Using Command Line Exceptions


Article ID: 288698



Carbon Black App Control (formerly Cb Protection)


This article provides guidance on properly formatting a Command Line Exception in a Rapid Config.


  • App Control Console: All Supported Versions
  • App Control Agent: All Supported Versions


Wildcards are allowed in the Exception, and should be added in the format:

<cmdline:*portion of commandline*>process


NOTE: If the Command Line column is not available in Reports > Events:

  1. Navigate to Settings > Login Accounts > User Roles > relevant Role > View Details (pencil icon)
  2. Add the Permission: View process command lines

Additional Information

  • It is recommended to start with Rapid Configs in Report mode before changing to Block to allow an opportunity to test changes.
  • Using a more dynamic Exception to start with is recommended. This makes it easier to verify the Exception is properly formatted.
  • Further testing should be done to determine how specific to make the Exception while still allowing desired functionality.
  • Exceptions may need to be adjusted over time depending on changes by 3rd party vendors.

Example: Suspicious Command Line Protection N-Z

  • By default the Sc Command Lines To Report is:
  • This means that any time the sc.exe process includes create in the command line, the Agent may take action. An example that would trigger this Rapid Config could be:
    sc create AcmeSoftware binPath=C:\Windows\System32\Drivers\AcmeSoftware.sys type=kernel start=boot error=normal
  • Example of a dynamic Exception:
  • Example of a more specific Exception:
    <cmdline:AcmeSoftware binPath=C:\Windows\System32\Drivers\AcmeSoftware.sys type=kernel start=boot error=normal>sc.exe
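
How much a dynamic Exception exempts compared with a more specific one can be checked offline against sample command lines before a Rapid Config moves from Report to Block. The following is an added example, not Carbon Black code: it assumes `*` matches any run of characters, case-insensitively, over the whole command line (an assumption about Agent matching), and the `DYNAMIC` pattern, the leading `*` on `SPECIFIC`, and every sample except the first command line are constructed.

```python
import re

# Shape from the article: <cmdline:PATTERN>process
_FORM = re.compile(r"^<cmdline:(?P<pattern>.+)>(?P<process>[^<>]+)$", re.I)

def parse_exception(text):
    """Split an exception string into (pattern, process); ValueError if malformed."""
    m = _FORM.match(text.strip())
    if not m:
        raise ValueError(f"not in <cmdline:...>process form: {text!r}")
    return m.group("pattern"), m.group("process")

def _glob(pattern):
    # ASSUMPTION: '*' matches any run of characters, all else is literal, and the
    # comparison is case-insensitive over the whole string.
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(f"^{body}$", re.I | re.S)

def exempts(exception, process_path, cmdline):
    """True if the modelled exception covers this process and command line."""
    pattern, proc = parse_exception(exception)
    # ASSUMPTION: the process part is compared with the executable's file name.
    name = process_path.replace("/", "\\").rsplit("\\", 1)[-1]
    return bool(_glob(proc).match(name) and _glob(pattern).match(cmdline))

def coverage(exception, samples):
    """Return the (process, cmdline) samples the exception would exempt."""
    return [s for s in samples if exempts(exception, *s)]

# Constructed samples; only the first command line comes from the article.
SAMPLES = [
    (r"C:\Windows\System32\sc.exe", r"sc create AcmeSoftware binPath=C:\Windows\System32\Drivers\AcmeSoftware.sys type=kernel start=boot error=normal"),
    ("sc.exe", r"sc create OtherSvc binPath=D:\Staging\AcmeSoftware.sys type=kernel start=boot"),
    ("sc.exe", r"sc create BackupAgent binPath=C:\Tools\agent.exe start=auto"),
    ("cmd.exe", r"cmd /c echo AcmeSoftware"),
]
DYNAMIC = r"<cmdline:*AcmeSoftware*>sc.exe"  # constructed broad exception
# The article's specific exception with a leading '*' added to fit this model.
SPECIFIC = r"<cmdline:*AcmeSoftware binPath=C:\Windows\System32\Drivers\AcmeSoftware.sys type=kernel start=boot error=normal>sc.exe"

if __name__ == "__main__":
    for label, exc in (("dynamic", DYNAMIC), ("specific", SPECIFIC)):
        hits = coverage(exc, SAMPLES)
        print(f"{label}: exempts {len(hits)} of {len(SAMPLES)} samples")
        for proc, cmd in hits:
            print(f"    {proc}: {cmd}")
```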

Example: PowerShell Protection

  • By default the Download Commands portion includes:
  • This means that any time PowerShell uses the Download Command, the Agent may take action. An example that would trigger this Rapid Config could be:
    C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe "& {$webClient = New-Object System.Net.WebClient; $webClient.DownloadString(\"https://acmeserver.local\update\latest\")};"
  • Example of a dynamic Exception:
  • Example of a more specific Exception: