This topic provides conceptual information about adding reputations to the approved list or banned list.

Using Wildcards in Paths

When adding a path, you can use wildcards to target certain files or directories.

Note: Be as specific as possible when approving certificates, because wildcards can lead to inadvertently approving malicious software that appears to be signed by a trusted certificate authority.
Wildcard: *
Description: Matches 0 or more consecutive characters up to a single subdirectory level.
Example: C:\program files*\custom application\*.exe
Matches: Executable files in C:\program files\custom application\ or C:\program files(x86)\custom application\.

Wildcard: **
Description: Matches a partial path across all subdirectory levels and is recursive.
Example: C:\Python27\Lib\site-packages**
Matches: Files in that directory and all its subdirectories.

Wildcard: ?
Description: Matches 0 or 1 character in that position.
Example: C:\Program Files\Microsoft Visual Studio 1?.0**
Matches: Files in the MS Visual Studio version 1 or versions 10-19.
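The following added example (not Carbon Black code) models the three wildcards as described above so that a candidate path can be checked against known file paths before it is added, which makes over-broad matches visible. The function names, the sample paths, and the case-insensitive matching are assumptions; the patterns are the examples above with the directory separator written explicitly before the final wildcard.

```python
import re

def wildcard_to_regex(pattern):
    """Translate a path that uses *, ** and ? (as described above) into a regex."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")        # partial path across all subdirectory levels
            i += 2
        elif pattern[i] == "*":
            out.append(r"[^\\]*")   # 0 or more characters within one directory level
            i += 1
        elif pattern[i] == "?":
            out.append(r"[^\\]?")   # 0 or 1 character (assumed not to be a separator)
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    # Assumption: matching ignores case, as Windows paths do.
    return re.compile("".join(out), re.IGNORECASE)

def matches(pattern, path):
    return wildcard_to_regex(pattern).fullmatch(path) is not None

def audit(pattern, paths):
    """Return every path the pattern would cover, for review before approval."""
    return [p for p in paths if matches(pattern, p)]

APP = r"C:\program files*\custom application\*.exe"
SITE = r"C:\Python27\Lib\site-packages\**"
VS = r"C:\Program Files\Microsoft Visual Studio 1?.0\**"

# Constructed sample inventory, not taken from a real endpoint.
SAMPLE_PATHS = [
    r"C:\program files\custom application\app.exe",
    r"C:\Program Files (x86)\custom application\updater.exe",
    r"C:\program files\custom application\plugins\helper.exe",  # one level too deep for *
    r"C:\program files\custom application\readme.txt",
    r"C:\program files backup\custom application\tool.exe",     # sibling directory also covered
    r"C:\Python27\Lib\site-packages\pkg\sub\mod.py",
    r"C:\Program Files\Microsoft Visual Studio 14.0\Common7\IDE\devenv.exe",
    r"C:\Program Files\Microsoft Visual Studio 2.0\setup.exe",
]

if __name__ == "__main__":
    for pat in (APP, SITE, VS):
        print(pat)
        for hit in audit(pat, SAMPLE_PATHS):
            print("   covers:", hit)
```

In the sample inventory, `C:\program files*` also covers the unrelated `C:\program files backup` directory, which is the kind of unintended match to look for before approving a wildcard path.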

Approving Files

Adding to the approved list approves the presence and actions of specified applications. Adding to the approved list is global in its effects and applies to all policies attached to a particular version of an application.

Add applications to the approved list for use cases such as software deployment tools, executable installers, IDEs, compilers, script editors, and so on.

Carbon Black recommends that you routinely update your approved applications to account for new versions.

Benefits of Approving IT Tools and Certificates

  • Minimized performance impact when IT tools drop large amounts of new code that are immediately executed.
  • For IT tools, there will be no interference with new code execution. The dropped code is not blocked.
  • For certs, there will be no blocking on initial execution of files that are signed with specific certificates.
  • Adding to the approved list is not absolute, in order to prevent exploitation. Deferred analysis of new code occurs in the background as it executes.

Reputations that Supersede Approved IT Tools and Certificates

  • Company Black
  • Company White
  • Known Malware
  • PUP Malware
  • Suspect Malware
  • Trusted White

Banning Files

Adding to the banned list prohibits the presence and actions of specified applications. Adding to the banned list is global in its effects.