When you specify a path or a file in a Custom rule, you have several options for defining the string for that field. The same string options can be used for either of the two process options that require entry of a path (Specific Process... or Any Process Except ...).

The Definition for a Custom Rule with the Path or File field and the Process field highlighted

Option | Description
Specify a directory or a file/process | You can enter a path or process specification that exactly identifies a file by path and name so that only that file matches the rule. You also can enter a specification that identifies a directory, and so affects all files or processes in that directory and its subdirectories.
Specify a local drive or UNC path (Windows only) | You can use a local drive name, such as C:\folder1\subfolder\application.exe, to identify a local path or process. For a remote path or process, use a UNC path, such as \\computer\dir\application.exe. Mapped drives in a path or process specification are not recognized.
Use wildcards | You can use wildcards (‘?’ for any one character and ‘*’ for zero or more characters) to expand the scope of a path or process specification, or to help you match a file or folder whose exact location you don’t know. Wildcards may be used at the beginning, end or middle of a path.
Use macros | You can use special macros to identify certain well known folders, even if you don’t know their exact location on agent computers. Macros are platform-specific, and in the current release, most apply to Windows only.
Specify multiple paths or processes | For both paths and processes, you can add more than one path definition per rule.

Specifying a File or Directory

You can enter a directory or a specific file as your path. When you specify a directory, you are instructing the rule to operate on files in that directory and any of its subdirectories (unless there are higher-ranked rules specific to certain files or subdirectories).

To indicate that a Path or File definition or a Process definition is a directory, you must end it with the folder delimiter (slash or backslash) for the rule platform, or with the delimiter and an asterisk. If you do not include the delimiter, the rule attempts to match a file by the name you provided, not a directory. For example, either of the following correctly identifies a directory in a Windows path definition:
  • c:\folder1\subfolder2\
  • c:\folder1\subfolder2\*

However, c:\folder1\subfolder2 is not recognized as a directory.

If you use path macros in a path or process definition, the Carbon Black App Control Server automatically processes the macro so that it is treated as a directory, even if you don’t follow the macro with a backslash. For details, see Using Macros in Rules.

Platform-Specific Syntax

The path you provide for a rule is interpreted according to the path rules for the platform you choose for the rule.

  • The case sensitivity of paths and file names in rules usually depends on the operating system. Rules normally are not case sensitive for MacOS and Windows. They normally are case sensitive for Linux. However, if a file system with different case-sensitivity rules is attached to a system (for example, by connecting an external drive or mounting a network file system), the case sensitivity of the file system determines whether a rule is effective.
  • Path and file name case are preserved in the form you enter them, even for case insensitive platforms.
  • Paths must use the correct directory delimiter for the rule platform: forward slash (/) for MacOS and Linux and backslash (\) for Windows. Delimiters will not be converted if you change the platform for a rule, and you cannot enter the incorrect delimiter in a rule.
  • Paths must meet other requirements of the chosen platform, including not using characters that are illegal in that file system (e.g., no colons (:) in MacOS paths) and not exceeding length limits.
  • Any macros used in a path must be specific to the rule’s platform (for example, Windows, MacOS, or Linux).

Using Wildcards in Rules

You can use wildcard characters in the Path and Process fields. Asterisk (*) indicates zero or more characters and question mark (?) indicates one character. You can use wildcards to specify partial paths or multiple paths for directories that appear in different locations on different computers (although macros might be a more effective way to accomplish this – see Using Macros in Rules).

In most cases, wildcards are not allowed inside of macros. However, they are allowed in cmdline macros and in certain parts of OnlyIf macros. If you are using a metadata-based OnlyIf macro, you cannot use wildcards in paths within that macro. You can, however, use them in other parts of the macro, for example, to match a company name.

The number of wildcards in a path or process specification is not restricted. For example, you could define a path as: *\Win*\folder?\

Important: When you use wildcards, do not create a rule so broad that it will interfere with activity in a directory that is required for legitimate use by another application or the operating system. Do not use the asterisk wildcard by itself in the path field, especially with rules that block all executions or writes, unless you are certain it will not interfere with necessary operations on agent computers. Use similar caution with wildcards when creating exceptions to restrictions created by other rules.

Automatic Path Conversions

When a rule is processed, file paths in a process field undergo several automatic path conversions if they contain certain symbols:

  • Any path that ends with a backslash (Windows) or forward slash (MacOS and Linux) has the ‘*’ wildcard added at the end of the path.
  • Any path that has no slash or drive letter has "*\" (for Windows) or "*/" (for MacOS and Linux) added at the beginning of the path.
  • In Windows rules, drive letters may be used in a path as long as they are for local fixed volumes. Mapped drive letters should not be used because there is no guarantee that the mapping exists on all computers.
  • In Windows rules, the string "*:\" applies to all attached storage volumes except for floppy disks and CD/DVD-ROMs.
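The following added example (not Carbon Black App Control code) models the first two conversions and the wildcard rules so you can review a rule string before deploying it. The function names are hypothetical, macros are not handled, and two behaviours are assumptions: that ‘*’ may span directory delimiters, and the `too_broad` heuristic for specs made only of wildcards and delimiters.

```python
import re

DELIM = {"windows": "\\", "macos": "/", "linux": "/"}
CASE_INSENSITIVE = {"windows", "macos"}  # "normally", per Platform-Specific Syntax

def normalize(spec, platform="windows"):
    """Apply the two documented automatic conversions to a path spec."""
    d = DELIM[platform]
    has_drive = platform == "windows" and re.match(r"[A-Za-z*]:", spec)
    if d not in spec and not has_drive:
        spec = "*" + d + spec      # no slash or drive letter: any directory
    if spec.endswith(d):
        spec += "*"                # trailing delimiter: directory and below
    return spec

def to_regex(spec, platform="windows"):
    # Assumption: '*' may cross delimiters, because a directory rule is
    # documented to cover subdirectories. '?' is exactly one character.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in normalize(spec, platform))
    flags = re.IGNORECASE if platform in CASE_INSENSITIVE else 0
    return re.compile(body, flags | re.DOTALL)

def matches(spec, path, platform="windows"):
    """True if the normalized spec covers the whole path."""
    return to_regex(spec, platform).fullmatch(path) is not None

def too_broad(spec, platform="windows"):
    """Heuristic (assumption): spec is only wildcards, delimiters, colon."""
    return set(normalize(spec, platform)) <= {"*", "?", ":", DELIM[platform]}

if __name__ == "__main__":
    # Constructed sample rules and one constructed file path.
    target = r"C:\Folder1\subfolder2\tools\app.exe"
    for rule in (r"c:\folder1\subfolder2", "c:\\folder1\\subfolder2\\",
                 "app.exe", "*\\Win*\\folder?\\", "*", "*:\\"):
        print(f"{rule!r:28} -> {normalize(rule)!r:28} "
              f"match={matches(rule, target)} broad={too_broad(rule)}")
```

Running it shows that the spec without a trailing backslash matches only a file of that exact name, while `*` and `*:\` both expand to patterns that cover every path on the volume.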

Specifying Devices in Paths in Windows Rules

In Windows rules, you can create rules that apply to processes on some or all devices on the agent computer by including \device\ in the path. For example,
  • \device\*\ specifies all devices.
  • \device\harddisk*\ specifies attached storage volumes except for floppy disks and CD-ROMs.
  • \device\cdrom*\ specifies CD-ROM devices.