Create permission, blocking, and path denial rules to control what applications and behaviors the Carbon Black Cloud sensor prevents and allows in your environment.

For Standard and Advanced default policies, many settings are activated out-of-the-box.

Important: For standalone Carbon Black Cloud Enterprise EDR customers, the following policy rule options are limited:
  • The option for Runs or is running is selected and cannot be modified.
  • The option for Scan execute on network drives is selected and cannot be modified.

Using wildcards in paths

When adding a path, you can use wildcards to specify files or directories.

Wildcard: *
  Description: Matches 0 or more consecutive characters up to a single subdirectory level.
  Example: C:\program files*\custom application*.exe
  Approves any executable files in:
    C:\program files\custom application\
    C:\program files(x86)\custom application\

Wildcard: **
  Description: Matches a partial path across all subdirectory levels and is recursive.
  Example: C:\Python27\Lib\site-packages**
  Approves any files in that directory and all subdirectories.

Wildcard: ?
  Description: Matches 0 or 1 character in that position.
  Example: C:\Program Files\Microsoft Visual Studio 1?.0**
  Approves any files in the MS Visual Studio version 1 or versions 10-19.
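
As an added illustration (not VMware's code and not how the sensor itself matches paths), the following Python models the three wildcards described above so that you can preview which paths a candidate rule would cover before adding it to a policy. The function names, the case-insensitive matching, the choice that * and ? never match a path separator, and all patterns and sample paths are assumptions constructed for this example.

```python
import re

SEP = r"[\\/]"        # a path separator
NOT_SEP = r"[^\\/]"   # any character that is not a path separator

def wildcard_to_regex(pattern):
    """Compile a policy path into a regex using the wildcard rules above."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")             # recursive: crosses subdirectory levels
            i += 2
            continue
        ch = pattern[i]
        if ch == "*":
            parts.append(NOT_SEP + "*")    # 0+ characters within one level
        elif ch == "?":
            parts.append(NOT_SEP + "?")    # 0 or 1 character (assumed: not a separator)
        elif ch in "\\/":
            parts.append(SEP)
        else:
            parts.append(re.escape(ch))
        i += 1
    # Assumption: whole-path, case-insensitive match (Windows-style paths).
    return re.compile("".join(parts) + r"\Z", re.IGNORECASE)

def covered_paths(pattern, paths):
    """Return the paths, in order, that the pattern would cover."""
    rx = wildcard_to_regex(pattern)
    return [p for p in paths if rx.match(p)]

# Constructed sample paths, not taken from a real endpoint.
SAMPLE_PATHS = [
    r"C:\program files\custom application\app.exe",
    r"C:\program files(x86)\custom application\app.exe",
    r"C:\program files\custom application\plugins\helper.exe",
    r"C:\Python27\Lib\site-packages\pkg\mod.pyc",
    r"C:\Program Files\Microsoft Visual Studio 1.0\devenv.exe",
    r"C:\Program Files\Microsoft Visual Studio 14.0\VC\bin\cl.exe",
    r"C:\Program Files\Microsoft Visual Studio 140.0\devenv.exe",
]

if __name__ == "__main__":
    for rule in (r"C:\program files*\custom application\*.exe",
                 r"C:\program files*\custom application\**",
                 r"C:\Program Files\Microsoft Visual Studio 1?.0\**"):
        print(rule, "->", covered_paths(rule, SAMPLE_PATHS))
```

In this model the rule ending in \*.exe stops at one directory level, while the rule ending in \** also covers plugins\helper.exe. For rules with a Bypass action, the narrower form keeps less of the file system out of the sensor's view.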

Set Permission Policy Rules

Use permission rules to allow and log behavior, or to have the Carbon Black Cloud bypass a path entirely. Create permission rules to set up exclusions for other AV/security products or to remove impediments on software developers' workstations.

You can use operating system environment variables as part of a path in a policy rule. For example: %WINDIR%.

Procedure

  1. On the left navigation pane, click Enforce > Policies.
  2. Select a policy.
  3. Click the Prevention tab and expand Permissions.
  4. Click Add application path, or click the pencil icon next to an existing rule to edit it.
  5. Type the application path in the text box.
    When adding a path, you can use wildcards to specify files or directories. For an explanation of how wildcards work in policy paths, see Prevention Policy Settings. You can add multiple paths on separate lines. You can delete a rule by clicking the trash can icon.
  6. Select the desired Operation Attempt and Action attributes.
    Figure 1. Permissions Rule Attributes
  7. We recommend that you test a new rule's settings before you apply it in your environment. Click Test rule for any setting. The system checks to see how the rule would have affected your organization over the last 30 days. You can use this data to confirm or modify your settings.
  8. To apply the changes, select Confirm and click Save.

Set Blocking and Isolation Policy Rules

You can create or edit a blocking and isolation rule to deny or terminate processes and applications.

Procedure

  1. On the left navigation pane, click Enforce > Policies.
  2. Select a policy.
  3. Click the Prevention tab and expand Blocking and Isolation.
  4. Click Add application path, or click the Edit icon next to an existing rule to edit it.
    When adding a path, use wildcards to specify files or directories. For an explanation of how wildcards work in policy paths, see Prevention Policy Settings. You can add multiple paths. Each path must start on a new line. Do not separate paths with commas. You can delete a rule by clicking the Trash can icon. You cannot delete built-in rules such as Known malware or Suspected malware.
  5. Select the Deny operation or Terminate process attributes.
    Figure 2. Blocking and Isolation Attribute Options
    The blocking and isolation attribute options displaying the deny operation checkbox and the terminate process checkbox
    Note: If you set the action to Terminate process, you cannot concurrently deny the operation.
  6. Test a new rule's settings before applying it in your environment. Click Test rule for any setting. The system checks to see how the rule would have affected your organization over the last 30 days. You can use this data to confirm or modify your settings.
  7. To apply the changes, click Confirm and then click Save.

USB Device Blocking

You can control access to USB storage devices, for example by blocking access to all unapproved USB devices.

Note: USB device blocking is only available for Windows 3.6+ and macOS 3.5.3+ sensors.

Procedure

  1. On the left navigation pane, click Enforce > Policies.
  2. Select the policy.
  3. Click the Prevention tab and expand USB Device Blocking.
  4. Turn on blocking by selecting Block access to all unapproved USB devices.
  5. Optionally copy the same setting to all policies or to a specific policy by clicking Copy setting to other policies. Click Copy.
  6. To apply the changes, click Save.

Upload Paths

You can deny or allow sensors to send uploads from specific paths.

When adding a path, you can use wildcards to specify files or directories. For an explanation of how wildcards work in policy paths, see Prevention Policy Settings.

Procedure

  1. On the left navigation pane, click Enforce > Policies.
  2. Click the Prevention tab and expand Uploads.
  3. Type the application path into one of the text boxes:
    • To prevent the sensor from sending uploads from the path, type the path into the No Upload text box.
    • To allow the sensor to send uploads from the path, type the path into the Upload text box.
    You can add multiple paths. Each path must start on a new line. Do not separate with commas.
  4. Click Save.

Set Antivirus Exclusion Rules

Use this procedure to create AV exclusion rules, including those specific to various endpoint platforms.

Note: Some security vendors may require a trailing asterisk (*) to signify all directory contents.

Procedure

  1. On the left navigation pane, click Enforce > Policies.
  2. Select the policy.
  3. Click the Prevention tab and expand Permissions.
  4. Click Add application path.
  5. Enter the file and folder exclusions that the AV security vendor recommends.
  6. Set the operation attempt Performs any API operation to Bypass.
  7. To apply the changes, click Confirm and then click Save.