The following table describes File Rule parameters.

Table 1. File Rule Parameters

Field

Description

Rule Name

Text description of the files to be approved or banned. This can be a file name or other identifying information to help you manage the rule (the rule is created even if you do not enter a name).

This is name for the rule only. Entering a file name here does not create a filename-based rule.

Rule Type

Choices are Approval, Ban, and Ban (Report Only).

Source

(Read Only)

The source type of the most recent modification of the rule. This can indicate how it was created or a later change. The possible values are: Manual (all manual or from Action menu commands), Trusted Directory, Reputation, Imported (from an uploaded list of files), External (API), Event Rule, Rapid Configs, Unified Management, and Unknown. Appears after the rule is created.

Source Name

(Read Only)

The name or additional description for the source of the most recent modification of the rule. This will either be Carbon Black Installation, Trusted Directory (Deleted), or a rule name. Manual, Imported, and Unified Management rules do not have a Source Name.

Type (Bans Only)

To ban a file, you must know the name of the file or its hash (data signature). If you select Name, you can enter a path so that the rule only applies to a file in a particular location. Approvals are always by hash, so the Type field does not appear for them. Name bans must be platform-specific.

File Name (Bans Only)

Displays only for bans, and only if you chose File Name as Type. Name of the file and its extension. For example, msblast.exe.

Specify a directory path if you want to ban only matching files in a particular location. If you use a path, files with the same name that appear in any other directory are not subject to the name ban.

If you enter a path, be sure to use the correct directory delimiters, and to use only characters and formats legal for paths in the chosen platform. The Carbon Black App Control Server does not convert paths between platforms. Linux file names are usually case sensitive.

Platform (Ban by Name Only)

Displays only for bans, and only if you chose File Name as Type. Platform for which this rule is effective (macOS, Linux, or Windows). Name bans must be platform-specific.

Hash Type

Cipher algorithm used to create the hash to approve or ban. If you paste a value, the choices are MD5, SHA-1, and SHA-256. Rules created from a file table or details page use SHA-256, if available.

Hash Value

Hash (data signature) for the file. Hashes not yet seen by this Carbon Black App Control Server can be used in rules.

To locate hashes for files already found on your computers, you can use the File Catalog or Find Files pages.

Description

Optional text to further describe the file approval or ban.

This information is displayed in the File Rules table in the Description column (if visible).

Rule Applies To

Policies for which the approval is enforced:

  • Select All policies to approve or ban the file for all computers.
  • Select Specified policies to select which policies apply the rule. When you click this button, a list of policies displays, each with a check box. You also can use the checkbox at the top of the list to select or deselect all check boxes, but you cannot create a rule that applies to no policies.

History

(Read Only)

Shows when and by whom the rule was created and last changed. Also shows the CL version (that is, the version of Carbon Black App Control rules) in which the current version of the rule is present, which can be used to determine whether the rule is present on an agent.