Carbon Black App Control includes several standard script rules, some of which are enabled by default. On the Scripts rule page, you can enable or disable existing rules, modify the rules, and create new custom script rules.
The following table shows the standard script rules. Where the file extension is the same for different rules, a different process (or process path) is paired with the file extension. If you are upgrading from a pre-8.1.6 release, in addition to the table, please see Windows Script Rules Changes on Upgrade.
| Application or Category |
Script Extensions |
Processes |
Platform |
Default State |
|---|---|---|---|---|
| Linux Shell |
.sh, .csh, .zsh, .ksh |
/bin/bash, /bin/csh, /bin/ksh, /bin/sh, /bin/tcsh, /bin/zsh/bin/dash, /bin/static-sh,/bin/busybox |
Linux |
Enabled |
| Linux Perl |
.pl |
/usr/bin/perl |
Linux |
Enabled |
| Linux Python |
.py |
/usr/bin/python |
Linux |
Enabled |
| Mac Shell |
.sh, .csh, .zsh, .ksh |
/bin/bash, /bin/csh, /bin/ksh, /bin/sh,/bin/tcsh, /bin/zsh |
Mac |
Enabled |
| Mac Perl |
.pl |
/usr/bin/perl |
Mac |
Enabled |
| Mac Python |
.py |
/usr/bin/python |
Mac |
Enabled |
| Batch |
.cmd, .bat |
<System>\cmd.exe <Systemx86>\cmd.exe <YaraTags:cmd_interpreter>* |
Windows |
Enabled |
| Registry |
.reg |
<System>\reg.exe <Systemx86>\reg.exe <System>\regedt32.exe <Systemx86>\regedt32.exe <Windows>\regedit.exe <Systemx86\regedit.exe> <YaraTags:reg_interpreter>* |
Windows |
Enabled |
| Visual Basic |
.vbs, .vb, .vbe, .wsf, .wsh |
<System>\cscript.exe, <Systemx86>\cscript.exe <System>\wscript.exe, <Systemx86>\wscript.exe <YaraTags:vb_interpreter>* |
Windows |
Enabled |
| Java |
.jar, .class |
*\java.exe, *\javaw.exe <YaraTags:java_interpreter>* |
Windows |
Disabled |
| Perl (or Perl using Yara)1 |
.pl, .pm |
*\perl.exe, <YaraTags:perl_interpreter>* |
Windows |
Disabled |
| Python (or Python using Yara)2 |
.py, .pyc, .pyo |
*\python.exe, *\pythonw.exe, <YaraTags:python_interpreter>* |
Windows |
Disabled |
| PowerShell |
.ps1, .psm1 |
*\powershell.exe, <YaraTags:powershell_interpreter>* |
Windows |
Disabled |
| TCL |
.tcl |
*\wish.exe, *\tclsh.exe |
Windows |
Disabled |
| Ruby |
.rb |
*\ruby.exe |
Windows |
Disabled |
| Chrome Extensions |
.crx |
*\chrome.exe |
Windows |
Disabled |
| Mozilla Extensions |
.xpi |
*\firefox.exe |
Windows |
Disabled |
| HTML Application |
.hta |
*\mshta.exe, <YaraTags:mshta_interpreter>* |
Windows |
Enabled |
Windows Script Rules Changes on Upgrade
Beginning with Carbon Black App Control 8.1.6, the script processors in certain pre-configured Windows script rules are identified by Yara in addition to path and name. The processes identified in this way include: cmd.exe, regedit.exe, reg.exe, regedt32.exe, cscript.exe, wscript.exe, java.exe, javaw.exe, mshata.exe, perl.exe, python.exe, and pythonw.exe.
The Script rules that reflect this change are: Batch, Registry, Visual Basic, Java, Powershell, and HTML Application.
The Perl and Python rules will differ depending upon whether the server is new or upgraded from a pre-8.1.6 version:
- When a pre-8.1.6 server is upgraded, two new Windows Script rules are added that include the previous extensions but also use Yara to identify the processors. These new rules are: Perl using Yara and Python using Yara.
The existing Perl and Python script rules on an upgraded server remain unchanged since they do not incorporate a process in the rule but rather rely on file associations for the extensions pl, pm, py, pyc, pyo, and pyw.
- New (non-upgrade) server installations do not have Perl using Yara and Python using Yara rules. Because there are no non-Yara versions of these rules on new servers, the rules using Yara are identified as Perl and Python.
Because they do not support Yara, the Linux and Mac script rules are unchanged.
