You can specify two processes in a memory rule. Use the Target Process for processes you want the rule to restrict, monitor, or allow access to. Use the Source Process for processes requesting access to the Target Process.
When you specify the Target Process in a memory rule, you have options for defining the string for that field. You can use these options when you select one of the two Source Process options that require entry of a path ( Specific Process... or Any Process Except ...). These options are:
|Specify a directory or a process
|You can enter a process specification that exactly identifies a file by path and name so that only that file matches the rule. You also can enter a specification that identifies a directory, and so affects processes running from files in that directory and its subdirectories.
|Specify a local drive or UNC path
|You can identify a process by using a local drive name, such as C:\folder1\subfolder\application.exe. You also can enter a remote process by using a UNC path, such as \\computer\dir\application.exe. Mapped drives in a path or process specification are not recognized.
|You can use wildcards (‘?’ for any one character and ‘*’ for zero or more characters) to expand the scope of a process specification or help you match a file or folder whose exact location you don’t know. Wildcards may be used at the beginning, end, or middle of a path.
|You can use special Carbon Black App Control macros to identify certain well known folders in the Microsoft Windows environment, even if you don’t know their exact location on all agent computers.
|Specify multiple paths or processes
|You can add more than one process path definition per rule.