File bans are rules that block specific files from executing on computers running the Carbon Black App Control Agent, based on the agent Enforcement Level.
You can ban files reported by your Carbon Black App Control Agents in the course of day-to-day operations, and you also can preemptively ban files not yet seen on your computers but for which you have obtained information from third-party sources. Carbon Black App Control supports bans by file name or hash. Bans can affect all agents running in Control mode or be targeted to computers in selected policies only. You also can configure Carbon Black App Control to terminate processes already running when you ban their file image.
As the following table shows, file bans do not prevent software from running on computers operating in Visibility mode. However, even in Visibility mode, a ban will produce an event that you can use to monitor how often the banned file is run. Banning undesirable files while in Visibility mode also helps you prepare for a transition into full Control mode.
Policy Settings |
Enforcement Levels |
||||
---|---|---|---|---|---|
Active Bans |
None (Agent Disabled) |
None (Visibility Only) |
Medium |
High |
|
Banned files (by hash or name) |
Off/Permit |
Permit & Report |
Block |
Block |
Block |
When you ban specific files by name or hash, the bans appear as rules on the Software Rules page Files tab. One fundamental decision about how you ban a file is whether you ban it by name or by hash. The following table describes the differences between the two.
Ban Type |
Description |
---|---|
File Name Ban |
Block execution of the named file everywhere (if you enter only the file name) or at specified locations (if you enter a path), and on all computers or computers in selected policies. File name bans do not change the Global State of a file, but assure that all instances of files by the specified name are locally banned wherever they appear. Be careful not to ban a file required for system or application operation, especially when you specify paths using the (*) wildcard character. As a precaution, you can execute file-name bans in Report-Only state to test the effects of the ban. Ban (Report Only) bans remain unenforced until you change them to a blocking Ban. When you search by state for a file that is banned by both name and by hash, the file appears in the list of files in the Banned state but not in files with Local State Details of Banned by Name. Each file name ban is specific to one platform only. If you enter a path, use the correct directory delimiters and use only characters and formats legal for paths in the platform. |
Hash Ban |
Block execution of the specified hash in any location on all computers or on computers in selected policies. Hash bans are not platform-specific. Although you can copy and paste hashes from external sources, it is easier to ban hashes discovered by an agent directly from console pages that list files. You can create a Ban directly from most console pages that show a hash. Bans initiated from these pages automatically direct you to the Add File Rule page, fill in the hash for you, set the Type as Ban, and allow you to modify other ban properties before creating the ban. |