Carbon Black App Control includes several standard script rules, some of which are enabled by default. On the Scripts rule page, you can enable or disable existing rules, modify the rules, and create new custom script rules.

The Scripts tab on the Software Rules page

The following table shows the standard script rules. Where the file extension is the same for different rules, a different process (or process path) is paired with the file extension. If you are upgrading from a pre-8.1.6 release, in addition to the table, please see Windows Script Rules Changes on Upgrade.

Table 1. Standard Script Rules and File Extensions

Application or Category

Script Extensions

Processes

Platform

Default State

Linux Shell

.sh, .csh, .zsh, .ksh

/bin/bash, /bin/csh, /bin/ksh, /bin/sh, /bin/tcsh, /bin/zsh/bin/dash, /bin/static-sh,/bin/busybox

Linux

Enabled

Linux Perl

.pl

/usr/bin/perl

Linux

Enabled

Linux Python

.py

/usr/bin/python

Linux

Enabled

Mac Shell

.sh, .csh, .zsh, .ksh

/bin/bash, /bin/csh, /bin/ksh, /bin/sh,/bin/tcsh, /bin/zsh

Mac

Enabled

Mac Perl

.pl

/usr/bin/perl

Mac

Enabled

Mac Python

.py

/usr/bin/python

Mac

Enabled

Batch

.cmd, .bat

<System>\cmd.exe

<Systemx86>\cmd.exe

<YaraTags:cmd_interpreter>*

Windows

Enabled

Registry

.reg

<System>\reg.exe

<Systemx86>\reg.exe

<System>\regedt32.exe

<Systemx86>\regedt32.exe

<Windows>\regedit.exe

<Systemx86\regedit.exe>

<YaraTags:reg_interpreter>*

Windows

Enabled

Visual Basic

.vbs, .vb, .vbe, .wsf, .wsh

<System>\cscript.exe,

<Systemx86>\cscript.exe

<System>\wscript.exe,

<Systemx86>\wscript.exe

<YaraTags:vb_interpreter>*

Windows

Enabled

Java

.jar, .class

*\java.exe, *\javaw.exe

<YaraTags:java_interpreter>*

Windows

Disabled

Perl (or Perl using Yara)1

.pl, .pm

*\perl.exe, <YaraTags:perl_interpreter>*

Windows

Disabled

Python

(or Python using Yara)2

.py, .pyc, .pyo

*\python.exe, *\pythonw.exe, <YaraTags:python_interpreter>*

Windows

Disabled

PowerShell

.ps1, .psm1

*\powershell.exe, <YaraTags:powershell_interpreter>*

Windows

Disabled

TCL

.tcl

*\wish.exe, *\tclsh.exe

Windows

Disabled

Ruby

.rb

*\ruby.exe

Windows

Disabled

Chrome Extensions

.crx

*\chrome.exe

Windows

Disabled

Mozilla Extensions

.xpi

*\firefox.exe

Windows

Disabled

HTML Application

.hta

*\mshta.exe, <YaraTags:mshta_interpreter>*

Windows

Enabled

Note: 1,2 -- For upgrades from pre-8.1.6 releases, the updated Perl and Python rules that include Yara are named “Perl using Yara” and “Python using Yara”. The pre-Yara versions remain in place with their old names. For new 8.1.6 installations, the rules “Perl” and “Python” include Yara and there is no version without Yara.

Windows Script Rules Changes on Upgrade

Beginning with Carbon Black App Control 8.1.6, the script processors in certain pre-configured Windows script rules are identified by Yara in addition to path and name. The processes identified in this way include: cmd.exe, regedit.exe, reg.exe, regedt32.exe, cscript.exe, wscript.exe, java.exe, javaw.exe, mshata.exe, perl.exe, python.exe, and pythonw.exe.

The Script rules that reflect this change are: Batch, Registry, Visual Basic, Java, Powershell, and HTML Application.

The Perl and Python rules will differ depending upon whether the server is new or upgraded from a pre-8.1.6 version:

  • When a pre-8.1.6 server is upgraded, two new Windows Script rules are added that include the previous extensions but also use Yara to identify the processors. These new rules are: Perl using Yara and Python using Yara.

    The existing Perl and Python script rules on an upgraded server remain unchanged since they do not incorporate a process in the rule but rather rely on file associations for the extensions pl, pm, py, pyc, pyo, and pyw.

  • New (non-upgrade) server installations do not have Perl using Yara and Python using Yara rules. Because there are no non-Yara versions of these rules on new servers, the rules using Yara are identified as Perl and Python.

Because they do not support Yara, the Linux and Mac script rules are unchanged.