Carbon Black App Control includes several pre-configured Script Rules. These are useful as examples when creating other rules.
Example: Windows Batch Scripts
Carbon Black App Control includes a script rule to identify and control executions of Windows batch scripts.
On the Scripts tab of the Software Rules page, you can click on the View Details icon next to the Batch rule to see how it is defined.
The Script Type field for the Batch rule includes two patterns – *.cmd and *.bat. Any file ending in either of these extensions will be identified as a batch script file, and will be tracked by Carbon Black App Control once discovered.
The Script Definition field shows Script Type and Process, so it is necessary to provide at least one pattern to match for the Script Process. In this case, there are two processes listed so that cmd.exe is identified as the processor for this script for both 32-bit and 64-bit systems.
When this rule is enabled, any time cmd.exe (in the locations shown) attempts to access a file with a .cmd or .bat extension, the agent will control execution based on the current approval state of the script file, the policy settings for the computer on which the execution attempt occurs, and any other rules affecting the files.
Because Rescan Computers is checked in this rule, as soon as the rule is enabled, all computers managed by this Carbon Black App Control Server will be rescanned, and any files matching the Script Type for the rule will be locally approved and added to the File Catalog and Files on Computers list.
Example: Linux Shell Scripts
The Carbon Black App Control Server includes a script rule to identify and control executions of native shell scripts on Linux computers.
On the Scripts tab of the Software Rules page, you can click on the View Details icon next to the Linux Shell rule to see how it is defined.
The Script Type field for the Linux Shell rule includes several patterns – *.sh, *.csh, *.zsh, *.ksh. Any file ending in one of these extensions will be identified as a shell script file, and will be tracked by the Carbon Black App Control Server once discovered.
The Script Definition field shows Script Type and Process, which is the only choice usable for Mac and Linux rules. The rule contains a long list of processes that support native script processing on the supported Linux platforms. If you choose, you can add or remove processors (or script types) for this rule.
When this rule is enabled, any time a listed processor, such as /bin/bash, attempts to access a file with a listed extension, such as .sh, the Carbon Black App Control Server will control execution based on the current approval state of the script file, the policy settings for the computer on which the execution attempt occurs, and any other rules affecting the files.
Because Rescan Computers is checked in this rule, as soon as the rule is enabled, all computers managed by this Carbon Black App Control Server will be rescanned, and any files matching the Script Type for the rule will be locally approved and added to the File Catalog and Files on Computers list.
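The following added example (not part of the product or its documentation) is a simplified model of the Script Type and Process definition described above, used to review which shells installed on a Linux host are missing from the rule's processor list. The script type patterns come from this page; the processor list beyond /bin/bash, the function names and the /etc/shells sample are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase

# Script Type patterns listed on this page for the Linux Shell rule.
SCRIPT_TYPES = ["*.sh", "*.csh", "*.zsh", "*.ksh"]
# Processor list: only /bin/bash is named on this page; the other entries
# are assumed. Replace with the list shown in your rule's View Details.
RULE_PROCESSES = ["/bin/bash", "/bin/sh", "/bin/csh", "/bin/ksh", "/bin/zsh"]

# Constructed sample of /etc/shells content from a managed host.
ETC_SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/usr/bin/bash
/bin/zsh
/usr/bin/fish
"""

def rule_applies(process, path):
    """Simplified model: the processor AND the file pattern must both match."""
    name = path.rsplit("/", 1)[-1]
    return process in RULE_PROCESSES and any(
        fnmatchcase(name, pattern) for pattern in SCRIPT_TYPES)

def uncovered_shells(etc_shells_text):
    """Return installed shells that the rule does not list as processors."""
    shells = [line.strip() for line in etc_shells_text.splitlines()
              if line.strip() and not line.lstrip().startswith("#")]
    return sorted(s for s in shells if s not in RULE_PROCESSES)

if __name__ == "__main__":
    # Constructed execution attempts, checked against the modelled rule.
    for proc, path in [("/bin/bash", "/opt/app/deploy.sh"),
                       ("/usr/bin/fish", "/opt/app/deploy.sh")]:
        print(f"{proc} -> {path}: rule applies = {rule_applies(proc, path)}")
    print("Shells to review for the processor list:",
          uncovered_shells(ETC_SHELLS))
```

Shells reported by `uncovered_shells` are candidates to add as processors in the rule, as described above.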