You can use the Carbon Black App Control console to view and select the parameters for a Rapid Config, which you apply to a policy.

On the console menu, select Rules > Software Rules and click the Rapid Configs tab.

Figure: The list of Rapid Configs provided in the Carbon Black App Control release you installed.

Initially, this page shows the list of Rapid Configs built into the Carbon Black App Control release you installed. The following table lists the Rapid Configs available when this publication was completed. If you have automatic cloud update enabled or install a later release, you might see more Rapid Configs, and some of the Rapid Configs listed here might have changed.

Table 1. Rapid Configs

| Configuration | Platform | Description |
|---|---|---|
| Browser Protection | Windows | Reports or prevents browsers from performing potentially malicious operations. |
| Carbon Black App Control Server Tamper Protection | Windows | Protects the Carbon Black App Control Server from tampering. Disabled by default, but enabling it is recommended for extra protection; it can be disabled later if necessary for troubleshooting. Tamper protection for the Carbon Black App Control agent is built in and on by default; this Rapid Config provides tamper protection for the server. |
| Carbon Black EDR Tamper Protection | Windows | Protects the VMware Carbon Black EDR sensor from tampering. If you have both the Carbon Black App Control agent and the VMware Carbon Black EDR sensor installed on endpoints, enabling it provides extra protection. |
| Cryptomining Protection | Windows | Reports or prevents potentially malicious behavior related to file-based cryptomining attacks. Requires Carbon Black App Control agent 8.0.0 or later. |
| Delivery Optimization | Windows | Approves files written by the Delivery Optimization Service (DoSvc). Not needed for agents running version 8.1 and later, which automatically approve files written by the Delivery Optimization Service. Requires Carbon Black App Control agent 7.2.0 or later. |
| Domain Controller Logon Scripts | Windows | Allows and promotes all files under the Sysvol and NetLogon directories of specified domain controllers if the machine is a member of the specified domain. |
| Doppelganger Protection | Windows | Protects against the exploit known as Doppelganging on Windows systems. Reference: https://community.carbonblack.com/docs/DOC-11212. Requires Carbon Black App Control agent 8.0 P7 or later. |
| Linux Hardening | Linux | Improves the security of computers running Linux by reporting or blocking modification of critical Linux system files. |
| Linux System Performance | Linux | Improves the performance of computers running Linux by ignoring writes of specified files or by specified processes. |
| Microsoft Edge | Windows | Approves updates to Microsoft Edge. |
| Microsoft Exchange Server | Windows | Improves the performance of Microsoft Exchange servers running alongside App Control. Requires Carbon Black App Control agent 7.2.0 or later. |
| Microsoft Office Protection | Windows | Improves security by watching for suspicious behavior by Microsoft Office apps, such as spawning other applications or creating executable file types. |
| Microsoft SCCM | Windows | Approves software delivered via Microsoft SCCM. Optionally allows and promotes files you specify that are executed directly from SCCM distribution points. |
| Microsoft SQL Server | Windows | Improves the performance of Microsoft SQL servers running alongside App Control. Requires Carbon Black App Control agent 7.2.0 or later. |
| Microsoft Teams | Windows | Approves updates to Microsoft Teams. |
| Mimikatz Protection | Windows | Protects against Mimikatz-based attacks on Windows systems. Mimikatz is a credential abuse tool effective at retrieving cleartext passwords, NTLM hashes, Kerberos Ticket Granting Tickets (TGTs) and more. Developed by Benjamin Delpy to illustrate flaws within the Windows authentication subsystem, it is frequently used by malicious actors because of its reliability and efficiency. Several successful attacks leverage or mimic Mimikatz to dump credentials from memory, enabling actors to move laterally across systems using legitimate credentials, undetected. Requires Carbon Black App Control agent 8.1.0 or later. |
| Powershell Protection | Windows | Improves security by watching for suspicious executions of Powershell.exe. Requires Carbon Black App Control agent 8.0.0 or later. |
| Ransomware Protection | Windows | Protects against ransomware by reporting or blocking modification of files typically targeted by ransomware. |
| Reconnaissance and Exfiltration Protection | Windows | Protects against reconnaissance and exfiltration of files. |
| Script Processors | Windows | Improves the security of computers by ensuring that script processors only run from expected locations. Requires Carbon Black App Control agent 8.0.0 or later. See Script Rules for more information on the definition and control of scripts. |
| Self-Service Approvals | Windows | Provides a folder from which normal end users can approve the execution of unapproved files even when in High Enforcement. For more details on the benefits of this Rapid Config, see https://community.carbonblack.com/docs/DOC-4162. Requires Carbon Black App Control agent 7.2.0 or later. |
| SolarWinds-Sunburst Protection | Windows | Prevents exploitation of the SolarWinds breach. Details of the Sunburst attack: https://community.carbonblack.com/t5/Threat-Research-Docs/TAU-TIN-SolarWinds-SUNBURST-Solarigate-Incident/ta-p/98346. In addition to this Rapid Config, the Reconnaissance and Exfiltration Protection Rapid Config can provide protection against the SolarWinds breach. |
| Suspicious Application Protection | Windows | Reports or prevents execution of Microsoft applications that are rarely used and can be used maliciously. |
| Suspicious Command Line Protection A-M | Windows | Reports or prevents behavior by common applications that is suspicious based on the command line. |
| Suspicious Command Line Protection N-Z | Windows | Reports or prevents behavior by common applications that is suspicious based on the command line. |
| Suspicious Parent-Child Protection | Windows | Reports or prevents behavior by common applications that is suspicious based on parent-child process relationships. |
| Visual Studio | Windows | Approves Visual Studio builds and ignores intermediate build files. |
| VMware App Volumes Protection | Windows | Prevents attackers from impersonating or writing to VMware App Volumes AppStacks while still allowing writable areas to be modified. |
| VMware Workspace ONE | Windows | Approves software distributed by VMware Workspace ONE. |
| Windows App Store | Windows | Approves Windows App Store installs and updates to specified directories. |
| Windows Hardening | Windows | Improves the security of machines running Microsoft Windows. |
| Windows Installer Embedded File Protection | Windows | Protects against exploitation of Windows installers through malicious content embedded in them. |
| WMI Protection | Windows | Protects against Windows Management Instrumentation (WMI) exploitation on Windows systems. Requires Carbon Black App Control agent 8.0.0 or later. |

For the Carbon Black App Control and VMware Carbon Black EDR tamper protection configurations, your only options are to enable or disable them and to select the policies to which they are applied; no other changes can be made. Other Rapid Configs allow or require you to provide additional parameters, such as paths and processes, that specify how they work.

Note: When you select the parameters for a Rapid Config, consider the potential number of matches and the volume of events those parameters could generate. This is especially true for the Windows Hardening and Browser Protection Rapid Configs. To test the event volume for a particular configuration, consider first enabling the Rapid Config for a policy with a small number of computers before applying it generally.