App Control: What Custom Rules Should Be Avoided?
Article ID: 286747


Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

What are some Custom Rule examples that should be avoided?

Environment

  • App Control Console: All Supported Versions
  • App Control Agent: All Supported Versions

Resolution

  • Using the Expert Rule Type and specifying both the Execute and Approve actions will cause poor performance.
  • Using the Expert Rule Type and specifying YaraTags on any Write operation will cause poor performance.
  • Using the Execute Action "Allow and Promote" could unnecessarily elevate nested processes and cause unintended Local Approvals by the Agent.
  • Using any of the File Properties macros listed below on a Custom Rule with a Write action will cause high CPU usage:
    '<Sha256:', '<CertIssuer:', '<CertSerial:', '<CertSHA1:', '<CertMD5:', '<OnlyIf:BuildAttributes:',
    '<OnlyIf:BuildTime:', '<OnlyIf:PrivateBuild:', '<OnlyIf:SpecialBuild:', '<OnlyIf:Comments:', '<OnlyIf:Company:',
    '<OnlyIf:Copyright:', '<OnlyIf:Description:', '<OnlyIf:FileType:', '<OnlyIf:FileVersion:', '<OnlyIf:Language:',
    '<OnlyIf:Manufacturer:', '<OnlyIf:OriginalName:', '<OnlyIf:PackageCode:', '<OnlyIf:ProductName:', '<OnlyIf:ProductCode:',
    '<OnlyIf:ProductVersion:', '<OnlyIf:TargetOS:', '<OnlyIf:UpgradeCode:', '<OnlyIf:AboutURL:', '<OnlyIf:HelpURL:', '<OnlyIf:UpdateURL:'
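As an added example (not from this article or from the vendor), the checker below encodes the four anti-patterns above so that a rule set can be reviewed before it is deployed. The rule dictionaries are an assumed, simplified representation constructed for this example, not the console's real export format; the `name`, `rule_type`, `operations`, `execute_action`, `yara_tags` and `path` keys are assumptions.

```python
# Macros the article lists as expensive when used on a Write operation.
FILE_PROPERTY_MACROS = (
    "<Sha256:", "<CertIssuer:", "<CertSerial:", "<CertSHA1:", "<CertMD5:",
    "<OnlyIf:BuildAttributes:", "<OnlyIf:BuildTime:", "<OnlyIf:PrivateBuild:",
    "<OnlyIf:SpecialBuild:", "<OnlyIf:Comments:", "<OnlyIf:Company:",
    "<OnlyIf:Copyright:", "<OnlyIf:Description:", "<OnlyIf:FileType:",
    "<OnlyIf:FileVersion:", "<OnlyIf:Language:", "<OnlyIf:Manufacturer:",
    "<OnlyIf:OriginalName:", "<OnlyIf:PackageCode:", "<OnlyIf:ProductName:",
    "<OnlyIf:ProductCode:", "<OnlyIf:ProductVersion:", "<OnlyIf:TargetOS:",
    "<OnlyIf:UpgradeCode:", "<OnlyIf:AboutURL:", "<OnlyIf:HelpURL:", "<OnlyIf:UpdateURL:",
)

def check_rule(rule):
    """Return the anti-patterns one rule matches (empty list means clean).
    Rule layout is an assumed, simplified representation for this example."""
    findings = []
    expert = rule.get("rule_type") == "Expert"
    ops = set(rule.get("operations", []))      # e.g. {"Execute", "Write", "Approve"}
    path = rule.get("path", "")
    if expert and {"Execute", "Approve"} <= ops:
        findings.append("Expert rule with both Execute and Approve: poor performance")
    if expert and rule.get("yara_tags") and "Write" in ops:
        findings.append("Expert rule with YaraTags on a Write operation: poor performance")
    if rule.get("execute_action") == "Allow and Promote":
        findings.append("Allow and Promote may elevate nested processes / cause local approvals")
    if "Write" in ops:
        macros = [m for m in FILE_PROPERTY_MACROS if m.lower() in path.lower()]
        if macros:
            findings.append(f"Write rule uses file-property macro(s) {macros}: high CPU")
    return findings

def audit(rules):
    """Map rule name -> findings for every rule that has at least one finding."""
    return {r["name"]: check_rule(r) for r in rules if check_rule(r)}

# Constructed sample rule set; names, paths and rule types are made up.
SAMPLE_RULES = [
    {"name": "Build tools", "rule_type": "Expert", "operations": ["Execute", "Approve"],
     "path": "C:\\Build\\*"},
    {"name": "Installer watch", "rule_type": "Expert", "operations": ["Write"],
     "yara_tags": ["installer"], "path": "*\\Temp\\*"},
    {"name": "Updater", "rule_type": "File Creation Control", "operations": ["Write"],
     "path": "<OnlyIf:Company:Contoso>*\\update.exe"},
    {"name": "Vendor signed", "rule_type": "Execution Control", "operations": ["Execute"],
     "execute_action": "Allow", "path": "<CertIssuer:Contoso CA>*"},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        print(name, "->", "; ".join(findings))
```

The "Vendor signed" rule uses a file-property macro on an Execute-only rule, so it is not flagged; the same macro on a Write rule would be.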