App Control: How To Use Windows Path Macros in a Custom Rule
Article ID: 286573
Updated On:
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
How to properly match a Windows Path Macro in App Control against the Windows operating system.
Environment
- App Control Console: All Supported Versions
- App Control Windows Agent: All Supported Versions
Resolution
The Windows Path Macros in App Control will be expanded by the Agent according to either the CSIDL or KNOWNFOLDERID depending on the version of Windows the Agent is installed on.
- Windows Vista and later will use KNOWNFOLDERID.
- Older versions of Windows will use CSIDL.
Example: <CommonAppData>\Acme Accounting\*.dll • FOLDERID_ProgramData: C:\ProgramData\Acme Accounting\*.dll • CSIDL_COMMON_APPDATA: C:\Documents and Settings\All Users\Application Data\Acme Accounting\*.dll Example: <LocalAppData>\Acme Accounting\temp\*.log • FOLDERID_LocalAppData: C:\Users\<UserName>\AppData\Local\Acme Accounting\temp\*.log • CSIDL_LOCAL_APPDATA: C:\Documents and Settings\<UserName>\Local Settings\Application Data\Acme Account\temp\*.log
Additional Information
- Currently the use of Wildcards inside a Path Macro is not supported.
- Path Macros can only be used at the beginning of the specified Path (no other text before it).
- OnlyIf and Registry Macros can be used anywhere in the specified Path.
- The full list of Windows Path Macros can be found on VMware Docs > Server Documentation > relevant version > Custom Software Rules > Specifying Paths and Processes > Using Macros in Rules.
- Path Macros represent a directory and a delimiter (slash or backslash) will be added automatically if it is not added in the Path.
- If a Custom Rule is expected to be effective as soon as possible after a user logs on, do not use any of the Per User Macros, and do not specify a User Group in the Custom Rule. Rules that specify a username or SID are always active and won't be affected by this delay.
Feedback
Yes
No
Powered by
