App Control: <CmdlineAnyArgument>: Macro Fails When Using Multiple Arguments

Article ID: 289116

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

When using the <CmdLineAnyArgument:X> macro with multiple arguments in a custom rule process, the rule does not tag the matching events correctly.

Environment

  • App Control Console: All Supported Versions
  • Microsoft Windows: All Supported Versions

Cause

The <CmdLineAnyArgument:X> macro is applied to each token in the command line. Because multiple arguments are separated by spaces, a value containing more than one argument would have to match across two tokens, which never succeeds.

Resolution

Use the <CmdLine:X> macro instead; it supports multiple arguments in the same command-line value.

Additional Information

  • An additional investigation is being launched into the usage of the <CmdLineAnyArgument:X> macro to validate and fix this issue. No update available at this time.
  • Example of using the <CmdLine:X> macro when the value contains multiple arguments:
    <OnlyIf:Bit9Version:Atleast:8.0.0.0><CmdLine:Get-WinEvent -LogName>cmd.exe
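The following Python model is an added illustration, not Carbon Black's code, of why the two macros behave differently: one function applies the rule value to each whitespace-separated token, as the Cause section describes for <CmdLineAnyArgument:X>, and the other applies it to the whole command line, as <CmdLine:X> does. Case-insensitive substring matching and the sample command lines are assumptions made for the illustration.

```python
# Constructed sample command lines for a rule meant to tag
# "Get-WinEvent -LogName" launched through cmd.exe.
SAMPLE_CMDLINES = [
    "cmd.exe /c powershell Get-WinEvent -LogName Security",
    "cmd.exe /c powershell Get-WinEvent -MaxEvents 10",
    "cmd.exe /c whoami",
]


def match_any_argument(value: str, cmdline: str) -> bool:
    """Model of <CmdLineAnyArgument:X>: the value is tested against each
    token separately. A value containing a space can never match, because
    the space is the token separator (substring match is an assumption)."""
    return any(value.lower() in tok.lower() for tok in cmdline.split())


def match_cmdline(value: str, cmdline: str) -> bool:
    """Model of <CmdLine:X>: the value is tested against the entire command
    line, so a multi-argument value can match."""
    return value.lower() in cmdline.lower()


def evaluate(value: str, cmdlines: list[str]) -> dict[str, list[bool]]:
    """Return, per macro, which sample command lines the value would tag."""
    return {
        "CmdLineAnyArgument": [match_any_argument(value, c) for c in cmdlines],
        "CmdLine": [match_cmdline(value, c) for c in cmdlines],
    }


if __name__ == "__main__":
    # Multi-argument value: only the whole-command-line macro tags anything.
    for macro, hits in evaluate("Get-WinEvent -LogName", SAMPLE_CMDLINES).items():
        print(f"{macro:>20}: {hits}")
    # Single-argument value: both macros agree, so the per-token macro is
    # fine as long as the value has no spaces.
    for macro, hits in evaluate("Get-WinEvent", SAMPLE_CMDLINES).items():
        print(f"{macro:>20}: {hits}")
```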