What Custom Rules Should Be Avoided

Article ID: 286747

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

What are some Custom Rule examples that should be avoided?

Environment

  • App Control Console: All Supported Versions

Resolution

  1. An Expert Rule with both the Execute operation and the Approve action causes a significant performance impact
    • Execute operations are stalled until the agent confirms the file is approved or allowed
    • The Approve action forces the agent to analyze the file, which is time consuming and CPU intensive
    • Combining Execute with Approve will significantly slow down any running application matching the rule
  2. Using the Execute Action "Allow and Promote" could unnecessarily elevate nested processes, which will cause unintended local approvals of files
    • Allow and Promote should not be used unless a very specific situation is encountered, such as a multi-layered software install where a parent process creates and executes a child process which then creates and executes another child process
  3. A File Creation rule, or an Expert Rule with Write/Modify operations, combined with a custom Yara Tag will cause poor performance and high CPU
    • A custom Yara Tag combined with a Write/Modify operation forces the agent to analyze a file before it has been written to disk
    • File Creation rules should only use the provided pre-built Yara Tags listed in the following doc
    • Custom Yara Tags should only be used within Execution control rules
  4. A File Creation rule, or an Expert Rule with Write/Modify operations, combined with a file properties Macro will cause poor performance and high CPU
    • A file properties Macro combined with a Write/Modify operation forces the agent to analyze the file before it has been written to disk
    • Macros on the list below should only be used in Execution control rules or Expert rules with Execute operations
'<Sha256:', '<CertIssuer:', '<CertSerial:', '<CertSHA1:', '<CertMD5:', '<OnlyIf:BuildAttributes:',
'<OnlyIf:BuildTime:', '<OnlyIf:PrivateBuild:', '<OnlyIf:SpecialBuild:', '<OnlyIf:Comments:', '<OnlyIf:Company:',
'<OnlyIf:Copyright:', '<OnlyIf:Description:', '<OnlyIf:FileType:', '<OnlyIf:FileVersion:', '<OnlyIf:Language:',
'<OnlyIf:Manufacturer:', '<OnlyIf:OriginalName:', '<OnlyIf:PackageCode:', '<OnlyIf:ProductName:', '<OnlyIf:ProductCode:',
'<OnlyIf:ProductVersion:', '<OnlyIf:TargetOS:', '<OnlyIf:UpgradeCode:', '<OnlyIf:AboutURL:', '<OnlyIf:HelpURL:', '<OnlyIf:UpdateURL:'
  5. Expert Rule using the Open/Read operations can hurt performance and should be avoided
    • Open/Read operations are generally not considered interesting by the agent
    • Open/Read operations can still be used in an Expert rule with the Ignore action
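The five anti-patterns above can be checked mechanically before a rule is saved to the console. The lint below is an added example, not part of this article or of the App Control product: the `Rule` representation (a name, a rule type, a set of operations, an action, a path that may contain a macro, and a list of Yara tags) is an assumption made for illustration and is not the console's export format, and the sample rules and the "pre-built" Yara tag names are constructed. The macro list is the one given above.

```python
"""Lint custom-rule definitions for the performance anti-patterns described
above.  The Rule shape and sample data are assumptions made for this example,
not the App Control console's own data model or export format."""
from dataclasses import dataclass, field

# File-properties macros from the list above: with Write/Modify operations
# they force the agent to analyze the file before it lands on disk.
FILE_PROPERTY_MACROS = (
    '<Sha256:', '<CertIssuer:', '<CertSerial:', '<CertSHA1:', '<CertMD5:',
    '<OnlyIf:BuildAttributes:', '<OnlyIf:BuildTime:', '<OnlyIf:PrivateBuild:',
    '<OnlyIf:SpecialBuild:', '<OnlyIf:Comments:', '<OnlyIf:Company:',
    '<OnlyIf:Copyright:', '<OnlyIf:Description:', '<OnlyIf:FileType:',
    '<OnlyIf:FileVersion:', '<OnlyIf:Language:', '<OnlyIf:Manufacturer:',
    '<OnlyIf:OriginalName:', '<OnlyIf:PackageCode:', '<OnlyIf:ProductName:',
    '<OnlyIf:ProductCode:', '<OnlyIf:ProductVersion:', '<OnlyIf:TargetOS:',
    '<OnlyIf:UpgradeCode:', '<OnlyIf:AboutURL:', '<OnlyIf:HelpURL:',
    '<OnlyIf:UpdateURL:',
)

WRITE_OPS = {"Write", "Modify"}
READ_OPS = {"Open", "Read"}


@dataclass
class Rule:
    """Assumed rule shape for this example (not the console's model)."""
    name: str
    rule_type: str            # "Expert" or "FileCreation" (assumed values)
    operations: set
    action: str               # e.g. "Approve", "Allow", "Allow and Promote", "Ignore", "Block"
    path: str = ""            # path pattern, may contain a macro such as <OnlyIf:ProductName:...>
    yara_tags: list = field(default_factory=list)


def lint_rule(rule, prebuilt_yara_tags=frozenset()):
    """Return the list of anti-pattern labels that apply to one rule."""
    findings = []
    ops = set(rule.operations)
    # A File Creation rule is by nature a write-path rule, so treat it as Write.
    if rule.rule_type == "FileCreation":
        ops |= {"Write"}

    # 1. Execute + Approve stalls execution until the file analysis completes.
    if "Execute" in ops and rule.action == "Approve":
        findings.append("execute-with-approve")
    # 2. Allow and Promote is only for the nested-installer case; flag it for review.
    if rule.action == "Allow and Promote":
        findings.append("allow-and-promote")
    if ops & WRITE_OPS:
        # 3. Write/Modify with a Yara tag that is not one of the pre-built tags.
        if any(tag not in prebuilt_yara_tags for tag in rule.yara_tags):
            findings.append("write-with-custom-yara-tag")
        # 4. Write/Modify with a file-properties macro in the path.
        if any(macro in rule.path for macro in FILE_PROPERTY_MACROS):
            findings.append("write-with-file-properties-macro")
    # 5. Open/Read operations are only acceptable with the Ignore action.
    if ops & READ_OPS and rule.action != "Ignore":
        findings.append("open-read-not-ignore")
    return findings


def lint_rules(rules, prebuilt_yara_tags=frozenset()):
    """Map each rule name to its findings (empty list means clean)."""
    return {r.name: lint_rule(r, prebuilt_yara_tags) for r in rules}


# Constructed sample data: pre-built tag names and rules are illustrative only.
PREBUILT_YARA_TAGS = frozenset({"PrebuiltTagA", "PrebuiltTagB"})
SAMPLE_RULES = [
    Rule("approve-on-exec", "Expert", {"Execute"}, "Approve", r"C:\Tools\*.exe"),
    Rule("promote-installer", "Expert", {"Execute"}, "Allow and Promote", r"C:\Installers\*.exe"),
    Rule("custom-yara-on-create", "FileCreation", set(), "Block", r"C:\Users\*\Downloads\*",
         yara_tags=["MyCustomTag"]),
    Rule("macro-on-write", "Expert", {"Write", "Modify"}, "Block",
         r"<OnlyIf:ProductName:ExampleProduct>\*.dll"),
    Rule("macro-on-exec", "Expert", {"Execute"}, "Allow",
         r"<CertIssuer:Example CA>\*.exe"),
    Rule("read-ignored", "Expert", {"Open", "Read"}, "Ignore", r"C:\Data\*"),
    Rule("read-blocked", "Expert", {"Open", "Read"}, "Block", r"C:\Data\*"),
]

if __name__ == "__main__":
    for name, found in lint_rules(SAMPLE_RULES, PREBUILT_YARA_TAGS).items():
        print(f"{name}: {', '.join(found) if found else 'ok'}")
```

Run against the constructed rules, only `macro-on-exec` and `read-ignored` come back clean: the file-properties macro is fine on an Execute operation, and Open/Read is fine with Ignore, which is exactly the distinction items 4 and 5 above draw.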