This article provides guidance on properly formatting a Command Line Exception in a Rapid Config.

• App Control Console: All Supported Versions
• App Control Agent: All Supported Versions

• It is recommended to start with Rapid Configs in Report mode before changing to Block to allow an opportunity to test changes.
• Using a more dynamic Exception to start with is recommended. This makes it easier to verify the Exception is properly formatted.
• Further testing should be done to determine how specific to make the Exception while still allowing desired functionality.
• Exceptions may need to be adjusted over time depending on changes by 3rd party vendors.

Example: Suspicious Command Line Protection N-Z

• By default the Sc Command Lines To Report is:

  <cmdline:*create*>sc.exe

• This means that anytime the process sc.exe includes create in the command line, the Agent may take action. An example that would trigger this Rapid Config could be:

  sc create AcmeSoftware binPath=C:\Windows\System32\Drivers\AcmeSoftware.sys type=kernel start=boot error=normal

• Example of a dynamic Exception:

  <cmdline:*AcmeSoftware*>sc.exe

• Example of a more specific Exception:

  <cmdline:AcmeSoftware binPath=C:\Windows\System32\Drivers\AcmeSoftware.sys type=kernel start=boot error=normal>sc.exe

Example: PowerShell Protection

• By default the Download Commands portion includes:

  <cmdline:*.downloadfile*>*
  <cmdline:*.downloadstring*>*
  <cmdline:*.downloaddata*>*

• This means that anytime PowerShell uses the Download Command, the Agent may take action. An example that would trigger this Rapid Config could be:

  C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe "& {$webClient = New-Object System.Net.WebClient; $webClient.DownloadString(\"https://acmeserver.local\update\latest\")};"

• Example of a dynamic Exception:

  <cmdline:*acmeserver.local*>powershell.exe

• Example of a more specific Exception:

  <cmdline:*webClient.DownloadString*acmeserver.local\update\latest*>powershell.exe