Utilize IT Tools Allow list Feature
Article ID: 285318
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
How to utilize the IT Tools Allow list feature
Environment
- Carbon Black Cloud Console: All Versions
Resolution
- Navigate to the Reputation page.
- Click on the "Add" button.
- A modal pop-up window appears. Select "IT Tools" as the type.
- Files created by these processes (or processes in this path), will be given LOCAL_WHITE reputation
- Check the "Include all child processes" box if you would like files created by those child processes to also receive the LOCAL_WHITE reputation
Additional Information
- Drive letters and the following wildcards can be used when specifying the IT Tools path:
| Wildcard | Description | Example |
|---|---|---|
| * | Matches 0 or more consecutive characters up to a single sub-directory level. |
C:\program files*\custom application\*.exe Allow lists files created by any executable in c:\program files\custom application\ c:\program files(x86)\custom application\ |
| ** | Matches a partial path across all sub-directory levels and is recursive. |
C:\Python27\Lib\site-packages\** Allow lists files created by any executable in that directory and all subdirectories |
| ? | Matches 0 or 1 character in that position. |
C:\Program Files\Microsoft Visual Studio 1?.0\** Allow lists files created by any executable in the MS Visual Studio version 1 or versions 10-19 directories |
- The process that is defined as the IT Tool does NOT get the local approved reputation, only the files written to disk by that process are the ones that get the reputation update.
Feedback
Yes
No
Powered by
