This topic provides conceptual information about adding reputations to the approved list or banned list.
Using Wildcards in Paths
When adding a path, you can use wildcards to target certain files or directories.
|*||Matches 0 or more consecutive characters up to a single subdirectory level.||C:\program files*\custom application*.exe
Executable files in C:\program files\custom application\ or C:\program files(x86)\custom application\.
|**||Matches a partial path across all subdirectory levels and is recursive.||C:\Python27\Lib\site-packages**
Files in that directory and all its subdirectories.
|?||Matches 0 or 1 character in that position.||C:\Program Files\Microsoft Visual Studio 1?.0**
Files in the MS Visual Studio version 1 or versions 10-19.
Adding to the approved list approves the presence and actions of specified applications. Adding to the approved list is global in its effects and applies to all policies attached to a particular version of an application.
Use adding to the approved list for use cases such as: software deployment tools, executable installers, IDEs, compilers, script editors, and so on.
Carbon Black recommends that you routinely update your approved applications to account for new versions.
Benefits of Approving IT Tools and Certificates
- Minimized performance impact when IT tools drop large amounts of new code that are immediately executed.
- For IT tools, there will be no interference with new code execution. The dropped code is not blocked.
- For certs, there will be no blocking on initial execution of files that are signed with specific certificates.
- Adding to the approved list is not absolute to prevent exploitation. Deferred analysis of new code occurs in the background as it executes.
Reputations that Supersede Approved IT Tools and Certificates
- Company Black
- Company White
- Known Malware
- PUP Malware
- Suspect Malware
- Trusted White
Adding to the banned list prohibits the presence and actions of specified applications. Adding to the banned list is global in its effects.