Per-User Custom Rules Don't Work When a Command is Invoked with "Run As"

Article ID: 396614


Products

Carbon Black App Control

Issue/Introduction

Agent version 8.10.0 introduced a configuration change that improves performance by disabling the stall of file operations when expanding Custom Rules on a new user login.

Environment

  • App Control Agent: 8.10.0+

Cause

Agent 8.10.0 introduced a configuration setting that disables the stalling of file operations when a new user SID is encountered. When there is not enough time between the login and the file execution for the Custom Rules to expand for that user (for example, when a command is invoked with "Run as"), the per-user rules are not yet in effect when the file executes.

Resolution

Warning: This config should only be applied to a specific agent or a specific policy. Enabling the config on all agents could result in severe performance issues.

Change the Agent Config so that operations are stalled until Custom Rules are expanded for the new user:

  1. Log in to the Console and navigate to https://<ServerAddress>/agent_config.php
  2. Click Show Filters > Value > contains > kernelExpandRulesTimeoutMs
  3. Click Apply
    1. If a result is returned: Click View Details (pencil icon) and modify the Value to match:
      kernelExpandRulesTimeoutMs=1000
    2. If no result is returned: Click Add Agent Config and use the following details
      • Name: Rule Expansion Timeout
      • Host ID: <0 for all or use the specific agent ID e.g. 1234>
      • Value:
        kernelExpandRulesTimeoutMs=1000
      • Platform: Windows
      • Create For: <Relevant Policies>
    3. Save all changes.
  4. Verify Agent shows as Connected and Up to Date before testing again.

Additional Information

  • Test to determine the minimum "TimeoutMs" value that allows the run-as to function in the environment.
    • For example, if the value 1000 works, try reducing it by a few hundred. If this value is not working, raise it to 2000 or higher until it works.
    • Find the minimum stall time required for the environment.
    • If a higher value is needed and it is causing performance issues, consider tuning rules and reducing what needs to be expanded (see: Balancing Narrow Patterns and Rule Expansion).
  • If the rule works when set to "Any User", this is a good indicator that the rule is not expanding in time.
  • Adding more per-user rules increases the expansion time and may require this value to be raised.
  • 8.10.0 Agents now have kernelExpandRulesTimeoutMs set to 0 by default.
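The tuning procedure above is a simple search for the smallest stall time that still lets the run-as rule apply. The following helper, an added example that is not Carbon Black code, models that search so the probe order is explicit and repeatable. The `run_as_works` callback is hypothetical: in a real environment each probe is the manual test (set the Value, wait for the agent to show Connected and Up to Date, run the command with "Run as"), and `simulated_host` is a constructed stand-in for a host whose rules take a fixed time to expand. The start value, step and ceiling are assumptions chosen to match the article's 1000/2000 guidance.

```python
"""Tuning helper for kernelExpandRulesTimeoutMs (added example, not Carbon Black code)."""
from typing import Callable

CONFIG_KEY = "kernelExpandRulesTimeoutMs"


def format_config_value(timeout_ms: int) -> str:
    """Build the Value string entered in the Agent Config, e.g. 'kernelExpandRulesTimeoutMs=1000'."""
    if timeout_ms < 0:
        raise ValueError("timeout must be 0 (stall disabled) or a positive number of milliseconds")
    return f"{CONFIG_KEY}={timeout_ms}"


def parse_config_value(value: str) -> int:
    """Parse a Value string back to an integer; rejects any other key or a non-numeric value."""
    key, sep, number = value.strip().partition("=")
    if sep != "=" or key.strip() != CONFIG_KEY or not number.strip().isdigit():
        raise ValueError(f"not a {CONFIG_KEY} setting: {value!r}")
    return int(number.strip())


def find_minimum_timeout(run_as_works: Callable[[int], bool],
                         start_ms: int = 1000,
                         step_ms: int = 200,
                         ceiling_ms: int = 10000) -> int:
    """Search for the smallest timeout at which the run-as test passes.

    run_as_works(timeout_ms) is a hypothetical callback standing in for the
    manual test; it returns True when the per-user rule applied under "Run as".
    Follows the article: start at 1000; if that works, reduce a few hundred at a
    time; if not, raise to 2000 and keep raising until it works, then back off
    in steps to find the minimum value that still works.
    """
    timeout = start_ms
    if not run_as_works(timeout):
        timeout = max(2000, timeout + 1000)
        while not run_as_works(timeout):
            timeout += 1000
            if timeout > ceiling_ms:
                # A very long stall hurts performance; tune the rules instead of raising further.
                raise RuntimeError(f"no working value up to {ceiling_ms} ms; reduce rule expansion")
    best = timeout
    candidate = best - step_ms
    # 0 is never probed: it disables the stall entirely (the 8.10.0 default).
    while candidate > 0 and run_as_works(candidate):
        best = candidate
        candidate -= step_ms
    return best


def simulated_host(expansion_ms: int) -> Callable[[int], bool]:
    """Constructed stand-in for a host whose per-user rules take expansion_ms to expand."""
    return lambda timeout_ms: timeout_ms >= expansion_ms


if __name__ == "__main__":
    for expansion in (700, 1350, 2500):
        best = find_minimum_timeout(simulated_host(expansion))
        print(f"expansion {expansion} ms -> set {format_config_value(best)}")
```

Because each probe in practice is a manual test cycle, the step size trades test effort against precision; a 200 ms step on a host that needs 1350 ms settles on 1400, which is the smallest probed value that still works.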