App Control: How To Format Command Line Exclusions

Article ID: 288698

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

How to format a Command Line Exclusion (exception) for a Rapid Config so that it suppresses only the intended command lines.

Environment

  • App Control Console: All Supported Versions
  • App Control Agent: All Supported Versions

Resolution

Command Line Exclusions (or exceptions) should be added in the format:
<cmdline:*portion of commandline*>process
where process is the image name of the process (for example sc.exe) and the asterisks are wildcards that match any text. With a wildcard on each side, the Exclusion applies to any command line of that process that contains the given portion; omitting the wildcards pins the Exclusion to the exact command line text.

Example with the Rapid Config Suspicious Command Line Protection N-Z:

This Rapid Config monitors command lines related to sc.exe by default using:
<cmdline:*create*>sc.exe
This means that whenever sc.exe runs with create anywhere in its command line, the Agent may take the action configured for the Rapid Config (Report or Block). For instance, this command line would trigger the Rapid Config:
sc create AcmeSoftware binPath=C:\Windows\System32\Drivers\AcmeSoftware.sys type=kernel start=boot error=normal
A broad, and therefore very permissive, Exclusion would be:
<cmdline:*AcmeSoftware*>sc.exe
Note that this also suppresses every sc.exe command line that merely contains the string AcmeSoftware anywhere (for example in a display name or an unrelated path), not just the legitimate driver installation above.
A very specific Exclusion, pinned to the observed command line, would be:
<cmdline:AcmeSoftware binPath=C:\Windows\System32\Drivers\AcmeSoftware.sys type=kernel start=boot error=normal>sc.exe
Match a specific Exclusion against the command line exactly as the Agent records it in the event; a different path, parameter order, or extra argument will cause the Exclusion not to apply and the Rapid Config will act again.
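The following script is an added example and not Carbon Black code. It models the <cmdline:pattern>process rule format described above so that candidate Exclusions can be checked against recorded command lines before they are deployed. The matching semantics are assumptions: the asterisk is the only wildcard and matches any run of characters, the pattern must cover the whole command line, and matching is case-insensitive. The sample events and the name Updater are constructed for the example, and the specific Exclusion is the article's with a leading asterisk added so it also covers the leading "sc create" text under the whole-command-line matching assumed here. Confirm the real behaviour against your own App Control events.

```python
import re
from dataclasses import dataclass

# Added example, not Carbon Black code. Assumed rule semantics: '*' is the
# only wildcard and matches any run of characters; the pattern must cover the
# whole command line; matching is case-insensitive. Verify against real events.

RULE_RE = re.compile(r"^<cmdline:(?P<pattern>.*)>(?P<process>[^<>\s]+)$", re.DOTALL)


@dataclass(frozen=True)
class CmdlineRule:
    pattern: str   # text between '<cmdline:' and '>', may contain '*'
    process: str   # process image name after the closing '>'


def parse_rule(rule: str) -> CmdlineRule:
    """Split '<cmdline:*create*>sc.exe' into its pattern and process parts."""
    m = RULE_RE.fullmatch(rule.strip())
    if not m:
        raise ValueError(f"not a <cmdline:...>process rule: {rule!r}")
    return CmdlineRule(m.group("pattern"), m.group("process"))


def glob_to_regex(pattern: str) -> re.Pattern:
    """Turn a '*'-only glob into an anchored, case-insensitive regex.
    Everything except '*' is escaped, so backslashes and '=' stay literal."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def rule_matches(rule: str, process: str, cmdline: str) -> bool:
    """True if the rule applies to this process name and command line."""
    parsed = parse_rule(rule)
    if parsed.process.lower() != process.lower():
        return False
    return glob_to_regex(parsed.pattern).match(cmdline) is not None


# Constructed sample events (process name, command line); not real log data.
EVENTS = {
    "legit_driver": ("sc.exe",
        r"sc create AcmeSoftware binPath=C:\Windows\System32\Drivers\AcmeSoftware.sys type=kernel start=boot error=normal"),
    # Unrelated service that only mentions AcmeSoftware in its display name.
    "piggyback": ("sc.exe",
        r"sc create Updater binPath=C:\Users\Public\updater.exe DisplayName=AcmeSoftware"),
    "unrelated": ("sc.exe",
        r"sc create Updater binPath=C:\Users\Public\updater.exe"),
}

DETECTION = "<cmdline:*create*>sc.exe"            # default rule from the Rapid Config
BROAD_EXCLUSION = "<cmdline:*AcmeSoftware*>sc.exe"  # the article's broad Exclusion
# The article's specific Exclusion with a leading '*' added (assumption) so it
# also covers the 'sc create ' prefix under whole-command-line matching.
SPECIFIC_EXCLUSION = (r"<cmdline:*AcmeSoftware binPath=C:\Windows\System32\Drivers"
                      r"\AcmeSoftware.sys type=kernel start=boot error=normal>sc.exe")


def would_act(detection: str, exclusions: list, process: str, cmdline: str) -> bool:
    """Rapid Config outcome: the detection rule fires and no Exclusion covers it."""
    if not rule_matches(detection, process, cmdline):
        return False
    return not any(rule_matches(x, process, cmdline) for x in exclusions)


def evaluate(exclusions: list) -> dict:
    """Map each sample event name to whether the Agent would still act on it."""
    return {name: would_act(DETECTION, exclusions, proc, cl)
            for name, (proc, cl) in EVENTS.items()}


if __name__ == "__main__":
    for label, excl in (("broad", BROAD_EXCLUSION), ("specific", SPECIFIC_EXCLUSION)):
        print(label, evaluate([excl]))
```

Running the script shows the trade-off the article describes: with the broad Exclusion the Agent no longer acts on the legitimate driver install, but it also stops acting on the constructed "piggyback" event that merely mentions AcmeSoftware in its display name; with the specific Exclusion only the legitimate command line is suppressed. Swap in command lines copied from your own Report-mode events to check a candidate Exclusion before switching the Rapid Config to Block.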

Additional Information

  • Test further to determine how specific the Exclusion can be made while still allowing the desired functionality; the narrower the pattern, the less unrelated activity it suppresses.
  • Exclusions may need to be adjusted over time as third-party vendors change install paths, service names, or command line parameters.
  • It is recommended to start with Rapid Configs in Report mode before changing to Block, so that the recorded events can be used to test and refine Exclusions without impacting users.