You can create permission, blocking, and path denial rules.

Important: For standalone Enterprise EDR customers, the following policy rule options are limited:
  • The option for "Runs or is running" is selected and cannot be modified.
  • The option for "Scan execute on network drives" is selected and cannot be modified.

Using wildcards in paths

When adding a path, you can use wildcards to target certain files or directories.

Wildcard: *
Description: Matches 0 or more consecutive characters up to a single subdirectory level.
Example: C:\program files*\custom application\*.exe
Matches any executable files in:
  • c:\program files\custom application\
  • c:\program files(x86)\custom application\

Wildcard: **
Description: Matches a partial path across all subdirectory levels and is recursive.
Example: C:\Python27\Lib\site-packages**
Matches any files in that directory and all subdirectories.

Wildcard: ?
Description: Matches 0 or 1 character in that position.
Example: C:\Program Files\Microsoft Visual Studio 1?.0**
Matches any files in the MS Visual Studio version 1 or versions 10-19.

Set Permission Policy Rules

Use permission rules to allow and log behavior, or to have the Carbon Black Cloud bypass a path entirely. Create permission rules to set up exclusions for other AV/security products or to remove impediments for software developers' workstations.

Operating system environment variables can be used as part of a policy rule in a path. For example: %WINDIR%.

Note: You can Copy a Policy from one policy to another policy, or to all policies.

Procedure

  1. On the left navigation pane, click Enforce > Policies.
  2. Select a policy, and open Prevention > Permissions category.
  3. Click Add application path, or click the pencil icon next to an existing rule to edit it.
  4. Type the application path in the text box.
    You can add multiple paths, delete paths or use wildcards. When adding multiple paths, each path must start on a new line. Do not separate with commas. You can delete a rule by using the trash can icon.
  5. Select the desired Operation Attempt and Action attributes.
  6. To apply the changes, select Confirm and click Save.

Set Blocking and Isolation Policy Rules

Create or edit a blocking and isolation rule to deny or terminate processes and applications.

Procedure

  1. On the left navigation pane, click Enforce > Policies.
  2. Select a policy and open the Prevention > Blocking and Isolation category.
  3. Click Add application path, or click the pencil icon next to an existing rule to edit it.
    If you are adding an application path, use wildcards to create flexible policy rules. You can add multiple paths separated by commas. You can delete a rule by clicking the trash can icon.
  4. Select the desired Operation Attempt and Action attributes.
    If you set the action to Terminate process, you cannot concurrently deny the operation.
  5. To apply the changes, select Confirm and click Save.

USB Device Blocking

You can control access to USB storage devices, for example by blocking access to all unapproved USB devices.

Note: USB device blocking is only available for Windows 3.6+ and macOS 3.5.3+ sensors.

Procedure

  1. On the left navigation pane, click Enforce > Policies.
  2. Open the Prevention > USB Device Blocking category.
  3. Turn on blocking by selecting Block access to all unapproved USB devices.
  4. Copy the same setting to all policies or to a specific policy by clicking Copy setting to other policies.
  5. To apply the changes, select Copy and click Save.

Upload Paths

You can deny or allow the deployed sensors to send uploads from specific paths.

When adding a path, you can use wildcards to target certain files or directories.

Wildcard: *
Description: Matches 0 or more consecutive characters up to a single subdirectory level.
Example: C:\program files*\custom application\*.exe
Matches any executable files in:
  • c:\program files\custom application\
  • c:\program files(x86)\custom application\

Wildcard: **
Description: Matches a partial path across all subdirectory levels and is recursive.
Example: C:\Python27\Lib\site-packages**
Matches any files in that directory and all subdirectories.

Wildcard: ?
Description: Matches 0 or 1 character in that position.
Example: C:\Program Files\Microsoft Visual Studio 1?.0**
Matches any files in the MS Visual Studio version 1 or versions 10-19.

Procedure

  1. On the left navigation pane, click Enforce > Policies.
  2. Open the Prevention > Uploads category.
  3. Type the application path into one of the text boxes:
    • To prevent the sensor from sending uploads from the path, use the No Upload text box.
    • To allow the sensor to send uploads from the path, use the Upload text box.
  4. Click Save.

Set Antivirus Exclusion Rules

You can create antivirus (AV) exclusion rules, including those specific to various endpoint platforms.

To run as usual, other AV products require custom rules.

If you use other security products, create the following exclusions for the Carbon Black Cloud sensor:

Windows folders:
  • C:\Program Files\Confer\
  • C:\ProgramData\CarbonBlack\

Windows files:
  • C:\Windows\System32\drivers\ctifile.sys
  • C:\Windows\System32\drivers\ctinet.sys
  • C:\Windows\System32\drivers\cbelam.sys
  • C:\Windows\system32\drivers\cbdisk.sys
  • C:\windows\system32\CbAMSI.dll
  • C:\windows\system32\ctiuser.dll
  • C:\windows\syswow64\CbAMSI.dll
  • C:\windows\syswow64\ctiuser.dll
  • C:\Windows\Syswow64\ctintev.dll
  • C:\Program Files\Confer\BladeRunner.exe
  • C:\Program Files\Confer\CbNativeMessagingHost.exe
  • C:\Program Files\Confer\RepCLI.exe
  • C:\Program Files\Confer\RepMgr.exe
  • C:\Program Files\Confer\RepUtils.exe
  • C:\Program Files\Confer\RepUx.exe
  • C:\Program Files\Confer\RepWAV.exe
  • C:\Program Files\Confer\RepWmiUtils.exe
  • C:\Program Files\Confer\RepWSC.exe
  • C:\Program Files\Confer\Uninstall.exe
  • C:\Program Files\Confer\VHostComms.exe
  • C:\Program Files\Confer\Blades\LiveQuery\osqueryi.exe
  • C:\Program Files\Confer\scanner\scanhost.exe
  • C:\Program Files\Confer\scanner\upd.exe

macOS:
  • /Applications/Confer.app/
  • /Applications/VMware Carbon Black Cloud
  • /Library/Application Support/com.vmware.carbonblack.cloud/
  • /Library/Extensions/CbDefenseSensor.kext

Linux:
  • /var/opt/carbonblack/
  • /opt/carbonblack/

Note: Some security vendors may require a trailing asterisk (*) to signify all directory contents.

Procedure

  1. On the left navigation pane, click Enforce > Policies.
  2. Open the Prevention > Permissions category.
  3. Select the policy to update and click Add application path.
  4. Enter the AV's recommended file/folder exclusions from the security vendor.
  5. Set the operation attempt Performs any operation to Bypass.
  6. To apply the changes, click Confirm and Save.