Creating a File Creation Control Rule
search cancel

Creating a File Creation Control Rule

book

Article ID: 286602

calendar_today

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Steps to create a File Creation Control Rule using Events in the Console.

Environment

  • App Control Agent: All Supported Versions
  • App Control Console: All Supported Versions

Resolution

Step 1: Determine Matching Process and File Patterns:
  1. Log in to the Console and navigate to Reports > Events.
  2. Use the Filters or Saved Views to locate the matching Events, examples:
    • Saved View: New Files (Unapproved)  <and/or>
    • Filters: File Path > begins with:  <and/or>
    • Filters: Type > is > Discovery
  3. Verify the Description of the Events:
    • DiscoveredBy: [Kernel:Execute] or [IntegrityCheck] indicates the Agent did not observe the file being written, and an Execution Control Rule likely will be needed instead.
    • DiscoveredBy: [Kernel:Write] or [Kernel:Create] or [Kernel:Rename] indicates the Agent observed the Process writing the File.
  4. Use the Columns for Process, File Path, File Name and User to help create the File Creation Control Rule.

Step 2: Create the Custom Rule:
  1. Navigate to Rules > Software Rules > Custom > Add Custom Rule.
  2. Using the information determined in Step 1, create a Custom Rule using the following as an example:
    • Rule Name: Accounting Software Updater
    • Status: Enabled
    • Platform: Windows
    • Rule Type: File Creation Control
    • Write Action: Approve
      • If desired, uncheck Send Approval Event.
      • This may be beneficial if a File Creation Control (Approve) Rule is particularly "noisy" and the Events referencing the File Approval are not needed.
    • Path or File:  
      C:\Program Files (x86)\Acme Accounting, Inc\*.dll
    • Process:  
      C:\Program Files (x86)\Acme Accounting, Inc\AcmeUpdater.exe
    • User or Group: Local System
    • Policies: <relevant Policies where software is expected>
  3. Click Save & Exit.

Additional Information

  • File Creation Control rules instruct the Agent how to handle matching write operations.
  • Enable Advanced Rule Options to specify additional criteria, such as Process Publisher.
  • If the Discovery Events are only due to Kernel:Execute it's possible a Performance Optimization Rule or some other exclusion is instructing the Agent to ignore the write operations.
  • By default the Agent does not block write operations.
    • Unless a specific File Creation Control or File Integrity Control Rule has been created to block a matching write operation, there is no need to create a File Creation Control > Allow rule.
Powered by Wolken Software