You can control two types of action with a custom rule: Execute Action and Write Action. Execute Action is the action you want to take when there is a file execution attempt matching a rule. The Execute Action menu appears when the Operation choice is Execute or Execute and Write.
The following table shows the choices.

Menu Choice | Description |
---|---|
Default | Apply existing policy settings and other non-custom rules to file execution attempts matching this rule, and do not process other custom rules. |
Allow | Allow a file matching the rule to execute in the specified path, even if execution would otherwise be blocked. The promotion state (whether the file is treated as an installer) depends on the process attempting the action (e.g., if that process is promoted, the newly created process will also be promoted). |
Block | Prevent a file matching the rule from executing. When Block is chosen, the Use Policy Specific Notifier checkbox appears and is checked by default. You also can uncheck this box to choose a Custom Notifier to alert the user when the rule blocks an action. For more details, see Custom Rule Fields. |
Promote | Promote (treat as an installer) a file matching this rule. Even if a file is promoted, whether it can run or not depends on its existing file state and the Enforcement Level of the machine on which the execution is attempted. If the file is allowed to run, any files written by it will be locally approved unless already banned, and the written files also will be promoted if the process that wrote them attempts to execute them. |
Allow and Promote | Allow a file matching the Path or File specification to execute regardless of its state, and promote it (treat it as an installer). Files written by a file matching an Allow and Promote rule will be locally approved unless already banned. For more on choosing to trust execution of files by path name, see the section Trusted Paths. |
Prompt | Display a notifier dialog to users when an attempt is made to execute a file matching this rule. When Prompt is chosen, the Use Policy Specific Notifier checkbox appears and is checked by default. You also can uncheck this box to choose a Custom Notifier to alert the user when the rule blocks an action. For more details, see Custom Rule Fields. The user can Block execution, Allow execution (and locally approve the file if allowed), or Promote (and allow execution of) the file. The behavior for the choice the user makes is the same as the behavior if the rule itself specified Block, Allow, or Allow and Promote. If the user chooses Allow or Promote, subsequent actions that are identical to the one Allowed or Promoted are completed without prompting. Blocking or allowing execution from a Custom Rule prompt does not change the global approval or ban state. |
Report | Report (as an event) and allow execution of a file matching this rule, regardless of file state. |
Report Process Create | Report (as an event) creation of a process matching the file and path specified by this rule by the process specified by the rule. |
Block Silently | Prevent execution of a file when the execution conditions match this rule. Do not display a notifier, and do not generate a Carbon Black App Control event. |
Report Process Exit | Report (as an event) the exit of a process matching the file and path specified by this rule that was started by the process specified in the rule. |
Report Image Load | Report (as an event) loading of a DLL or EXE matching the file and path specified by this rule when loaded by the process specified in the rule. |

Write Action is the action to take when there is an attempt to create, modify or delete a file matching a rule. The Write Action menu appears on the Add/Edit Custom Rule page when the Operation choice is Write or Execute and Write.

Menu Choice | Description |
---|---|
Silence | For an action that matches this rule and one or more additional rules (built-in or user-created), prevent notifications, meters, and events without preventing enforcement of the other matching rule(s). For example, if another rule would ban or block an action, the ban or block is still effective. If an action matching a Silence rule would have displayed a prompt (allow or block) notifier, the action will be blocked. Available for Advanced and Expert rule types only. |
Default | Apply existing policy settings and non-custom rules when an attempt is made to write a file matching this rule. Do not process any other Custom Rules for matching files. |
Ignore | Do not track creation, modification or deletion of a file matching this rule. Although not tracked, files matching an ignore rule are still blocked from writing if the file state and Enforcement Level would normally enforce a block. Ignore does not stop rule processing. If a write attempt matches both an Ignore rule and another rule lower in rank, the second rule is processed. |
Track | Track creation, modification or deletion of a file matching this rule. This action allows creation of exceptions to Ignore rules. Appears only for Advanced and Expert rule types. |
Block | Prevent writing of a file matching this rule. This prevents file creations, file deletions and file modifications. When Block is chosen, the Use Policy Specific Notifier checkbox appears and is checked by default. You also can uncheck this box to choose a Custom Notifier to alert the user when the rule blocks an action. For more details, see Custom Rule Fields. |
Approve | Allow a file matching this rule to be created (written) and locally approve it if possible (if it is not banned globally or by policy). |
Approve as Installer | Allow a file matching this rule to be created (written) in the named directory, and locally approve and mark it as an installer if possible (i.e., if it is not banned globally or by policy). “Approve as installer” by a custom rule is a local and transient action only. It has no impact on any other instance of the file, and is not effective on this instance if the file is globally flagged as “Not an installer” because the initial state was overridden. The rule is effective if a file is marked as “Not an installer” because of the initial Carbon Black App Control analysis of the file. Use this option with caution since it allows a file to be identified by name as an installer without confirming the file hash. |
Prompt | Present users who attempt to write a file matching the rule with a notifier dialog letting them block or allow writing. When Prompt is chosen, the Use Policy Specific Notifier checkbox appears and is checked by default. You also can uncheck this box to choose a Custom Notifier to alert the user when the rule blocks an action. For more details, see Custom Rule Fields. If the user selects Approve on the notifier, the file is written, and if it is an executable, it is approved. Subsequent identical operations (i.e., the same file and path, not a different matching file) are approved without prompting. Note, however, that global bans by name or hash still control whether the file can be executed. |
Allow | Allow a file matching this rule to be created, modified, or deleted. This choice has no effect on the state of the file being written. |
Report | Report (as an event) writing of any file matching this rule, even if the file is not normally tracked by the Carbon Black App Control Server. This includes files not analyzed as executable and files that are not the first seen instance of a hash. |
Never Report | Never report actions matching this rule to the server. A record of the action will still be maintained on the agent. |