The Carbon Black App Control Server can ban files or processes reported as part of a malware notification by external network security devices.
This can be done in several ways:
- Manual file bans of files reported in external notifications
- Registry Rules that ban certain processes that attempt access to registry keys, as reported in external notifications
- Custom Rules that ban activity in a directory reported in external notifications
- Event Rules that automatically ban files (or create report-only bans) when certain file-related events occur, in this case, due to external notifications
Registry, Custom, and Event rules can also be configured to report the actions they describe rather than banning them.
Note: Bans of MSI files should not rely on hashes reported by a third-party source. In addition, they should not use MD5 or SHA-1 hashes from any source. See Approvals and Bans of MSI Files by Hash for details.