CB Protection: How To Enable Windows Installer Embedded File Protection Using Custom Rules

Article ID: 285754

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

The Windows Installer Embedded File Protection Rapid Config is available to customers running 8.0.0 patch 7 and higher. For customers unable to upgrade to patch 7 at this time, the solution below can be used to import custom rules for the same functionality.

Environment

  • CB Protection Server: 8.0.0 Patch 3 - 8.0.0 Patch 6

Resolution

  1. Download the .rules file from this link: https://sflinks.carbonblack.com/CkgUvNrDlmo/
  2. In the CB Protection Console, navigate to Rules > Software Rules > Custom
  3. Click on the Import Rules button
  4. Choose the file downloaded in the first step
  5. Check the box in front of the rule named "Report execution of jar files identified as Installers"
  6. Click on Import
  7. After importing, the rule will appear at the top of the list.
  8. Make sure to enable the rule in this list so that it takes effect.

Additional Information

Information on the Rapid Config can be found here:
https://community.carbonblack.com/t5/Documentation-Downloads/Windows-Installer-Embedded-File-Protection-Rapid-Config/ta-p/67075

The post from Threat Research can be found here:
https://community.carbonblack.com/t5/Threat-Research-Docs/TAU-TIN-Java-Embedded-MSI-files/ta-p/66446