Using Wildcards in App Control

Article ID: 286791

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

This article provides guidance for wildcard usage in Custom Rules and how to verify wildcards in File or Process paths.

Environment

  • App Control Console: All Supported Versions
  • App Control Agent: All Supported Versions

Resolution

Wildcards in Custom Rules

App Control recognizes the following wildcard characters:

  • Multiple Characters: *
    Example: C:\ProgramData\AccountingSoftware\*.dll
  • Single Character: ?
    Example: C:\ProgramData\AccountingSoftware\version??.??\*.dll
  • Ending a Path: Ending a path with a backslash makes the rule recursive through all files, folders, and subfolders. The two paths in the example below are equivalent.
    Example One: C:\ProgramData\AccountingSoftware\
    Example Two: C:\ProgramData\AccountingSoftware\*
  • Specifying a Directory: App Control will treat any path that does not end with a backslash as a file name.
    Valid Directory: C:\ProgramData\AccountingSoftware\
    Not a Valid Directory: C:\ProgramData\AccountingSoftware
  • Using With Macros: Wildcards are not allowed in a Macro Condition, but can be used in a Macro Value.
    Macro Structure: <OnlyIf:Condition:Value>
    Example: <OnlyIf:Hostname:*FileServer0?>*\temp\*.txt

Verifying wildcards in File or Process paths:

The testpattern command tests a path as entered in the Custom Rule against an actual path on the endpoint. This command:

  • requires authentication with the Agent.
  • compares against an existing, full path on the machine.
  • is entered using the following pattern:
    testpattern <Test Path> <Actual Path>

  1. Verify the relevant path in the Custom Rule.
  2. Log in to the endpoint and in a command prompt issue the following commands:
    • Windows:
      cd "C:\Program Files (x86)\Bit9\Parity Agent"
      dascli password GlobalCLIPassword
      dascli testpattern "C:\ProgramData\Acme Accounting\*.dll" "C:\ProgramData\Acme Accounting\math.dll"
      
    • macOS:
      cd "/Applications/Bit9/Tools"
      ./b9cli --password GlobalCLIPassword
      ./b9cli --testpattern "/Library/Application Support/Acme Accounting/*.sh" "/Library/Application Support/Acme Accounting/math.sh"
      
    • Linux:
      cd /opt/bit9/bin
      ./b9cli --password GlobalPassword
      ./b9cli --testpattern "/opt/Acme Accounting/*.sh" "/opt/Acme Accounting/math.sh"
      
  3. The Agent will expand the Test Pattern provided and return results similar to:
    Expanded Pattern: /opt/Acme Accounting/*.sh
    Normalized Filename: /opt/Acme Accounting/math.sh
    Match

Wildcards are not supported in:

  • Alert Criteria. Instead, consider using criteria such as "begins with" or "contains".
  • The "User or Group" field in Custom Rules. This field maps to an actual user or group on the computer or network.
  • Path Macros. A wildcard cannot be used inside a Path Macro; each Path Macro has to be included separately. Examples:
    • Not Supported:
      <ProgramFiles*>\AcmeAccounting\*.exe
    • Supported:
      <ProgramFilesx86>\AcmeAccounting\*.exe
      <ProgramFiles>\AcmeAccounting\*.exe

Additional Information

  • System Variables (%username%) are not recognized by App Control.
  • The asterisk will be recursive through all directories and subdirectories.
  • Any path that has no slash or drive letter has "*\" (for Windows) or "*/" (for Mac and Linux) added at the beginning of the path.
  • Case Sensitivity of paths is dictated by the Operating System.
  • More information can be found in the User Guide chapter "Custom Software Rules", available on VMware Docs > Server Documentation > User Guide.
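
The matching rules in this article (recursive *, single-character ?, the trailing backslash, and the "*\" prefix added to bare names) can be modelled offline to review how much a Custom Rule path covers before it is deployed. This is an added example, not Carbon Black code and not the Agent's matcher: the function names and sample paths are constructed, ? is assumed never to match a path separator, Windows is assumed case-insensitive, and macros are not handled.

```python
import re

def normalize_rule_path(pattern, windows=True):
    """Apply the two expansions the article documents to a rule path."""
    sep = "\\" if windows else "/"
    has_drive = windows and re.match(r"[A-Za-z]:", pattern) is not None
    # No slash and no drive letter: "*\" (Windows) or "*/" (Mac/Linux) is prepended.
    if sep not in pattern and not has_drive:
        pattern = "*" + sep + pattern
    # A trailing separator is recursive, identical to ending the path with "*".
    if pattern.endswith(sep):
        pattern += "*"
    return pattern

def rule_matches(pattern, actual, windows=True, ignore_case=None):
    """Model of the documented wildcard semantics (not the Agent's matcher)."""
    sep = "\\" if windows else "/"
    if ignore_case is None:
        ignore_case = windows  # assumption: Windows paths compare case-insensitively
    regex = ""
    for ch in normalize_rule_path(pattern, windows):
        if ch == "*":
            regex += ".*"  # recursive: crosses directory separators
        elif ch == "?":
            regex += "[^" + re.escape(sep) + "]"  # assumption: never a separator
        else:
            regex += re.escape(ch)
    return re.fullmatch(regex, actual, re.IGNORECASE if ignore_case else 0) is not None

def audit(rules, paths, windows=True):
    """Map each rule to the candidate paths it would cover."""
    return {r: [p for p in paths if rule_matches(r, p, windows)] for r in rules}

# Constructed sample paths, reusing the article's example directory.
SAMPLE_PATHS = [
    r"C:\ProgramData\AccountingSoftware\math.dll",
    r"C:\ProgramData\AccountingSoftware\plugins\cache\extra.dll",
    r"C:\ProgramData\AccountingSoftware\version10.02\calc.dll",
    r"C:\Users\Public\math.dll",
]
SAMPLE_RULES = [
    r"C:\ProgramData\AccountingSoftware\*.dll",
    r"C:\ProgramData\AccountingSoftware\version??.??\*.dll",
    r"C:\ProgramData\AccountingSoftware",
    "math.dll",
]

if __name__ == "__main__":
    for rule, hits in audit(SAMPLE_RULES, SAMPLE_PATHS).items():
        print(f"{normalize_rule_path(rule)!r} covers {len(hits)} of {len(SAMPLE_PATHS)}")
```

In this model the *.dll rule also covers DLLs in nested subfolders, and the bare name math.dll covers that file name in any directory. Confirm the result for a real rule with testpattern on the endpoint.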