App Control: How to Create a Command Line Macro in a Rule

Article ID: 286940

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

How to use a command-line macro in a custom rule

Environment

  • App Control Console: All Supported Versions

Resolution

There are 4 ways to use command-line conditions in Rules:
  1. Apply the rule only if the full command line matches the specified pattern (X).
    <CmdLine:X>
  2. Apply the rule only if the command line contains at least X + 1 arguments and argv[X] matches the pattern Y.
    <CmdLineArgumentIdx:X:Y>
  3. Apply the rule if any argument in the command line matches pattern X.
    <CmdLineAnyArgument:X>
  4. Apply the rule if the command line contains argument X and the argument immediately following X matches Y.
    <CmdLineArgumentName:X:Y>
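To make the four matching semantics concrete, the following is an added illustrative evaluator written for this article; it is not App Control's rule engine and does not reproduce its exact tokenisation. Assumptions made here: arguments are split with Python's shlex (POSIX quoting rules), argv[0] is the program and counts as an argument, and wildcard patterns (* and ?) are matched case-insensitively.

```python
import fnmatch
import re
import shlex

# Illustrative evaluator for the four App Control command-line macro forms.
# Constructed for this article; not the product's own engine.
MACRO_RE = re.compile(
    r"^<(CmdLine|CmdLineArgumentIdx|CmdLineAnyArgument|CmdLineArgumentName):(.+)>$"
)


def parse_macro(macro):
    """Split '<Kind:params>' into (kind, params tuple)."""
    m = MACRO_RE.match(macro.strip())
    if not m:
        raise ValueError(f"not a command-line macro: {macro}")
    kind, body = m.groups()
    if kind in ("CmdLine", "CmdLineAnyArgument"):
        return kind, (body,)
    # Two-parameter forms: index-or-name, then the pattern (pattern may contain ':')
    first, pattern = body.split(":", 1)
    return kind, (first, pattern)


def matches(pattern, value):
    # Wildcard match with * and ?; case-insensitive is an assumption here.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def macro_applies(macro, cmdline):
    """Return True if the macro's condition holds for the given command line."""
    kind, params = parse_macro(macro)
    # Assumption: POSIX-style splitting; argv[0] is the program itself.
    argv = shlex.split(cmdline)

    if kind == "CmdLine":
        # Whole command line must match the pattern.
        return matches(params[0], cmdline)

    if kind == "CmdLineArgumentIdx":
        idx = int(params[0])
        # Requires at least idx + 1 arguments so that argv[idx] exists.
        return len(argv) > idx and matches(params[1], argv[idx])

    if kind == "CmdLineAnyArgument":
        # Any single argument may satisfy the pattern.
        return any(matches(params[0], a) for a in argv)

    if kind == "CmdLineArgumentName":
        name, pattern = params
        # Find an argument equal to the name; the one right after it must match.
        for i in range(len(argv) - 1):
            if matches(name, argv[i]) and matches(pattern, argv[i + 1]):
                return True
        return False

    raise ValueError(kind)


if __name__ == "__main__":
    for macro, cmd in [
        ("<CmdLine:ping *-t*>", "ping  -t 10.0.0.1"),
        ("<CmdLineArgumentIdx:1:-t>", "ping -t 10.0.0.1"),
        ("<CmdLineAnyArgument:*.ps1>", "powershell -File run.ps1"),
        ("<CmdLineArgumentName:-File:*.ps1>", "powershell -File run.ps1"),
    ]:
        print(macro, "|", cmd, "->", macro_applies(macro, cmd))
```

When reading the output, note how `CmdLineArgumentIdx` counts argv[0]: `-t` in `ping -t 10.0.0.1` is index 1, and a command line with fewer than X + 1 arguments never matches, which is the check a rule author most often gets wrong.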

Additional Information

  • Wildcards may be used in cmdline macros. Inserting other macros inside cmdline macros is not supported.
  • Some CmdLine rules may not apply correctly unless there are two spaces after the command, like this:
    • Example:
      ping  -t
    • instead of:
      ping -t
  • This extra space may not be visible when viewing the rule, even if it is there.