Using Command Line Exceptions
search cancel

Using Command Line Exceptions

book

Article ID: 288698

calendar_today

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

This article provides guidance on properly formatting a Command Line Exception in a Rapid Config.

Environment

  • App Control Console: All Supported Versions
  • App Control Agent: All Supported Versions

Resolution

Wildcards are allowed in the Exception, and should be added in the format:

<cmdline:*portion of commandline*>process
  • It is recommended to start with Rapid Configs in Report mode before changing to Block to allow an opportunity to test changes.
  • Using a more dynamic Exception to start with is recommended. This makes it easier to verify the Exception is properly formatted.
  • Further testing should be done to determine how specific to make the Exception while still allowing desired functionality.
  • Exceptions may need to be adjusted over time depending on changes by 3rd party vendors.

Additional Information

Example: Suspicious Command Line Protection N-Z

  • By default the Sc Command Lines To Report is: 
    <cmdline:*create*>sc.exe
  • This means that anytime the process sc.exe includes create in the command line, the Agent may take action. An example that would trigger this Rapid Config could be: 
    sc create AcmeSoftware binPath=C:\Windows\System32\Drivers\AcmeSoftware.sys type=kernel start=boot error=normal
  • Example of a dynamic Exception: 
    <cmdline:*AcmeSoftware*>sc.exe
  • Example of a more specific Exception: 
    <cmdline:AcmeSoftware binPath=C:\Windows\System32\Drivers\AcmeSoftware.sys type=kernel start=boot error=normal>sc.exe

Example: PowerShell Protection

  • By default the Download Commands portion includes: 
    <cmdline:*.downloadfile*>*
<cmdline:*.downloadstring*>*
<cmdline:*.downloaddata*>*
  • This means that anytime PowerShell uses the Download Command, the Agent may take action. An example that would trigger this Rapid Config could be: 
    C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe "& {$webClient = New-Object System.Net.WebClient; $webClient.DownloadString(\"https://acmeserver.local\update\latest\")};"
  • Example of a dynamic Exception: 
    <cmdline:*acmeserver.local*>powershell.exe
  • Example of a more specific Exception: 
    <cmdline:*webClient.DownloadString*acmeserver.local\update\latest*>powershell.exe
Powered by Wolken Software