Memory Rules let you protect a process from being accessed or altered by other processes or users.

When a rule matches your criteria, you can:
  • Block read, write, or execution access to a matching process.
  • Report on access.
  • Prompt the user on the agent system to deny or allow access.
There are advanced options for special cases.

If in-memory malicious attack occurs on a system protected by the Carbon Black App Control Agent, a properly configured memory rule can prevent that attack from spreading to other processes, or accessing information in other processes. Memory rules limit the vulnerability of a protected computer. They can also protect specific applications or processes from termination, or other manipulation by users or malicious code.

You can view a list of memory-rule-related events, including blocked actions caused by memory rules. Navigate to the Reports > Events page and select Memory from the Saved Views drop-down menu.

Important: There are two built-in rules named Tamper Protection, ranked 1 and 2 by default, that help protect agent computers. Do not edit, disable, or reorder these rules unless instructed to do so by Carbon Black Support.

Check the description field for any rule before you consider modifying it.

You can set the memory rules as centrally managed for multiple servers through the Unified Management feature. For details, see Unified Management of Multiple Servers.

You can also export memory rules from one server and import them to another. To perform these action, navigate to the Software Rules > Memory tab. For details, see Exporting and Importing Rules.