Use the following table to get familiar with the fields available on the standard Add Custom Rule and Edit Custom Rule pages.

Column headings on the rule table page are shown when they differ from the Add/Edit page. For the Expert rule type fields, see Expert Rule Definitions.

Table 1. Custom Rule Fields

Field

Description

Rule Name

(Name in table)

Name by which this rule is identified. (Required)

Description

Additional information about the custom rule. This can be any text you choose to enter. (Optional)

Rank

(Table only)

The rank of this rule in order of evaluation. The rule ranked ‘1’ in the table is evaluated before the rule ranked ‘2’, and so on.

Status

Radio buttons that make this rule Enabled or Disabled. This allows you to create a rule that you use only at certain times, or to temporarily disable a rule without losing its definition.

Platform

Platform (Windows, Mac, or Linux) for which this rule is effective. Except for built-in “internal” rules, each custom rule is specific to a single platform.

Rule Type

The Rule Type choice changes other options and defaults on the Add/Edit Rule page to partially pre-configure rules for certain common scenarios. Options are File Integrity Control, Trusted Path, Execution Control, File Creation Control, Performance Optimization, Advanced and Expert. For descriptions and examples, see Custom Rule Types and Examples.

Execute Action

(Add/Edit page only)

The action to take when there is a file execution attempt matching this rule. The menu appears when the Operation choice is Execute or Execute and Write. See Table: Specifying Execute and Write Actions for options.

Write Action

(Add/Edit page only)

The action to take when there is an attempt to create, modify or delete a file matching this rule. The menu appears when Operation choice is Write or Execute and Write. See Table: Write Action Choices for options.

Action

(Rule table only)

The type of action the rule takes. The possible values include all of those shown for Execute Action and Write Action plus other actions made available in Advanced and Expert rules.

Operation

The type of operation the rule affects. Menu choices of Execute, Write, or Execute and Write appear for this field on the Create/Edit Rule page for an Advanced rule. Other operations are available for Expert rules.

Action (Legacy)

(Rule table only)

This column shows actions and operations for the rule as shown in the Action column in pre-8.1.6 versions, or it shows “Expert Action(s)” in cases where expert rule information was not previously shown.

This field is present strictly for continuity with older versions – you should use the separate Action and Operation columns for the most accurate description of the rule.

Send Approval Event

For Advanced rule types that specify Approve or Approve as Installer, when this box is checked (the default), an event is recorded when a file is approved because of the rule.

Use Policy Specific Notifier

If you choose Block or Prompt as the Action, this checkbox appears to the right of the Action choice and is checked by default. If the box is checked, when a custom rule blocks an action, the notifier that appears is the one specified for the Enable Custom (file and path) Rules setting in the policy for the computer on which the action was blocked. If not checked, you can choose a custom notifier from the Custom Notifier menu.

Custom Execute/Write Notifier

If you choose Block or Prompt as the Action, and check the Use Policy Specific Notifier box, this menu appears.

When Block is the Action, you can choose any notifier from the menu. The menu also includes a <none> option so that you can disable the notifier for this rule.

When Prompt is the Action, you can choose any notifier on the menu. However, Prompt rules must display a notifier, so there is no <none> choice in this case.

If you use Unified Management to create a rule that applies to more than one server, client servers use the default notifiers, even if a custom notifier is specified on the management server.

Path or File

(Path in table)

Path to which this rule applies. This can be a folder or a specific file. You can use a local path or a UNC path, but not mapped drives (for example, Z:\application). See Specifying Paths and Processes for details on specifying a path.

Process

This field allows you to limit the rule so that it is applied only when certain processes attempt to execute or write files matching the path specification. See Specifying Paths and Processes for details and Table: Specifying Processes for process menu options.

Process Exclusion

(Add/Edit page only)

This field allows you to specify one or more processes for which a File Integrity Control rule is not applied. For details, see Specifying Paths and Processes.

User or Group

The users or groups to which this rule applies. For details, see Specifying Users or Groups.

Rule Applies To: Servers

(Add/Edit page only)

Radio buttons allow you to apply the rule to the current server, All Servers or Selected Servers. If you choose Selected Servers, a checklist appears that includes the current server and all Carbon Black App Control servers managed by this server. In addition, policies for the servers you include appear in the Selected policies list.

This field appears only if Unified Management is configured on the server you are logged into.

Unified Server Source

(Table only)

If this is a unified rule, the name of the unified management server that created or copied the rule.

Rule Applies To: Policies

(Policy in the table)

Radio buttons allow you to apply the rule to All Current and Future Policies or Selected policies. If you choose Selected policies, a checklist of all policies on your Carbon Black App Control Server appears.

If Unified Management is configured on the server you are logged into, and if you applied the rule to additional servers, policies for all selected servers appear in this list.

Is Global

(Table only)

Indicates whether the rule applies to all policies (Yes) or only selected policies (No).

Rule Applies To: Override Permissions

(Add/Edit page only)

Radio buttons allow you to specify whether administrators on other servers can modify rules sent via Unified Management on their own server. The options are No Override, Partial Override (allows changing rank) and Full Override (allows editing and changing rank).

This field appears only if Unified Management is configured on the server you are logged into and this rule is applied to more than the current server in the Rule Applies To: Servers field.

History

For existing rules, a History panel on the Edit Rule page appears showing some or all of the following fields. In addition, these fields can be added as columns on the rules table page.

  • Created By – If the rule was created on this server, the user who created it. Rules created during server installation or upgrades show “System” in this field.
  • Date Created – If the rule was created on this server, when it was created.
  • Last Modified By – If the rule has been modified since creation or import, the user who modified it.
  • Date Modified – If the rule has been modified since creation or import, when it was modified.
  • CL Version – Rules created after server installation also show the CL (config list) number that first contained the rule so that you can compare an agent CL number to determine whether the agent has received the rule.
  • Imported – (In the table only) indicates whether the rule was imported (Yes/No).
  • Imported By – If the rule was imported to this server, the user who imported it.
  • Imported Date – If the rule was imported to this server, when it was imported.