What Custom Rules Should Be Avoided
Article ID: 286747

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

What are some Custom Rule combinations that should be avoided?

Environment

  • App Control Console: All Supported Versions

Resolution

  1. An Expert Rule with both the Execute operation and the Approve action causes a significant performance impact
    • Execute operations are stalled until the agent confirms the file is approved or allowed
    • The Approve action forces the agent to analyze the file, which is time-consuming and CPU intensive
    • Combining Execute and Approve therefore significantly slows down every running application that matches the rule
  2. Using the Execute action Allow and Promote can unnecessarily elevate nested processes, causing unintended local approvals of files
    • Allow and Promote should not be used unless a very specific situation is encountered, such as a multi-layered software install where a parent process creates and executes a child process, which in turn creates and executes another child process
  3. A File Creation rule or an Expert Rule with Write/Modify operations and a custom YARA Tag causes poor performance and high CPU
    • A custom YARA Tag combined with a Write/Modify operation forces the agent to analyze the file before it has been written to disk
    • File Creation rules should only use the provided pre-built YARA Tags (listed in the following doc)
    • Custom YARA Tags should only be used within Execution Control rules
  4. A File Creation rule or an Expert Rule with Write/Modify operations and a file properties Macro causes poor performance and high CPU
    • A file properties Macro combined with a Write/Modify operation forces the agent to analyze the file before it has been written to disk
    • The Macros in the list below should only be used in Execution Control rules or in Expert Rules with Execute operations
      '<Sha256:', '<CertIssuer:', '<CertSerial:', '<CertSHA1:', '<CertMD5:', '<OnlyIf:BuildAttributes:',
      '<OnlyIf:BuildTime:', '<OnlyIf:PrivateBuild:', '<OnlyIf:SpecialBuild:', '<OnlyIf:Comments:', '<OnlyIf:Company:',
      '<OnlyIf:Copyright:', '<OnlyIf:Description:', '<OnlyIf:FileType:', '<OnlyIf:FileVersion:', '<OnlyIf:Language:',
      '<OnlyIf:Manufacturer:', '<OnlyIf:OriginalName:', '<OnlyIf:PackageCode:', '<OnlyIf:ProductName:', '<OnlyIf:ProductCode:',
      '<OnlyIf:ProductVersion:', '<OnlyIf:TargetOS:', '<OnlyIf:UpgradeCode:', '<OnlyIf:AboutURL:', '<OnlyIf:HelpURL:', '<OnlyIf:UpdateURL:'
  5. An Expert Rule using the Open/Read operations can hurt performance and should be avoided
    • Open/Read operations are generally not considered interesting by the agent, so matching them adds cost without adding protection
    • Open/Read operations can still be used within an Expert Rule that names specific paths and uses the Ignore or Block action
  6. Using Authenticated Users within a Custom Rule can result in unnecessary rule expansion, increasing the overall rule count when multiple users are logged in simultaneously (e.g. RDS servers)
    • The Custom Rule expands into a separate rule for every user who is currently logged in
    • Custom Rules with multiple File or Process paths expand even further, because each path is expanded for every logged-in user
    • Authenticated Users provides little benefit over Any User in a Custom Rule, and a rule with Any User expands only once regardless of how many users are logged in
  7. Performance Optimization rules should avoid:
    • Adding processes that write interesting (executable) files with Any Path as the file path; instead, specify the exact non-interesting file extensions to exclude
    • Adding File Paths ending in a wildcard; instead, specify the exact non-interesting file extensions to exclude
    • Otherwise, these combinations can stop the agent from seeing the Create/Write of an executable file, which prevents the local approval of such files
    • When the agent first discovers such a file at execution time, it stalls the process and analyzes the file in-line, delaying the execute operation
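The seven combinations above can be checked mechanically before a rule set is pushed to agents. The following is an added example, not part of this article or of the App Control product: a small linter that applies each of the checks above to rules expressed as Python dictionaries. The dictionary layout (keys such as `type`, `operations`, `action`, `user`, `file_paths`, `process_paths`, `yara_tags`) and the built-in YARA tag names are assumptions for illustration, not the console's export format; the macro list is the one given in item 4.

```python
"""Lint App Control custom rules for the combinations this article says to
avoid.  Rule dictionaries are a constructed, hypothetical representation
(not the product's export format); tag and field names are assumptions."""

# File-properties macros that force pre-write analysis on Write/Modify rules
# (list taken from item 4 of the article).
PREWRITE_ANALYSIS_MACROS = (
    '<Sha256:', '<CertIssuer:', '<CertSerial:', '<CertSHA1:', '<CertMD5:',
    '<OnlyIf:BuildAttributes:', '<OnlyIf:BuildTime:', '<OnlyIf:PrivateBuild:',
    '<OnlyIf:SpecialBuild:', '<OnlyIf:Comments:', '<OnlyIf:Company:',
    '<OnlyIf:Copyright:', '<OnlyIf:Description:', '<OnlyIf:FileType:',
    '<OnlyIf:FileVersion:', '<OnlyIf:Language:', '<OnlyIf:Manufacturer:',
    '<OnlyIf:OriginalName:', '<OnlyIf:PackageCode:', '<OnlyIf:ProductName:',
    '<OnlyIf:ProductCode:', '<OnlyIf:ProductVersion:', '<OnlyIf:TargetOS:',
    '<OnlyIf:UpgradeCode:', '<OnlyIf:AboutURL:', '<OnlyIf:HelpURL:',
    '<OnlyIf:UpdateURL:')
WRITE_OPS = {"Write", "Modify"}
BUILTIN_YARA_TAGS = {"Executable", "Script", "MSI"}   # assumed names only


def _paths(rule):
    return list(rule.get("file_paths", [])) + list(rule.get("process_paths", []))


def lint_rule(rule):
    """Return a list of (code, message) findings for one rule dictionary."""
    findings = []
    ops, action, rtype = set(rule.get("operations", [])), rule.get("action", ""), rule.get("type", "")
    tags, paths, file_paths = rule.get("yara_tags", []), _paths(rule), rule.get("file_paths", [])
    # 1. Expert rule: Execute operation + Approve action stalls every matching launch.
    if rtype == "Expert" and "Execute" in ops and action == "Approve":
        findings.append(("EXEC_APPROVE", "Execute + Approve stalls matching launches for analysis"))
    # 2. Allow and Promote elevates nested child processes.
    if action == "Allow and Promote":
        findings.append(("ALLOW_PROMOTE", "Allow and Promote can locally approve files written by nested children"))
    # 3. Write/Modify + custom YARA tag analyses the file before it reaches disk.
    if ops & WRITE_OPS and any(t not in BUILTIN_YARA_TAGS for t in tags):
        findings.append(("WRITE_CUSTOM_YARA", "custom YARA tag on a Write/Modify rule forces pre-write analysis"))
    # 4. Write/Modify + file-properties macro has the same cost.
    if ops & WRITE_OPS:
        for p in paths:
            macro = next((m for m in PREWRITE_ANALYSIS_MACROS if m in p), None)
            if macro:
                findings.append(("WRITE_MACRO", f"{macro} macro on a Write/Modify rule forces pre-write analysis"))
    # 5. Open/Read in an Expert rule, unless scoped to specific paths with Ignore/Block.
    if rtype == "Expert" and ops & {"Open", "Read"}:
        scoped = bool(paths) and not any(p == "Any Path" or p.endswith("*") for p in paths)
        if not (scoped and action in {"Ignore", "Block"}):
            findings.append(("OPEN_READ", "Open/Read is not worth the cost unless path-scoped with Ignore/Block"))
    # 6. Authenticated Users expands the rule once per logged-in user (and per path).
    if rule.get("user") == "Authenticated Users":
        findings.append(("AUTH_USERS", f"expands to {len(paths) or 1} rule(s) per logged-in user; use Any User"))
    # 7. Performance Optimization rules must not hide executable writes.
    if rtype == "Performance Optimization" and any(p == "Any Path" or p.endswith("*") for p in file_paths):
        findings.append(("PERF_WILDCARD", "Any Path / wildcard can hide executable writes; list non-interesting extensions"))
    return findings


def lint_rules(rules):
    """Map rule name -> list of finding codes."""
    return {r["name"]: [code for code, _ in lint_rule(r)] for r in rules}


SAMPLE_RULES = [  # constructed examples, not a real policy
    {"name": "Approve on launch", "type": "Expert", "operations": ["Execute"], "action": "Approve",
     "user": "Any User", "file_paths": ["C:\\Tools\\*.exe"]},
    {"name": "Installer chain", "type": "Execution Control", "operations": ["Execute"],
     "action": "Allow and Promote", "user": "Any User", "process_paths": ["C:\\Setup\\setup.exe"]},
    {"name": "Tag build output", "type": "File Creation", "operations": ["Write"], "action": "Approve",
     "user": "Authenticated Users", "file_paths": ["C:\\Build\\*", "D:\\Build\\*"], "yara_tags": ["MyCompanySigned"]},
    {"name": "Trust by cert", "type": "Expert", "operations": ["Write", "Modify"], "action": "Approve",
     "user": "Any User", "file_paths": ["<CertIssuer:Example CA>"]},
    {"name": "Log readers", "type": "Expert", "operations": ["Open", "Read"], "action": "Ignore",
     "user": "Any User", "file_paths": ["C:\\Logs\\app.log"]},
    {"name": "Build noise", "type": "Performance Optimization", "operations": ["Write"], "action": "Ignore",
     "user": "Any User", "process_paths": ["C:\\Build\\msbuild.exe"], "file_paths": ["Any Path"]},
    {"name": "Build noise (fixed)", "type": "Performance Optimization", "operations": ["Write"], "action": "Ignore",
     "user": "Any User", "process_paths": ["C:\\Build\\msbuild.exe"], "file_paths": ["*.obj", "*.pdb"]},
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        for code, msg in lint_rule(rule) or [("OK", "no issues")]:
            print(f"{rule['name']:22} {code:18} {msg}")
```

The "Log readers" rule passes because it is the one sanctioned shape for Open/Read (specific path, Ignore action), and "Build noise (fixed)" passes because it lists the non-interesting extensions instead of Any Path. Running the script against a real export would need a small adapter from the console's format to these dictionaries.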