You can use the Carbon Black App Control console to view and select the parameters for a Rapid Config, which you apply to a policy.
On the console menu, select and click the Rapid Configs tab.
Initially, this page shows the list of Rapid Configs built in to the Carbon Black App Control release you installed. The following table lists the Rapid Configs available when this publication was completed. If you have automatic cloud update enabled or install a later release, you might see more Rapid Configs, and some of the Rapid Configs listed here might be changed.
| Configuration |
Platform |
Description |
|---|---|---|
| Browser Protection |
Windows |
Reports or prevents browsers from performing potentially malicious operations. |
| Carbon Black App Control Server Tamper Protection |
Windows |
Protects the Carbon Black App Control Server from tampering. Disabled by default, but enabling it is recommended for extra protection. It may be disabled later if necessary for troubleshooting purposes. There is tamper protection built into the Carbon Black App Control agent, which is on by default. The Rapid Config on this page is for tamper protection on the server. |
| Carbon Black EDR Tamper Protection |
Windows |
Protects the VMware Carbon Black EDR sensor from tampering. If you have both the Carbon Black App Control agent and the VMware Carbon Black EDR sensor installed on endpoints, enabling this updater provides extra protection. |
| Cryptomining Protection | Windows |
Reports or prevents potentially malicious behavior related to file based cryptomining attacks. Minimum Carbon Black App Control agent version to use this Rapid Config is 8.0.0. |
| Delivery Optimization | Windows |
Approve files written by the Delivery Optimization Service (DoSvc). This Rapid Config is not needed for agents running version 8.1 and later because files written by the Delivery Optimization Service will automatically be approved in those versions. Minimum Carbon Black App Control agent version to use this Rapid Config is 7.2.0. |
| Domain Controller Logon Scripts |
Windows |
Allows and promotes all files under the Sysvol and NetLogon directories of specified domain controllers if the machine is a member of the specified domain. |
| Doppelganger Protection | Windows |
Protect against the exploit known as Doppelganging on Windows systems. Reference: https://community.carbonblack.com/docs/DOC-11212. Minimum Carbon Black App Control agent version to use this Rapid Config is 8.0 P7. |
| Linux Hardening |
Linux |
Improves the security of computers running Linux by reporting or blocking modification of critical Linux system files. |
| Linux System Performance |
Linux |
Improves the performance of computers running Linux by ignoring writes of specified files or by specified processes. |
| Microsoft Edge | Windows |
Approves updates to Microsoft Edge. |
| Microsoft Exchange Server |
Windows |
Improves the performance of Microsoft Exchange servers when running along side App Control. Minimum Carbon Black App Control agent version to use this Rapid Config is 7.2.0. |
| Microsoft Office Protection |
Windows |
Improves security by watching for suspicious behavior by Microsoft Office apps, such as spawning of other applications or creating executable file types. |
| Microsoft SCCM |
Windows |
Approves software delivered via Microsoft SCCM. Optionally allows and promotes files you specify that are executed directly from SCCM distribution points. |
| Microsoft SQL Server | Windows |
Improves the performance of Microsoft SQL servers when running alongside App Control. Minimum Carbon Black App Control agent version to use this Rapid Config is 7.2.0. |
| Microsoft Teams | Windows |
Approve Updates to Microsoft Teams. |
| Mimikatz Protection | Windows |
Protect against Mimikatz based attacks on Windows systems. Mimikatz is a credential abuse tool effective at retrieving cleartext passwords, NTLM hashes, Kerberos Ticket Granting Tickets (TGT) and more. Developed by Benjamin Delpy to illustrate flaws within the Windows Authentication subsystem, it is a tool frequently used by malicious actors due to its reliability and efficiency. Several successful attacks leverage or mimic Mimikatz to dump credentials from memory, enabling actors to move laterally across systems using legitimate credentials - undetected. Minimum Carbon Black App Control agent version to use this Rapid Config is 8.1.0. |
| Powershell Protection | Windows |
Improve security by watching for suspicious executions of Powershell.exe. Minimum Carbon Black App Control agent version to use this Rapid Config is 8.0.0. |
| Ransomware Protection |
Windows |
Protect against ransomware by reporting or blocking modification to files typically targeted by ransomware. |
| Reconnaissance and Exfiltration Protection |
Windows |
Protect against reconnaissance and exfiltration of files. |
| Script Processors |
Windows |
Improves the security of computers by ensuring that script processors only run from expected locations. Minimum Carbon Black App Control agent version to use this Rapid Config is 8.0.0. See Script Rules for more information on the definition and control of scripts. |
| Self-Service Approvals | Windows |
Provides a folder from which normal end-users can approve the execution of unapproved files even when in high enforcement. For more details on the benefits of this Rapid Config see this document: https://community.carbonblack.com/docs/DOC-4162. Minimum Carbon Black App Control agent version to use this Rapid Config is 7.2.0. |
| SolarWinds-Sunburst Protection |
Windows |
Prevent exploitation of the SolarWinds breach. You can see details of the Sunburst attack here: https://community.carbonblack.com/t5/Threat-Research-Docs/TAU-TIN-SolarWinds-SUNBURST-Solarigate-Incident/ta-p/98346. In additon to this Rapid Config, the 'Reconnaissance and Exfiltration Protection' Rapid Config can provide protection against the SolarWinds breach. |
| Suspicious Application Protection | Windows |
Reports or prevents execution of Microsoft applications that are rarely used and can be used maliciously. |
| Suspicious Command Line Protection A-M | Windows |
Reports or prevents behavior by common applications that is suspicious based on command line. |
| Suspicious Command Line Protection N-Z | Windows |
Reports or prevents behavior by common applications that is suspicious based on command line. |
| Suspicious Parent-Child Protection | Windows |
Reports or prevents behavior by common applications that is suspicious based on parent-child relationships. |
| Visual Studio |
Windows |
Approves Visual Studio builds and ignores intermediate build files. |
| VMware App Volumes Protection |
Windows |
Prevents attackers from impersonating or writing to VMware App Volumes AppStacks while still allowing writable areas to be modified. |
| VMware Workspace ONE |
Windows |
Approve software distributed by VMware Workspace ONE. |
| Windows App Store |
Windows |
Approves Windows App Store installs and updates to specified directories. |
| Windows Hardening |
Windows |
Improves security of machines running Microsoft Windows. |
| Windows Installer Embedded File Protection |
Windows |
Protect against exploiting Windows installers by embedding malicious content in them. |
| WMI Protection | Windows |
Protects against Windows Management Instrumentation (WMI) exploitation on windows systems. Minimum Carbon Black App Control agent version to use this Rapid Config is 8.0.0. |
For Carbon Black App Control and VMware Carbon Black EDR tamper protection configurations, your options are to enable or disable them and select the policies to which they are applied; no other changes can be made. Other Rapid Configs allow or require you to provide other parameters, such as paths and processes, that will specify how they work.
