App Control: What is "Rule Expansion"?

Article ID: 290766

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

What is "Rule Expansion" as it relates to App Control agents, and how does this impact performance on an endpoint?

Environment

  • App Control Server: All Supported Versions
  • App Control Agent: All Supported Versions

Resolution

A scenario that occasionally comes up is that adding a Custom Rule degrades the performance of an endpoint. The primary reason this can happen (assuming the rule syntax is correct) is what happens behind the scenes for a Custom Rule: rule expansion. A scenario could look something like this:

There are several processes acting on files in several locations, and we want to restrict the use of those processes to several users. A real-world example would be "My developers are checking out code with several tools, and those tools put files all over the place".

In the App Control Console, for a Custom Rule, we might want to create a rule that looks like:

[Image: Custom Rule in the App Control Console listing 4 paths, 4 processes and 4 users]

For this simple example, there are 4 paths, 4 processes, and 4 users. If we save that, the App Control Console shows just 1 rule created. However, in order for the agent to digest that, a process called rule expansion converts that one rule into 64 rules (4 x 4 x 4), because every combination of path, process and user has to be represented as its own rule. The expanded count is therefore the product of the list lengths, not their sum, and it grows quickly: we have easily seen Custom Rules created with 30 paths, 20 processes, and 25 users = 15,000 rules! Not only would each agent need to download 15,000 rules from the server, but every endpoint operation those rules could apply to now has to be evaluated against 15,000 rules to find a match.

Something to consider when creating your Custom Rules! In practice, we don't recommend having more than a few thousand expanded Custom Rules for agents to enforce. When possible, also narrow the rule's scope by Policy so that not all agents are impacted.
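The following script is an added example and is not part of App Control or this article: it estimates the expanded rule count for a proposed Custom Rule before it is saved, flags rules that exceed the "few thousand" guidance above (3000 is an assumed concrete ceiling), and shows why splitting one broad rule into per-process rules scoped to the paths each process actually uses shrinks the product. All paths, process names and user names are constructed samples, and the assumption that each tool writes to a single directory is made only for illustration.

```python
"""Estimate App Control rule expansion before saving a Custom Rule.

Added example, not part of the Carbon Black product or this article.
All paths, process names and user names below are constructed samples.
"""
from itertools import product

# The article recommends "no more than a few thousand" expanded Custom Rules per
# agent; 3000 is an assumed concrete ceiling for this check.
RECOMMENDED_MAX_EXPANDED = 3000


def expanded_count(paths, processes, users):
    """How many agent-side rules one Console Custom Rule becomes.

    Rule expansion emits one rule per (path, process, user) combination, so the
    count is the product of the three list lengths, not their sum.
    """
    return len(paths) * len(processes) * len(users)


def expand_rule(paths, processes, users):
    """Materialise the combinations the agent will evaluate on each operation."""
    return list(product(paths, processes, users))


def check_rule(name, paths, processes, users, limit=RECOMMENDED_MAX_EXPANDED):
    """Summarise one proposed rule and flag it if it exceeds the ceiling."""
    n = expanded_count(paths, processes, users)
    return {"rule": name, "expanded": n, "over_limit": n > limit}


def total_expanded(rules):
    """Agent load is the sum of every Custom Rule it receives, after expansion."""
    return sum(expanded_count(p, pr, u) for (_, p, pr, u) in rules)


# --- Constructed sample: the article's 4 x 4 x 4 scenario -------------------
DEV_PATHS = [r"C:\Dev\repo1\*", r"C:\Dev\repo2\*", r"C:\Build\*", r"D:\Cache\*"]
DEV_TOOLS = ["git.exe", "svn.exe", "hg.exe", "tfs.exe"]
DEV_USERS = ["CORP\\alice", "CORP\\bob", "CORP\\carol", "CORP\\dave"]

SINGLE_RULE = ("Dev checkout tools", DEV_PATHS, DEV_TOOLS, DEV_USERS)

# Same users, restructured: one rule per tool, scoped to the paths that tool
# actually writes to (assumed here: each tool uses exactly one directory).
# The product shrinks because each rule's path and process lists are shorter.
PER_TOOL_RULES = [
    (f"{tool} checkout", [path], [tool], DEV_USERS)
    for tool, path in zip(DEV_TOOLS, DEV_PATHS)
]


def big_rule_check():
    """The article's large case: 30 paths x 20 processes x 25 users."""
    return check_rule(
        "big rule",
        [f"p{i}" for i in range(30)],
        [f"proc{i}" for i in range(20)],
        [f"user{i}" for i in range(25)],
    )


if __name__ == "__main__":
    print(check_rule(*SINGLE_RULE))                     # expanded: 64
    print(len(expand_rule(DEV_PATHS, DEV_TOOLS, DEV_USERS)))
    print("per-tool total:", total_expanded(PER_TOOL_RULES))  # 16
    print(big_rule_check())                             # expanded: 15000, over_limit: True
```

Run it against the lists you intend to paste into the Console; if `over_limit` comes back true, either trim the lists or split the rule so each process is paired only with the paths and users it really needs, and then narrow the Policy that carries it.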