Custom rules define actions you want the agent to take in response to file, directory, or process activity that matches conditions you specify. They may be used to optimize performance, protect file integrity, create a trusted file path for software distribution, or meet other special needs.
Custom rules can be used to take actions such as:
- Blocking or allowing file modifications and executions.
- Controlling which files get tracked.
- Determining whether or not tracked files are approved.
- Reporting events when specified activity is seen.
- Creating exceptions to other types of rules, such as approvals or bans.
For description of the standard methods for approving and banning files, see Approving and Banning Software.
Rule Types
Carbon Black App Control provides several partially configured custom rule types for the following specific purposes:
- File Integrity Control – Prevents or reports changes to specified folders or files.
- Trusted Path – Defines folders or files for which file execution is always allowed.
- Execution Control – Creates a rule to control behavior when an attempt is made to execute a file matching the rule.
- File Creation Control – Creates a rule to control behavior when an attempt is made to write a file matching the rule.
- Performance Optimization – Specifies folders or files for which file creation, modification, and deletion are ignored (execution will still be monitored).
Two additional rule types allow more detailed configuration of a rule:
- Advanced – Provides a menu-based user interface in which you choose all fields yourself. The menu choices are standard actions (such as Write) that might actually involve combinations of actions or permissions internally.
- Expert – Provides a checkbox-based interface in which you can select one or more of the internal actions underlying the other rule types. These rules are described in Expert Rules.
Custom rules can be used to enable network login scripts or software deployment systems, or to designate an area for software developers to run executables without the Carbon Black App Control Server tracking file activity or enforcing rules. You also can use a custom rule to prevent users from uninstalling an application by blocking any changes to that application’s directory.
Rule Scope
You can create custom rules that apply to all computers on a platform (e.g., all Windows computers) under all conditions. If you have Unified Management enabled, you can even have a rule apply to agents on more than one Carbon Black App Control server. On the other hand, you can narrow the scope of a rule by specifying one or more of the following criteria (not all of these options are available for all rule types):
Criteria | Description |
---|---|
Process-specific | You can choose to make a rule effective only when certain processes attempt to write or execute files in the specified location. |
User- or group-specific | You can make the rule apply only to a specific user or group of users. |
Policy-specific | You can choose to limit a rule to computers in specified policies. |
Server-specific | If you have Unified Management enabled, you can choose to limit a rule to computers reporting to specified servers in the management group. For more information, see Unified Management of Rules. |
Rule ranking | Custom rules are evaluated in order of Rank, a column that is displayed by default on the Custom Rules table. The rule ranked ‘1’ has the highest rank, ‘2’ is next, and so on. If a rule blocks, allows, or prompts the user to choose between block and allow, that rule stops processing of the remaining rules, so rank matters in these cases. You can change the order of rules, for example by putting a rule that applies to one specific file in a folder higher on the list than a rule that applies to all files in the same folder; because the first rule is ranked higher, it takes precedence. |
Conditional Macros | You can use certain macros to restrict the conditions under which specific parameters in rules are applied. Only agents meeting the “test” described in the macro will attempt to match the parameter prefixed with the macro. Most of these macros are OnlyIf macros with different arguments, such as <OnlyIf:OSVersionIs:10.6.8> and <OnlyIf:HostName:*SMITH-1*>. |
All user-created custom rules are platform-specific; they apply to only one of the platforms – Windows, Mac, or Linux – that Carbon Black App Control Agents can be installed on.
File and Process Matching
To determine whether a file or process attempting an action matches a custom rule, a string comparison is done between the file or process name and the specifications in the rule. Hash values are not used for custom rule processing.
You can include wildcards and special macros in a path or process specification to broaden the rule scope or allow the rule to match files or processes in locations that vary from one agent computer to another. For more details, see Specifying Paths and Processes.
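The following script is an added illustration of the evaluation model described in the Rule Scope and File and Process Matching sections; it is not Carbon Black App Control code and does not reproduce the agent's real matching engine. It walks a constructed rule list in rank order, applies process-specific and policy-specific scoping, honours a leading <OnlyIf:...> macro on the path, matches paths by case-insensitive string comparison with wildcards (no hashes), stops at the first Block, Allow or Prompt rule, lets Report rules fall through, and, for an agent whose policy is in Visibility mode, turns a Block or Prompt into a "would have ..." event without interrupting the action. The Rule and Agent fields, the rule names, the host names, the policy names and the paths are all assumptions made for the demo.

```python
"""Toy rank-ordered custom rule evaluator (added example, not product code)."""
import fnmatch
import re
from dataclasses import dataclass

TERMINAL = {"Block", "Allow", "Prompt"}   # these actions stop processing of lower-ranked rules
MACRO = re.compile(r"^<OnlyIf:(\w+):([^>]+)>")   # leading conditional macro, e.g. <OnlyIf:HostName:*SMITH-1*>


@dataclass
class Agent:            # assumed shape of an agent for the demo
    hostname: str
    os_version: str
    policy: str
    mode: str = "Control"   # "Control" or "Visibility"


@dataclass
class Rule:             # assumed subset of custom rule fields
    rank: int
    name: str
    path: str                    # path pattern; may carry wildcards and a leading OnlyIf macro
    action: str                  # Block / Allow / Prompt / Report
    operation: str = "Execute"   # Execute or Write
    process: str = "*"           # process-specific scope; "*" means any process
    policies: tuple = ()         # policy-specific scope; () means all policies
    enabled: bool = True


def macro_allows(spec, agent):
    """Evaluate a leading OnlyIf macro; return (agent passes test, spec without the macro)."""
    m = MACRO.match(spec)
    if not m:
        return True, spec
    test, arg, rest = m.group(1), m.group(2), spec[m.end():]
    if test == "OSVersionIs":
        return agent.os_version == arg, rest
    if test == "HostName":
        return fnmatch.fnmatchcase(agent.hostname.upper(), arg.upper()), rest
    raise ValueError(f"unsupported macro {test}")


def path_matches(pattern, path):
    # Pure string comparison with wildcards; file hashes play no part in custom rule matching.
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def evaluate(rules, agent, path, process, operation):
    """Walk rules by rank; return (decision, events). Report rules never stop the walk."""
    events = []
    for rule in sorted(rules, key=lambda r: r.rank):
        if not rule.enabled or rule.operation != operation:
            continue
        if rule.policies and agent.policy not in rule.policies:
            continue
        applies, pattern = macro_allows(rule.path, agent)
        if not applies or not path_matches(pattern, path):
            continue
        if not fnmatch.fnmatchcase(process.lower(), rule.process.lower()):
            continue
        if rule.action not in TERMINAL:          # e.g. Report: record and keep going
            events.append(f"{rule.action}: {rule.name}")
            continue
        if agent.mode == "Visibility" and rule.action in ("Block", "Prompt"):
            events.append(f"would have {rule.action.lower()}ed: {rule.name}")
            return "Allow", events                # Visibility mode never interrupts the action
        events.append(f"{rule.action}: {rule.name}")
        return rule.action, events
    return "No match", events


# Constructed rule set: note how the specific-file Allow rules are ranked above the folder-wide Block.
RULES = [
    Rule(1, "Report tool use", r"C:\Tools\*", "Report"),
    Rule(2, "Allow debugger on Smith's box", r"<OnlyIf:HostName:*SMITH-1*>C:\Tools\debug.exe", "Allow"),
    Rule(3, "Allow dev build tool", r"C:\Tools\build.exe", "Allow", policies=("Developers",)),
    Rule(4, "Block everything else in Tools", r"C:\Tools\*", "Block"),
    Rule(5, "Deployment agent may write to Tools", r"C:\Tools\*", "Allow", "Write",
         process=r"C:\Program Files\Deploy\agent.exe"),
    Rule(6, "Block other writes to Tools", r"C:\Tools\*", "Block", "Write"),
]
DEV = Agent("WS-SMITH-1", "10.0.19045", "Developers")
OPS = Agent("WS-JONES-2", "10.0.19045", "Standard")
VIS = Agent("WS-JONES-2", "10.0.19045", "Standard", mode="Visibility")

if __name__ == "__main__":
    for agent, path, proc, op in [
        (DEV, r"C:\Tools\build.exe", "explorer.exe", "Execute"),
        (OPS, r"C:\Tools\build.exe", "explorer.exe", "Execute"),
        (VIS, r"C:\Tools\build.exe", "explorer.exe", "Execute"),
        (OPS, r"C:\Tools\new.dll", r"C:\Program Files\Deploy\agent.exe", "Write"),
    ]:
        print(agent.hostname, op, path, "->", evaluate(RULES, agent, path, proc, op))
```

Swapping ranks 3 and 4 in RULES makes the folder-wide Block win for build.exe even on a Developers policy, which is the ordering mistake the Rule ranking row warns about.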
Pre-configured Rules
A new installation of the Carbon Black App Control Server is pre-configured with several custom rules found to improve performance and/or prevent unnecessary tracking. These rules are enabled by default. You can remove or disable them if you choose. For upgrades from previous releases, these rules are added below (i.e., with a lower rank than) rules that already existed.
The table of rules also includes rules labeled [Sample], which are disabled by default. In general, these are application-specific rules that allow files needed for certain common applications or suites to be executed or written. You can enable these, with or without modifications of your own.
Internal Rules in the Custom Rule Table
The Custom rules table includes rules labeled as internal. These are the rules you enable in other parts of the console, mostly in the Device and Advanced settings on the Edit Policy page. For example, Block banned file hashes, which is on the Advanced settings table for a policy, is listed as an Internal rule on the Custom rules page.
An internal rule shows its status as Enabled in the rules table if it is enabled in any policy. You cannot enable, disable, modify or move Internal rules in the Custom rules table, but you can move other, non-internal Custom rules, relative to the Internal rules to better control how and when different rules are enforced. For more details, see Rule Ranking and Internal Rules.
Internal Custom rules apply to all platforms.
Specifying the Notifier for a Custom Rule
Carbon Black App Control provides notifiers that can be displayed when a rule blocks an action or prompts the user for a decision to allow or block an action. For each custom rule, you can choose from two sources for the notifier:
- Use Policy Specific Notifier – Each policy includes an Advanced setting, Enforce custom (file and path) rules, which is always on. This setting has a Notifier field in which you can choose the notifier that appears on agent computers when custom rules block an action.
If you select Use Policy Specific Notifier for a rule, it is possible that the policy specifies <none> as the notifier for Enforce custom (file and path) rules. In this case, no notifier is shown, even for a Prompt rule. Unless you are certain that you never want to prompt the user for a response to a rule, choosing <none> for the custom rule notifier in a policy is not recommended. For more information, see Advanced Settings.
- Custom Notifier – If you do not choose the policy-specific notifier, you can choose (or create) a notifier specifically for a custom rule. The choices appear on a menu on the Add/Edit Custom Rule page.
When you select Block as the rule action, you can choose <none> on the Custom Write Notifier menu since it is possible you want the rule to block actions without notification. A Prompt rule requires a user choice, so when you choose Prompt as the rule action, the Custom Notifier menu does not include <none>.
For the custom rule notifier settings, see Custom Rule Fields. For more information on notifiers, see Endpoint Notifiers and Approval Requests.
Custom Rules in Visibility Mode
In Visibility mode policies, the effect of custom rules depends on the type of rule:
- Custom rules that would block a file have no effect in Visibility mode, but they still generate Carbon Black App Control events.
- Custom rules configured to prompt the user for a response do not interrupt the action, but a "would have prompted" event is generated.
- Custom rules that approve a file do change the file state, but in Visibility mode this has no effect on file execution.
- Custom rules that specify “Ignore” on the Write menu (see below) are effective in Visibility mode.