You can use the Carbon Black App Control console to create, edit, or copy a registry rule.
When you create a registry rule, in addition to a name you need to provide the information shown in bold in the left column of the table below, and enter it on the Add Registry Rule page in the fields listed on the right:
General Description | Field on Add/Edit Registry Rule Page |
---|---|
If this/these source process(es)... | Process |
...and/or this/these user(s)... | User or Group |
...attempt to modify the Windows Registry at this/these location(s)... | Registry Path |
...on computers in this/these policy(ies)... | Rule applies to/Policies: |
...on computers reporting to this/these App Control server(s)... | Rule applies to/Servers (if Unified Management is enabled) |
...then this action should be taken. | Write Action |
* Additional actions and other options are available in Expert Mode. For more details, see Expert Rules.
For each of these fields, there could be multiple matching items, or the rule could specify all items in that class (for example, the rule applies to all users, or all policies, or all source processes).
Create Registry Rules
You create a Registry rule to block, report, allow, or prompt the user for a choice when there are attempts to write to the Windows Registry.
Prerequisites
- Make sure you are familiar with the custom rule fields in the Add Registry Rule page. For a description of each of the fields, see Registry Rule Fields.
- For information on setting a rank for a rule, see Rule Ranking.
Procedure
Edit a Registry Rule
Editing a Registry rule is very similar to creating one. If you have permission to edit the rule, you can edit any field, including the rule name.
Procedure
Results
For more details, see Unified Management of Rules.
Copy a Registry Rule
There is a Copy this rule command on the Edit Registry Rule page. This command makes copies of the rule on the same server. You might do this so that you can customize a sample rule while preserving the original settings as a template. It also allows you to make slightly different rules for different policies without having to manually provide all of the settings for each one.