When you create or edit a ban, the File Rule details dialog box shows a warning in red, indicating that the rule could stop currently running files. This displays as a reminder even if you have not enabled process termination in any policy.
In addition, when you add or edit a file ban and click Save in the File Rule details dialog box, a confirmation dialog can provide a further warning. The warning displays if a name ban contains wildcards in the name. It also appears for both name and hash bans if the file specified in the rule has a Carbon Black File Reputation threat level of either “0 – Clean” or “Unknown” and a if ban specifies any of the following:
- A file signed by Microsoft (including key system files)
- A file signed by another trusted publisher
- A file with Carbon Black File Reputation trust levels above 7
- A file that appears on more than 10% of reporting agent computers
In each of these conditions, terminating the file or files in the ban can have undesirable effects, including shutting down the computer. The default setting on this dialog is to allow the ban; click Cancel if you have concerns about the ban.