Unexpected Block when Using Authenticated Users with SID S-1-5-21

search cancel

Unexpected Block when Using Authenticated Users with SID S-1-5-21

book

Article ID: 402468

calendar_today

Updated On:

Products

Carbon Black App Control

Issue/Introduction

Creating a custom rule with Authenticated Users results in a block for a user with SID S-1-5-12 (Restricted Code)

Environment

Carbon Black Application Control: All Versions
Microsoft Windows: All Versions

Cause

Restricted Code users do not fall under Authenticated Users.

Resolution

Use Any User in the custom rule for correct expansion.

Using Authenticated Users within a Custom Rule could result in unnecessary rule expansion increasing the overall rules count when multiple users log-in simultaneously (e.g. RDS servers)

- The Custom Rule will expand into separate rule for every user that is currently logged in
- Custom Rules with multiple File or Process paths will expand exponentially because of this
- Authenticated Users provides little benefit over using Any User in a Custom Rule, but a rule with Any User expands only once for all currently logged in users

Additional Information

MS security identifiers

What Custom Rules Should Be Avoided

Feedback

thumb_up Yes

thumb_down No