You can create permission, blocking, and path denial rules.
- The option for "Runs or is running" is selected and cannot be modified.
- The option for “Scan execute on network drives” is selected and cannot be modified.
Using wildcards in paths
When adding a path, you can use wildcards to target certain files or directories.
Wildcard | Description | Example |
---|---|---|
* | Matches 0 or more consecutive characters up to a single subdirectory level. | C:\program files*\custom application\*.exe matches any executable files in c:\program files\custom application\ and c:\program files(x86)\custom application\ |
** | Matches a partial path across all subdirectory levels and is recursive. | C:\Python27\Lib\site-packages\** matches any files in that directory and all subdirectories. |
? | Matches 0 or 1 character in that position. | C:\Program Files\Microsoft Visual Studio 1?.0\** matches any files in the MS Visual Studio version 1 or versions 10-19. |
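To review how much a path rule covers before saving it, the wildcard semantics in the table can be approximated offline against a file inventory. The following Python is an added example, not Carbon Black Cloud's own matcher; the function names, the case-insensitive matching, the choice that `?` and `*` never match a path separator, and the sample inventory are assumptions made here.

```python
import re

def rule_to_regex(rule):
    """Translate a path rule using *, ** and ? into an anchored regex."""
    parts, i = [], 0
    while i < len(rule):
        if rule.startswith("**", i):
            parts.append(r".*")        # any characters, across directory levels
            i += 2
        elif rule[i] == "*":
            parts.append(r"[^\\/]*")   # 0 or more characters within one level
            i += 1
        elif rule[i] == "?":
            parts.append(r"[^\\/]?")   # 0 or 1 character (not exactly 1)
            i += 1
        else:
            parts.append(re.escape(rule[i]))
            i += 1
    # Assumption: matching is case-insensitive, as on Windows file systems.
    return re.compile("".join(parts), re.IGNORECASE)

def covered(rule, paths):
    """Return the paths from an inventory that the rule would apply to."""
    rx = rule_to_regex(rule)
    return [p for p in paths if rx.fullmatch(p)]

# Constructed file inventory, based on the examples in the table.
PATHS = [
    r"c:\program files\custom application\app.exe",
    r"c:\program files(x86)\custom application\app.exe",
    r"c:\program files\custom application\plugins\helper.exe",
    r"C:\Python27\Lib\site-packages\pip\__main__.py",
    r"C:\Program Files\Microsoft Visual Studio 1.0\ide.exe",
    r"C:\Program Files\Microsoft Visual Studio 14.0\Common7\IDE\devenv.exe",
    r"C:\Program Files\Microsoft Visual Studio 9.0\ide.exe",
]
RULES = [
    r"C:\program files*\custom application\*.exe",
    r"C:\Python27\Lib\site-packages\**",
    r"C:\Program Files\Microsoft Visual Studio 1?.0\**",
]

if __name__ == "__main__":
    for rule in RULES:
        print(rule)
        for path in covered(rule, PATHS):
            print("    covers", path)
```

The third inventory entry is not covered by the first rule because `*` stops at the directory boundary; replacing it with `**` would widen the rule to every subdirectory.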
Set Permission Policy Rules
Use permission rules to allow and log behavior, or to have the Carbon Black Cloud bypass a path entirely. Create permission rules to set up exclusions for other AV/security products or to remove impediments for software developers' workstations.
Operating system environment variables can be used as part of a path in a policy rule. For example: %WINDIR%.
Procedure
Set Blocking and Isolation Policy Rules
You create or edit a blocking and isolation rule to deny or terminate processes and applications.
Procedure
USB Device Blocking
You can control access to USB storage devices, for example by blocking access to all unapproved USB devices.
Procedure
- On the left navigation pane, click .
- Open the category.
- Turn on blocking by selecting Block access to all unapproved USB devices.
- Copy the same setting to all policies or to a specific policy by clicking Copy setting to other policies.
- To apply the changes, select Copy and click Save.
Upload Paths
You can deny or allow the deployed sensors to send uploads from specific paths.
Wildcard | Description | Example |
---|---|---|
* | Matches 0 or more consecutive characters up to a single subdirectory level. | C:\program files*\custom application\*.exe matches any executable files in c:\program files\custom application\ and c:\program files(x86)\custom application\ |
** | Matches a partial path across all subdirectory levels and is recursive. | C:\Python27\Lib\site-packages\** matches any files in that directory and all subdirectories. |
? | Matches 0 or 1 character in that position. | C:\Program Files\Microsoft Visual Studio 1?.0\** matches any files in the MS Visual Studio version 1 or versions 10-19. |
Procedure
- On the left navigation pane, click .
- Open the category.
- Type the application path into one of the text boxes:
  - To prevent the sensor from sending uploads from the path, use the No Upload text box.
  - To allow the sensor to send uploads from the path, use the Upload text box.
- Click Save.
Set Antivirus Exclusion Rules
You can create antivirus (AV) exclusion rules, including those specific to various endpoint platforms.
To run as usual, other AV products require custom rules.
If you use other security products, create the following exclusions for the Carbon Black Cloud sensor:
| Windows folders | Windows files | macOS | Linux |
|---|---|---|---|
| C:\Program Files\Confer\ | C:\Windows\System32\drivers\ctifile.sys | /Applications/Confer.app/ | /var/opt/carbonblack/ |
| C:\ProgramData\CarbonBlack\ | C:\Windows\System32\drivers\ctinet.sys | /Applications/VMware Carbon Black Cloud | /opt/carbonblack/ |
| | C:\Windows\System32\drivers\cbelam.sys | /Library/Application Support/com.vmware.carbonblack.cloud/ | |
| | C:\Windows\system32\drivers\cbdisk.sys | /Library/Extensions/CbDefenseSensor.kext | |
| | C:\windows\system32\CbAMSI.dll | | |
| | C:\windows\system32\ctiuser.dll | | |
| | C:\windows\syswow64\CbAMSI.dll | | |
| | C:\windows\syswow64\ctiuser.dll | | |
| | C:\Windows\Syswow64\ctintev.dll | | |
| | C:\Program Files\Confer\BladeRunner.exe | | |
| | C:\Program Files\Confer\CbNativeMessagingHost.exe | | |
| | C:\Program Files\Confer\RepCLI.exe | | |
| | C:\Program Files\Confer\RepMgr.exe | | |
| | C:\Program Files\Confer\RepUtils.exe | | |
| | C:\Program Files\Confer\RepUx.exe | | |
| | C:\Program Files\Confer\RepWAV.exe | | |
| | C:\Program Files\Confer\RepWmiUtils.exe | | |
| | C:\Program Files\Confer\RepWSC.exe | | |
| | C:\Program Files\Confer\Uninstall.exe | | |
| | C:\Program Files\Confer\VHostComms.exe | | |
| | C:\Program Files\Confer\Blades\LiveQuery\osqueryi.exe | | |
| | C:\Program Files\Confer\scanner\scanhost.exe | | |
| | C:\Program Files\Confer\scanner\upd.exe | | |
Procedure
- On the left navigation pane, click .
- Open the category.
- Select the policy to update and click Add application path.
- Enter the file and folder exclusions that the AV product's security vendor recommends.
- Set the operation attempt Performs any operation to Bypass.
- To apply the changes, click Confirm and Save.