You can manually ban files that are reported in external notifications in much the same way you would ban any inventoried file. However, you can apply bans directly from the Action menu on the External Notification Details page, so you can ban malware identified in an external notification whether or not it has appeared on a Carbon Black App Control-managed endpoint.
- Click the View Details button next to the notification regarding the files you want to ban.
- On any of the Files tabs on the External Notification Details page, check the box to the left of each file that you want to ban.
- On the Action menu, select the ban type to apply to the checked files:
  - Select Ban Globally to ban the file for all computers. This creates the ban without requiring any further interaction.
  - Select Ban by Policy to customize the ban. This opens the Add File Rule page with partial information. On this page, you can select a fully functional ban or a Report Only ban, and you can choose specific policies to which the ban will apply. Report Only bans are useful if you want to monitor what an active ban would do before fully enabling it. When you have configured the ban, click Save.
The Action menu on the Files tab on the External Notification Details page includes the following choices for finding a file of interest:
- Find by Name
- Find by Size
- Find by Hash
The Files tab of the Software Rules page (Rules > Software Rules on the console menu) shows the bans that you have created. Bans that are created manually from an external notification are named with a prefix of “External_” followed by the file name.
Some External Notification pages allow you to ban the process that attempted to perform an action on an object on your systems, such as modifying a registry key or writing to a directory. You can ban those processes using the same procedure described here, except that the commands state Ban Process instead of Ban.