes is listed as an Internal rule on the Custom rules page and as a setting in the Advanced settings section of the Edit Policy page.
You cannot enable, disable, modify or move Internal rules in the Custom Rules table – they do not have delete or edit buttons or ranking arrows. The order of Internal rules cannot be changed relative to each other. However, you can change the rank of any Internal rule relative to other, non-internal Custom Rules to better control how and when different rules are enforced. You do this by moving the other rule (not the Internal rule).
The following are key situations in which you might want to change the order of Internal rules relative to other rules.
- By default, if a file has been banned but you create a Custom rule that allows the file to execute, that rule appears higher in rank than the internal rule that blocks executions of banned hashes. Because of this, the Custom Rule takes precedence over a hash ban on that file. However, if you move the Custom Rule that allows the banned file to execute to a rank below the Internal rule Block banned file hashes, the file is not allowed to execute. Unless you want to bypass file bans, moving the “allow” rule is recommended.
- By default, if you create a Custom rule that allows a file to be written, it appears higher in rank than internal rules that block writing, and so the allow rule takes precedence. For example, if you create a new rule that allows writes to a device, it appears before the internal rule that blocks writes to a device. However, if you move the rule that allows device writes to a position after the Block writes to unapproved removable devices rule, the block rule takes precedence and a file on an unapproved device is blocked from writing, even if it matches an Allow or Prompt rule below.
You can make file hash bans override custom rules that allow execution. First, make sure the rules are sorted by rank by clicking the Rank column. Then find the rule that allows execution of the banned file and use the arrows to move the allow rule after the Block banned file hashes rule and before the Terminate processes with banned images rule, so that the banned file is shut down before running.
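A simplified model of the evaluation order described above and of the ban-override case, as an added example that is not Carbon Black App Control code or its API. The `Rule` class, the predicates, the rank numbers and the sample file are constructed for illustration. It shows a Report rule being processed without stopping evaluation, and an audit that lists custom Allow rules ranked above the internal Block banned file hashes rule.

```python
from dataclasses import dataclass
from typing import Callable

# Per the page: only these actions stop processing of lower-ranked rules.
TERMINAL = {"Block", "Allow", "Prompt"}

@dataclass(frozen=True)
class Rule:                      # hypothetical model, not a product object
    rank: int
    name: str
    action: str
    matches: Callable[[dict], bool]
    internal: bool = False

def evaluate(rules, file_event):
    """Walk rules from rank 1 upward; return (decision, names of rules processed)."""
    trail = []
    for rule in sorted(rules, key=lambda r: r.rank):
        if not rule.matches(file_event):
            continue
        trail.append(rule.name)
        if rule.action in TERMINAL:      # first Block/Allow/Prompt match wins
            return rule.action, trail
    return None, trail                   # no terminal rule matched

def allows_outranking_ban(rules, ban_name="Block banned file hashes"):
    """Audit: custom Allow rules that sit above the internal ban rule."""
    ban = next(r for r in rules if r.internal and r.name == ban_name)
    return [r.name for r in rules
            if not r.internal and r.action == "Allow" and r.rank < ban.rank]

# Constructed sample: a banned file that a custom rule also allows.
BANNED_FILE = {"path": r"C:\tools\legacy.exe", "banned": True}

def ruleset(allow_rank):
    return [
        Rule(1, "Report tools dir", "Report", lambda f: "\\tools\\" in f["path"]),
        Rule(allow_rank, "Allow legacy tool", "Allow",
             lambda f: f["path"].endswith("legacy.exe")),
        Rule(3, "Block banned file hashes", "Block",
             lambda f: f["banned"], internal=True),
    ]

if __name__ == "__main__":
    for rank in (2, 4):                  # default position, then moved below the ban
        rules = ruleset(rank)
        print(rank, evaluate(rules, BANNED_FILE), allows_outranking_ban(rules))
```
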