This section describes the fields available on the Add Registry Rule and Edit Registry Rule pages.

Column headings on the rule table page are shown when they differ from the Add/Edit page.

Table 1. Registry Rule Fields

Field

Description

Name

Name by which this rule is identified in the Registry Rules table. (Required)

Description

Optional information about the registry rule. This can be any text you choose to enter.

Rank

(Table only)

The rank of this rule in order of evaluation. The rule ranked ‘1’ in the table is evaluated before the rule ranked ‘2’, and so on.

Status

Radio buttons that make this rule Enabled or Disabled. This allows you to create a rule that you use only at certain times, or to temporarily disable the rule without losing the information used to create it.

Expert Mode

Radio buttons that turn Expert Mode on or off (off is the default). Expert mode provides more options than standard mode but does not have all of the error-checking that other rule types have, so it is possible to create unexpected (and unwanted) outcomes without being warned during rule creation. These rules are intended for use by Carbon Black Support or Services representatives, or customers working with them. For more details, see Expert Rules.

Platform

Platform for which this rule is effective. This is a read-only field and the value is always Windows. Registry rules do not have any impact on non-Windows platforms.

Write Action (Add/Edit page only)

The action to take when there is a write attempt matching this rule. For the action option, see Specifying a Write Action. For all Windows platforms except Windows Server 2003 64-bit, write rules also control changes to registry permissions.

Action

(Rule table only)

The type of action the rule takes. The possible values include all of those shown for Write Action plus other actions made available in Advanced and Expert rules.

Operation (Rule table only)

The type of operation the Write Action rule affects. Standard Write Rules for the registry affect the following operations: Create Key, Rename Key, Delete Key, Change value, Delete value, Set Security, and Open Key with Write Access.

Rules created or edited in Expert Mode might not include all of these operations and also might include other operations.

Action (Legacy)

(Rule table only)

This column shows actions and operations for the rule as shown in the Action column in pre-8.1.6 versions, or it shows “Expert Action(s)” in cases where expert rule information was not previously shown.

This field is present strictly for continuity with older versions – you should use the separate Action and Operation columns for the most accurate description of the rule.

Use Policy Specific Notifier

If you choose Block or Prompt as the Write Action, this checkbox appears to the right of the Write Action choice. If you check the box, the notifier that appears when a registry rule blocks an action is the notifier specified for the Enable Registry Rules setting in the policy for the computer on which the action was blocked. If not checked, you can choose a custom notifier from the Custom Write Notifier menu.

Custom Write Notifier

If you choose Block or Prompt as the write action, and you do not check the Use Policy Specific Notifier box, this menu appears.

If you choose Block as the write action, you can choose any notifier from the menu. The menu also includes a <none> option so that you can disable the notifier for this rule.

If you choose Prompt as the write action, you can choose any notifier on the menu. Prompt rules must display a notifier, so there is no <none> choice in this case.

If you use Unified Management to create a rule that applies to more than one server, client servers will use default notifiers, even if a custom notifier is specified on the management server.

Registry Path

(Path in table)

Registry path to which this rule applies. See Specifying Registry Paths for details on your options for specifying the path.

Source Process

(Process in table)

This field allows you to limit the rule so that it is applied only when certain processes attempt to execute or write files matching the path specification. For details on specifying a process and process menu options, see Specifying Processes in Registry Rules.

User or Group

This field allows you to specify users or groups to which this rule applies. For details on specifying users or groups, see Specifying Users or Groups.

Rule Applies To: Servers

(Add/Edit page only)

Radio buttons allow you to apply the rule to the current server, All Servers or Selected Servers. If you choose Selected Servers, a list appears that includes the current server and all Carbon Black App Control servers managed by this server, each with a checkbox. In addition, policies for the servers you include appear in the Selected policies list.

This field appears only if Unified Management is configured on the server you are logged into.

Unified Server Source (Table only)

If this is a unified rule, the name of the Unified Management server that created or copied the rule.

Rule Applies To: Policies

(Policy in the table)

Radio buttons allow you to apply the rule to All policies or Selected policies. If you choose Selected policies, a list of all policies available on your Carbon Black App Control Server appears, each with a checkbox. You can check as many policies as you choose.

If Unified Management is configured on the server you are logged into, and if you have chosen to apply the rule to additional servers, policies for all selected servers appear in this list.

Is Global

(Table only)

Indicates whether the rule applies to all policies (Yes) or only selected policies (No).

Rule Applies To: Override Permissions

(Add/Edit page only)

Radio buttons allow you to specify whether administrators on other servers can modify rules sent with Unified Management on their own server. The options are No Override, Partial Override (allows changing rank) and Full Override (allows editing and changing rank).

This field appears only if Unified Management is configured on the server you are logged into and this rule is applied to more than the current server in the Rule Applies To: Servers field.

History

For existing rules, a History panel on the Edit Rule page appears showing some or all of the following fields. In addition, these fields can be added as columns on the rules table page.

  • Created By – If the rule was created on this server, the user who created it. Rules created during server installation or upgrades show “System” in this field.
  • Date Created – If the rule was created on this server, when it was created.
  • Last Modified By – If the rule has been modified since creation or import, the user who modified it.
  • Date Modified – If the rule has been modified since creation or import, when it was modified.
  • CL Version – Rules created after server installation also show the CL (config list) number that first contained the rule so that you can compare an agent CL number to determine whether the agent has received the rule.
  • Imported – (In the table only) indicates whether the rule was imported (Yes/No).
  • Imported By – If the rule was imported to this server, the user who imported it.
  • Imported Date – If the rule was imported to this server, when it was imported.