App Control: How To Format Command Line Exclusions



Article ID: 288698




Carbon Black App Control (formerly Cb Protection)


This article explains how to properly format a Command Line Exclusion in a Rapid Config.


  • App Control Console: All Supported Versions
  • App Control Agent: All Supported Versions


Command Line Exclusions (or exceptions) should be added in the format:
<cmdline:*portion of commandline*>process

Example with the Rapid Config Suspicious Command Line Protection N-Z:

This Rapid Config monitors for command lines related to sc.exe by default using:
This means that anytime the process sc.exe includes create in the command line, the Agent may take action. For instance, this command line would trigger the Rapid Config:
sc create AcmeSoftware binPath=C:\Windows\System32\Drivers\AcmeSoftware.sys type=kernel start=boot error=normal
So a potentially very dynamic Exclusion would become:
While a very specific Exclusion would become:
<cmdline:AcmeSoftware binPath=C:\Windows\System32\Drivers\AcmeSoftware.sys type=kernel start=boot error=normal>sc.exe

Additional Information

  • Further testing should be done to determine how specific to make the Exclusion while still allowing desired functionality.
  • Exclusions may need to be adjusted over time depending on changes by 3rd party vendors.
  • It is recommended to start with Rapid Configs in Report mode before changing to Block to allow an opportunity to test changes.
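
An added example, not part of the original article and not Carbon Black code: a Python check that parses entries written in the <cmdline:...>process format described above and flags malformed or very broad ones for review before they are entered in a Rapid Config. It assumes that * acts as a wildcard; the function names and the 8-character threshold are hypothetical.

```python
import re

# Format given in the article: <cmdline:PATTERN>PROCESS
EXCLUSION_RE = re.compile(r"^<cmdline:(?P<pattern>.*)>(?P<process>[^<>]*)$")
MIN_LITERAL_CHARS = 8  # hypothetical review threshold, not a product setting


def parse_exclusion(entry):
    """Split one exclusion into (pattern, process) or raise ValueError."""
    match = EXCLUSION_RE.match(entry.strip())
    if match is None:
        raise ValueError("not in <cmdline:PATTERN>PROCESS form: %r" % entry)
    pattern, process = match.group("pattern"), match.group("process").strip()
    if not pattern:
        raise ValueError("empty command line pattern: %r" % entry)
    if not process:
        raise ValueError("no process after '>': %r" % entry)
    return pattern, process


def review_exclusion(entry):
    """Return a list of findings for a reviewer; an empty list means none."""
    try:
        pattern, process = parse_exclusion(entry)
    except ValueError as err:
        return ["malformed: %s" % err]
    findings = []
    # Assumption: '*' is a wildcard, so only the remaining text narrows the match.
    literal = "".join(pattern.split("*")).strip()
    if not literal:
        findings.append("pattern is only wildcards: would exclude every %s command line" % process)
    elif len(literal) < MIN_LITERAL_CHARS:
        findings.append("only %d literal characters (%r): likely too broad" % (len(literal), literal))
    return findings


if __name__ == "__main__":
    # Constructed entries, except the second, which is the article's specific example.
    samples = [
        "<cmdline:*>sc.exe",
        r"<cmdline:AcmeSoftware binPath=C:\Windows\System32\Drivers\AcmeSoftware.sys"
        r" type=kernel start=boot error=normal>sc.exe",
        "<cmdline:*Acme*>sc.exe",
        "cmdline:*AcmeSoftware*>sc.exe",
    ]
    for sample in samples:
        print(sample[:60], "->", review_exclusion(sample) or "no findings")
```

A clean result here only means the entry is well formed and not obviously broad; whether it actually matches the intended command lines still has to be confirmed with the Rapid Config in Report mode.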