Carbon Black App Control provides content-based inspection by using YARA rules, which enables more granular control of the security policy in your environment. YARA rules are descriptions of malware samples that can help you detect and classify malware in files. In a rule, the criteria for the rule is defined and tags are specified. When the rule is enabled, tags are assigned to files that meet the criteria for the rule.

With release 8.0 the open-source YARA tool was included in the product to help you inspect the content of files. Now with Server 8.9.0, to help approve and ban files, you can create YARA rules in your environment to use along with the native custom rules of Carbon Black App Control. Therefore, with content-based inspection you have more control and flexibility with your default deny security posture.

Note: YARA rules are available on Windows agents only.
You can use the pre-configured YARA rules, which help you to determine:
  • If a file is interesting and should be tracked, such as EXE and DLL files.
  • If a file is an installer and should be marked as such to help with subsequent file approvals.
  • A file classification, which allows arbitrary tags to be assigned based on the content.

You can define your own YARA rules and determine if existing files are rescanned. You can specify that the scan will begin immediately, or schedule it to begin later, which can reduce performance impact. New and modified files are automatically scanned.

You can download existing YARA rules from the internet to look for specific malware, tag it, and ban it. To help approve files which are developed and compiled in-house without being signed, you can look for unique information in the compiled file such as values in the portable executable header.

The following scenarios are examples of how Carbon Black App Control uses YARA rules.
  • YARA rules are used to identify installers. When Carbon Black App Control identifies an installer, it is easier to allow write approvals. For example, when a setup.exe is approved, anything that gets written by it is approved because setup.exe is an installer and has been identified as an installer. The usage of YARA rules makes the identification process easier.
  • YARA rules are used to detect and halt a ransomware attack. When the header of a file is identified as changing and being encrypted, the Ransomeware Protection Rapid Config is used to help prevent the attack.

For more information on YARA rules, see https://yara.readthedocs.io/en/stable/index.html.