Software Rules Order of Precedence
Article ID: 286498

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

What is the order of precedence for the different types of software rules in App Control?

Environment

  • App Control Console : All Supported Versions

Resolution


Note: Custom Rules, Hash-based Rules, and Trusted Users are different approval methods that run in parallel and can trigger at the same time.
  1. Custom Rules are pattern-based approval/block methods that rank in the following order:
    1. Tamper Protection built-in Rules
    2. Updaters and Rapid Configs built-in Rules
    3. User-created Custom Rules
    4. Internal Custom Rules (e.g., Block Executions of Unapproved or Banned Hashes)
  2. Hash-based Rules are approval/ban methods where a hash value is used to change the state of files:
    • Global/Local File Rules
    • Trusted Directory Rules
    • Reputation Approvals of Files or Publishers
    • Publisher and Certificates Rules
  3. Trusted Users is an approval method where the specified user or group SID is used to approve/allow files to run.

Additional Information

  • The ability to have multiple approval methods better ensures that files get approved and reduces the chance of unexpected blocks.
  • When multiple approvals trigger for the same file, agents may coalesce the data into one event to reduce noise.
  • For example: if a file is approved by both a Publisher and a Custom Rule, the agent will report a single event with subtype "File Approval by Publisher", but that event will also include the Custom Rule that approved it.
  • Within the Custom Rules there are out of the box internal rules that cannot be deleted.
  • User-created Custom Rules can be placed either above or below the internal rules.
  • One scenario may call for a Custom Rule to sit above the internal "Block banned files" or "Block unapproved files" and another scenario may call for it to be below.
  • If a file is Locally or Globally Approved, and an Execution Block Rule is created by the user to block the same file, then the file would be blocked.
  • The opposite is true as well: if a file is Locally or Globally Banned, and an Execution Allow Rule is created that sits above the internal "Block banned file hashes" rule, then the file will run.
  • This is so that user created rules can override the built in behavior of the App Control agent, if desired.
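The following is an added, constructed model (not App Control code) of the precedence described in the Resolution and the scenarios listed above: the hash-based state and Trusted User status are inputs, and the ordered Custom Rules are walked top to bottom with the first match deciding. The path prefix, rule names and sample files are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed model of the precedence this article describes: hash-based state is an
# input, Custom Rules are walked top to bottom and the first matching rule decides.
APPROVED, UNAPPROVED, BANNED = "approved", "unapproved", "banned"

@dataclass
class File:
    path: str
    hash_state: str               # APPROVED, UNAPPROVED or BANNED
    trusted_user: bool = False    # run by a Trusted User / group SID

@dataclass
class CustomRule:
    name: str
    action: str                   # "allow" or "block"
    matches: Callable[[File], bool]

# Internal rules that cannot be deleted; user rules may sit above or below them.
BLOCK_BANNED = CustomRule("Block banned file hashes", "block", lambda f: f.hash_state == BANNED)
BLOCK_UNAPPROVED = CustomRule("Block unapproved files", "block",
                              lambda f: f.hash_state == UNAPPROVED and not f.trusted_user)

def evaluate(rules: list, f: File) -> tuple:
    """Return (action, deciding rule). First match wins; a file that matches no
    rule (approved or trusted, and not blocked by a user rule) is allowed."""
    for rule in rules:
        if rule.matches(f):
            return rule.action, rule.name
    return "allow", "no custom rule matched"

# Hypothetical user-created rules keyed on an assumed path prefix.
in_tools = lambda f: f.path.lower().startswith("c:\\tools\\")
BLOCK_TOOLS = CustomRule("User: block C:\\Tools", "block", in_tools)
ALLOW_TOOLS = CustomRule("User: allow C:\\Tools", "allow", in_tools)

def scenarios() -> dict:
    """The four cases from the article, with constructed sample files."""
    approved = File("C:\\Tools\\a.exe", APPROVED)
    banned = File("C:\\Tools\\b.exe", BANNED)
    unapproved_trusted = File("C:\\Other\\c.exe", UNAPPROVED, trusted_user=True)
    return {
        "approved_but_user_block": evaluate([BLOCK_BANNED, BLOCK_UNAPPROVED, BLOCK_TOOLS], approved)[0],
        "banned_allow_above_internal": evaluate([ALLOW_TOOLS, BLOCK_BANNED, BLOCK_UNAPPROVED], banned)[0],
        "banned_allow_below_internal": evaluate([BLOCK_BANNED, BLOCK_UNAPPROVED, ALLOW_TOOLS], banned)[0],
        "unapproved_by_trusted_user": evaluate([BLOCK_BANNED, BLOCK_UNAPPROVED], unapproved_trusted)[0],
    }
```

Moving `ALLOW_TOOLS` from above to below the internal ban rule flips the banned file from "allow" to "block", which is the placement decision the article says depends on the scenario.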