You can control two types of action with a custom rule: Execute Action and Write Action. Execute Action is the action you want to take when there is a file execution attempt matching a rule. The Execute Action menu appears when the Operation choice is Execute or Execute and Write.

The following table shows the choices.

Table 1. Execute Action Choices

| Menu Choice | Description |
| --- | --- |
| Default | Apply existing policy settings and other non-custom rules to file execution attempts matching this rule, and do not process other custom rules. |
| Allow | Allow a file matching the rule to execute in the specified path, even if execution would otherwise be blocked. The promotion state (whether the file is treated as an installer) depends on the process attempting the action (e.g., if that process is promoted, the newly created process will also be promoted). |
| Block | Prevent a file matching the rule from executing. When Block is chosen, the Use Policy Specific Notifier checkbox appears and is checked by default. You can also uncheck this box to choose a Custom Notifier to alert the user when the rule blocks an action. For more details, see Custom Rule Fields. |
| Promote | Promote (treat as an installer) a file matching this rule. Even if a file is promoted, whether it can run or not depends on its existing file state and the Enforcement Level of the machine on which the execution is attempted. If the file is allowed to run, any files written by it will be locally approved unless already banned, and the written files also will be promoted if the process that wrote them attempts to execute them. |
| Allow and Promote | Allow a file matching the Path or File specification to execute regardless of its state, and promote it (treat it as an installer). Files written by a file matching an Allow and Promote rule will be locally approved unless already banned. For more on choosing to trust execution of files by path name, see the section Trusted Paths. |
| Prompt | Display a notifier dialog to users when an attempt is made to execute a file matching this rule. When Prompt is chosen, the Use Policy Specific Notifier checkbox appears and is checked by default. You can also uncheck this box to choose a Custom Notifier to alert the user when the rule blocks an action. For more details, see Custom Rule Fields. The user can Block execution, Allow execution (and locally approve the file if allowed), or Promote (and allow execution of) the file. The behavior for the choice the user makes is the same as the behavior if the rule itself specified Block, Allow, or Allow and Promote. If the user chooses Allow or Promote, subsequent actions that are identical to the one Allowed or Promoted are completed without prompting. Blocking or allowing execution from a Custom Rule prompt does not change the global approval or ban state. |
| Report | Report (as an event) and allow execution of a file matching this rule, regardless of file state. |
| Report Process Create | Report (as an event) creation of a process matching the file and path specified by this rule by the process specified by the rule. |
| Block Silently | Prevent execution of a file when the execution conditions match this rule. Do not display a notifier, and do not generate a Carbon Black App Control event. |
| Report Process Exit | Report (as an event) the exit of a process matching the file and path specified by this rule that was started by the process specified in the rule. |
| Report Image Load | Report (as an event) loading of a DLL or EXE matching the file and path specified by this rule when loaded by the process specified in the rule. |

Write Action is the action to take when there is an attempt to create, modify or delete a file matching a rule. The Write Action menu appears on the Add/Edit Custom Rule page when the Operation choice is Write or Execute and Write.

Table 2. Write Action Choices

| Menu Choice | Description |
| --- | --- |
| Silence | For an action that matches this rule and one or more additional rules (built-in or user-created), prevent notifications, meters, and events without preventing enforcement of the other matching rule(s). For example, if another rule would ban or block an action, the ban or block is still effective. If an action matching a Silence rule would have displayed a prompt (allow or block) notifier, the action will be blocked. Available for Advanced and Expert rule types only. |
| Default | Apply existing policy settings and non-custom rules when an attempt is made to write a file matching this rule. Do not process any other Custom Rules for matching files. |
| Ignore | Do not track creation, modification or deletion of a file matching this rule. Although not tracked, files matching an ignore rule are still blocked from writing if the file state and Enforcement Level would normally enforce a block. Ignore does not stop rule processing. If a write attempt matches both an Ignore rule and another rule lower in rank, the second rule is processed. |
| Track | Track creation, modification or deletion of a file matching this rule. This action allows creation of exceptions to Ignore rules. Appears only for Advanced and Expert rule types. |
| Block | Prevent writing of a file matching this rule. This prevents file creations, file deletions and file modifications. When Block is chosen, the Use Policy Specific Notifier checkbox appears and is checked by default. You can also uncheck this box to choose a Custom Notifier to alert the user when the rule blocks an action. For more details, see Custom Rule Fields. |
| Approve | Allow a file matching this rule to be created (written) and locally approve it if possible (if it is not banned globally or by policy). |
| Approve as Installer | Allow a file matching this rule to be created (written) in the named directory, and locally approve and mark it as an installer if possible (i.e., if it is not banned globally or by policy). “Approve as installer” by a custom rule is a local and transient action only. It has no impact on any other instance of the file, and is not effective on this instance if the file is globally flagged as “Not an installer” because the initial state was overridden. The rule is effective if a file is marked as “Not an installer” because of the initial Carbon Black App Control analysis of the file. Use this option with caution since it allows a file to be identified by name as an installer without confirming the file hash. |
| Prompt | Present users who attempt to write a file matching the rule with a notifier dialog letting them block or allow writing. When Prompt is chosen, the Use Policy Specific Notifier checkbox appears and is checked by default. You can also uncheck this box to choose a Custom Notifier to alert the user when the rule blocks an action. For more details, see Custom Rule Fields. If the user selects Approve on the notifier, the file is written, and if it is an executable, it is approved. Subsequent identical operations (i.e., the same file and path, not a different matching file) are approved without prompting. Note, however, that global bans by name or hash still control whether the file can be executed. |
| Allow | Allow a file matching this rule to be created, modified, or deleted. This choice has no effect on the state of the file being written. |
| Report | Report (as an event) writing of any file matching this rule, even if the file is not normally tracked by the Carbon Black App Control Server. This includes files not analyzed as executable and files that are not the first seen instance of a hash. |
| Never Report | Never report actions matching this rule to the server. A record of the action will still be maintained on the agent. |
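The two tables can be turned into a review checklist for an existing rule set. The following Python sketch is an added example, not part of the product or its documentation: it checks each rule against the constraints stated above (which Operation exposes which menu, and which write actions need an Advanced or Expert rule) and flags actions that grant trust or reduce visibility. The rule fields (`name`, `operation`, `rule_type`, `execute_action`, `write_action`) and the sample rules are assumptions made for illustration and do not represent an App Control export format.

```python
# Added example; the rule fields below are hypothetical, not an App Control export format.
EXEC_OPS = {"Execute", "Execute and Write"}
WRITE_OPS = {"Write", "Execute and Write"}
ADVANCED_ONLY = {"Silence", "Track"}  # write actions limited to Advanced/Expert rules
# (kind, action) -> why a reviewer should look at it, taken from the two tables
REVIEW = {
    ("execute", "Allow"): "runs even if execution would otherwise be blocked",
    ("execute", "Report"): "allows execution regardless of file state",
    ("execute", "Promote"): "files written by the match are locally approved",
    ("execute", "Allow and Promote"): "runs regardless of state; written files approved",
    ("execute", "Block Silently"): "no notifier and no event",
    ("write", "Approve"): "locally approves the written file",
    ("write", "Approve as Installer"): "installer by name without confirming hash",
    ("write", "Silence"): "suppresses notifications, meters and events",
    ("write", "Ignore"): "writes are not tracked",
    ("write", "Never Report"): "action is never reported to the server",
}

def audit_rule(rule):
    """Return findings for one custom rule (a dict with the assumed fields)."""
    findings = []
    op = rule["operation"]
    for kind, ops in (("execute", EXEC_OPS), ("write", WRITE_OPS)):
        action = rule.get(kind + "_action")
        if action is None:
            continue
        if op not in ops:
            findings.append(f"invalid: {kind} action '{action}' with operation '{op}'")
        if kind == "write" and action in ADVANCED_ONLY and rule["rule_type"] not in ("Advanced", "Expert"):
            findings.append(f"invalid: '{action}' needs an Advanced or Expert rule")
        if (kind, action) in REVIEW:
            findings.append(f"review: {kind} '{action}': {REVIEW[(kind, action)]}")
    return findings

# Constructed sample rules; "OTHER-PLACEHOLDER" stands for any non-Advanced, non-Expert type.
RULES = [
    {"name": "build-tools", "operation": "Execute and Write", "rule_type": "Advanced",
     "execute_action": "Allow and Promote", "write_action": "Approve as Installer"},
    {"name": "temp-noise", "operation": "Write", "rule_type": "OTHER-PLACEHOLDER",
     "write_action": "Silence"},
    {"name": "block-scripts", "operation": "Execute", "rule_type": "Advanced",
     "execute_action": "Block"},
]

def audit(rules):
    return {r["name"]: audit_rule(r) for r in rules}

if __name__ == "__main__":
    for name, items in audit(RULES).items():
        print(name, items)
```

Execute and Write actions are keyed separately because several names (Allow, Block, Prompt, Report, Default) appear in both menus with different effects.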