Using Wildcards in App Control
search cancel

Using Wildcards in App Control


Article ID: 286791


Updated On:


Carbon Black App Control (formerly Cb Protection)


This article provides guidance for wildcard usage in Custom Rules and how to verify wildcards in File or Process paths.


  • App Control Console: All Supported Versions
  • App Control Agent: All Supported Versions


Wildcards in Custom Rules

App Control recognizes the following wildcard characters:

  • Multiple Characters: *
    Example: C:\ProgramData\AccountingSoftware\*.dll
  • Single Character: ?
    Example: C:\ProgramData\AccountingSoftware\version??.??\*.dll
  • Ending a Path: Ending a path with a backslash will be recursive through all files, folders, and subfolders. The two paths in the example below would be identical
    Example One: C:\ProgramData\AccountingSoftware\
    Example Two: C:\ProgramData\AccountingSoftware\*
  • Specifying a Directory: App Control will treat any path that does not end with a backslash as a file name.
    Valid Directory: C:\ProgramData\AccountingSoftware\
    Not a Valid Directory: C:\ProgramData\AccountingSoftware
  • Using With Macros: Wildcards are not allowed in a Macro Condition, but can be used in a Macro Value.
    Macro Structure: <OnlyIf:Condition:Value>
    Example: <OnlyIf:Hostname:*FileServer0?>*\temp\*.txt

Verifying wildcards in File or Process paths:

Using the testpattern command it is possible to test a path as entered in the Custom Rule against an actual path on the endpoint. This command:

  • requires authentication with the Agent.
  • compares against an existing, full path on the machine.
  • entered using the following pattern:
    testpattern <Test Path> <Actual Path>
  1. Verify the relevant path in the Custom Rule.
  2. Log in to the endpoint and in a command prompt issue the following commands:
    • Windows:
      cd "C:\Program Files (x86)\Bit9\Parity Agent"
      dascli password GlobalCLIPassword
      dascli testpattern "C:\ProgramData\Acme Accounting\*.dll" "C:\ProgramData\Acme Accounting\math.dll"
    • macOS:
      cd "/Applications/Bit9/Tools"
      ./b9cli --password GlobalCLIPassword
      ./b9cli --testpattern "/Library/Application Support/Acme Accounting/*.sh" "/Library/Application Support/Acme Accounting/"
    • Linux:
      cd /opt/bit9/bin
      ./b9cli --password GlobalPassword
      ./b9cli --testpattern "/opt/Acme Accounting/*.sh" "/opt/Acme Accounting/"
  3. The Agent will expand the Test Pattern provided and return results similar to:
    Expanded Pattern: /opt/Acme Accounting/*.sh
    Normalized Filename: /opt/Acme Accounting/

Wildcards are not supported in:

  • Alert Criteria does not support wildcards. Instead, consider using Criteria such as, "begins with" or "contains".
  • The "User or Group" field in Custom Rules do not support wildcards. This field will map to an actual user or group on the computer or network.
  • Inside a Path Macro, each Path macro would have to be included. Examples:
    • Not Supported:
    • Supported:

Additional Information

  • System Variables (%username%) are not recognized by App Control.
  • The asterisk will be recursive through all directories and subdirectories.
  • Any path that has no slash or drive letter has "*\" (for Windows) or "*/" (for Mac and Linux) added at the beginning of the path.
  • Case Sensitivity of paths is dictated by the Operating System.
  • More information can be found in the User Guide chapter, "Custom Software Rules" found on VMware Docs > Server Documentation > User Guide.