Managing ABExclusion Rules

Article ID: 286459

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Steps to add or remove ABExclusions in the environment.

Environment

  • App Control Console: All Supported Versions
  • App Control Windows Agent: All Supported Versions
  • App Control Linux Agent: Version 8.7.16+
  • App Control macOS Agent: Version 8.9.0+

Cause

  • ABExclusion Rules are adjusted to reduce the data from Events, Files, or both that is sent back to the Server.
  • This can reduce network traffic, Server load, and help reduce database growth.

Resolution

CAUTION!

  • Malformed or incomplete ABExclusions could cause Agents to stop sending data for all Events, Files (or both).
  • ABExclusions should only be used when specifically instructed by Support.
  • Where possible, it may be better to adjust the Custom Rule so that it does not send Events or File Data.

 

ABExclusion Formatting:

  • Each exclusion follows the pattern:
    PathNames;FileNames;ProcessNames;Hashes;UserNames;PublisherNames;HostGroups;eventSubtype;requiredReportABFlags;prohibitedReportABFlags;exclusionFlags
  • Always specify exclusionFlags, so that a malformed or incomplete ABExclusion does not result in no Event/File Data being sent.
  • Every field (except Flags and Event Subtype) can be a comma-delimited list of strings.
  • Multiple ABExclusions are separated by the pipe character (|), for example:
    ;????????.???.ps1,*-????-????-????-*.ps1,__psscriptpolicytest_*.???.ps1;;;;;;;;;3|;;;;;Microsoft Corporation,Microsoft Windows;;;;E0;7

Adding or Removing ABExclusions:

  1. Log in to the Console and navigate to https://ServerAddress/support.php > ABExclusions
  2. Use the Exclusion Filters to add the relevant exclusion pattern for the Event, File, or Process.
  3. From the Add Filter dropdown, choose Exclusion Flags.
  4. Check either: Exclude Files, Exclude Events, or both.
  5. Click Add Rule.
  6. In the top grey bar, confirm the new rule has been added, and is formatted correctly.
    • If correct, click Save.
    • If incorrect, click Reset.

Additional Information

  • Some examples of popular ABExclusions:
  • When specifying a directory in an AB Exclusion:
    • FolderName\ will only apply to that specific folder.
    • FolderName\* will apply to all subfolders, but not to the specific folder FolderName\.
    • To cover both the specific folder and all subfolders, add exclusions for both FolderName\ and FolderName\*, for example:
      TheDirectory\,TheDirectory\*;;TheProcess.exe;;;;;;;;3
  • The maximum length for ABExclusion is 2048 characters. To confirm the length, the following SQL query can be executed:
    USE das;
    SELECT * FROM dbo.config_list (nolock) WHERE data LIKE '%exclude_abs_new%' ORDER BY version DESC;
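
The formatting rules, the folder notes and the 2048-character limit above can be checked offline before a string is pasted into the Console. The linter below is an added example, not vendor code. It assumes fields are split on plain ";" and "|" with no escaping, and the names lint, parse_rule and CONSTRUCTED_BAD are hypothetical:

```python
# Added example: offline linter for an ABExclusion string (not vendor code).
FIELDS = ["PathNames", "FileNames", "ProcessNames", "Hashes", "UserNames",
          "PublisherNames", "HostGroups", "eventSubtype",
          "requiredReportABFlags", "prohibitedReportABFlags", "exclusionFlags"]
MAX_LEN = 2048  # maximum ABExclusion length stated in the article


def parse_rule(rule):
    """Split one exclusion into a dict keyed by the article's field names."""
    parts = rule.split(";")  # assumption: no escaping of ';' inside values
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))


def lint(exclusions):
    """Return a list of findings for a pipe-separated ABExclusion string."""
    findings = []
    if len(exclusions) > MAX_LEN:
        findings.append(f"length {len(exclusions)} exceeds {MAX_LEN}")
    for n, rule in enumerate(exclusions.split("|"), start=1):
        try:
            fields = parse_rule(rule)
        except ValueError as err:
            findings.append(f"rule {n}: {err}")
            continue
        if not fields["exclusionFlags"].strip():
            findings.append(f"rule {n}: exclusionFlags is empty")
        # Folder\ covers only the folder itself, Folder\* only its subfolders.
        paths = {p.strip() for p in fields["PathNames"].split(",") if p.strip()}
        for p in sorted(paths):
            if p.endswith("\\*") and p[:-1] not in paths:
                findings.append(f"rule {n}: note: {p} does not cover {p[:-1]} itself")
            elif p.endswith("\\") and p + "*" not in paths:
                findings.append(f"rule {n}: note: {p} does not cover its subfolders")
    return findings


# Strings taken from the article; both lint clean.
ARTICLE_RULES = (";????????.???.ps1,*-????-????-????-*.ps1,__psscriptpolicytest_*.???.ps1"
                 ";;;;;;;;;3|;;;;;Microsoft Corporation,Microsoft Windows;;;;E0;7")
ARTICLE_DIR_RULE = "TheDirectory\\,TheDirectory\\*;;TheProcess.exe;;;;;;;;3"
# Constructed input: rule 1 has empty flags and a subfolder-only path,
# rule 2 is truncated to 10 fields.
CONSTRUCTED_BAD = "C:\\Temp\\*;;build.exe;;;;;;;;|;;;;;Microsoft Corporation;;;;E0"

if __name__ == "__main__":
    for label, s in [("article", ARTICLE_RULES), ("directory", ARTICLE_DIR_RULE),
                     ("constructed", CONSTRUCTED_BAD)]:
        print(label, lint(s) or "OK")
```

The folder findings are notes rather than errors, since covering only the folder or only its subfolders can be intentional.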