Creating an Execution Control (Allow) Rule

Article ID: 286534

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

This article gives the steps to create an Execution Control (Allow) Rule using Events in the Console. Some examples of when this can be beneficial include:

  • The file creation is not observed by the Agent.
  • The Agent is reporting Unanalyzed or Still Analyzing Events on the files.
  • Files are not signed (or incorrectly signed) by a Publisher.

Environment

  • App Control Agent: All Supported Versions
  • App Control Console: All Supported Versions

Resolution

Step 1: Determine Matching Process and File Patterns:

  1. Log in to the Console and navigate to Reports > Events.
  2. Use the Filters or Saved Views to locate the matching Events, for example:
    • Saved View: Blocked Files (All)  (and/or)
    • Filters: File Path > begins with:
  3. Use the Columns for Process, File Path, File Name and User to help create the Execution Control Rule.

Step 2: Create the Custom Rule:

  1. Navigate to Rules > Software Rules > Custom > Add Custom Rule.
  2. Using the information determined in Step 1, create a Custom Rule using the following as an example:
    • Rule Name: Accounting Software (Unanalyzed)
    • Status: Enabled
    • Platform: Windows
    • Rule Type: Execution Control
    • Write Action: Allow
    • Path or File: 
      C:\Program Files (x86)\Acme Accounting, Inc\*.dll
    • Process: 
      C:\Program Files (x86)\Acme Accounting, Inc\AcmeDashboard.exe
    • User or Group: Any User
    • Policies: <relevant Policies where software is expected>
  3. Click Save & Exit.
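
A dry run of the Step 2 example rule against event rows gathered in Step 1, as an added example (not part of the vendor article or the product): it shows which events the proposed Path and Process patterns would cover and which they would leave blocked. The event rows and function names are constructed, and the wildcard handling (`*` matches any run of characters, `?` one character, case-insensitive) is an assumption to confirm against the product documentation.

```python
import re

# Rule values copied from the Step 2 example.
RULE_PATH = r"C:\Program Files (x86)\Acme Accounting, Inc\*.dll"
RULE_PROCESS = r"C:\Program Files (x86)\Acme Accounting, Inc\AcmeDashboard.exe"

ACME = r"c:\program files (x86)\acme accounting, inc"
# Constructed sample rows shaped like the Process / File Path columns in Reports > Events.
EVENTS = [
    {"process": ACME + r"\acmedashboard.exe", "file_path": ACME + r"\ledger.dll"},
    {"process": ACME + r"\acmedashboard.exe", "file_path": ACME + r"\updater.exe"},
    {"process": r"c:\users\alice\downloads\setup.exe", "file_path": ACME + r"\report.dll"},
    {"process": ACME + r"\acmedashboard.exe",
     "file_path": r"c:\users\alice\appdata\local\temp\acme.dll"},
]

def wildcard_to_regex(pattern):
    """Assumed semantics: '*' = any run of characters, '?' = one character, case-insensitive."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)

def split_events(events, path_pattern, process_pattern):
    """Return (covered, missed): an event is covered only if BOTH patterns match in full."""
    path_re = wildcard_to_regex(path_pattern)
    proc_re = wildcard_to_regex(process_pattern)
    covered, missed = [], []
    for ev in events:
        hit = path_re.fullmatch(ev["file_path"]) and proc_re.fullmatch(ev["process"])
        (covered if hit else missed).append(ev)
    return covered, missed

if __name__ == "__main__":
    covered, missed = split_events(EVENTS, RULE_PATH, RULE_PROCESS)
    for ev in covered:
        print("ALLOWED BY RULE:", ev["process"], "->", ev["file_path"])
    for ev in missed:
        print("NOT COVERED    :", ev["process"], "->", ev["file_path"])
```

Rows reported as not covered are the ones to review before widening the rule: setting the Process field keeps the allow scoped to the expected application rather than to any process that touches the folder.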