Verify Wildcards and Macros In Paths
Article ID: 288717
Updated On:
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
How to use the Agent to verify the Macro or Wildcard will expand to correctly match the desired path on the endpoint.
Environment
- App Control Agent: All Supported Versions
- App Control Console: All Supported Versions
- Microsoft Windows: All Supported Versions
- Linux OS: All Supported Versions
- MacOS: All Supported Versions
Resolution
Reminders:
|
Using testpattern With Wildcard or Path Macros:
- Use a command prompt or Terminal to switch into the Agent directory and authenticate via dascli or b9cli, example:
cd "C:\Program Files (x86)\Bit9\Parity Agent" dascli password GlobalCLIPassword
- Use the testpattern command to compare the Custom Rule path against the existing path on the endpoint, example:
dascli testpattern "<CommonAppData>Acme Accounting\*.dll" "C:\ProgramData\Acme Accounting\math.dll"
- Review the results and verify the Expanded Pattern and Normalized Filename match, example:
Expanded Pattern: \\?\globalroot\device\harddiskvolume3\programdata\acme accounting\*.dll
Normalized Filename: \\?\globalroot\device\harddiskvolume3\programdata\acme accounting\math.dll
Match
Using testpattern With OnlyIf Macros:
- Use a command prompt or Terminal to switch into the Agent directory and authenticate via dascli or b9cli, example:
cd "C:\Program Files (x86)\Bit9\Parity Agent" dascli password GlobalCLIPassword
- Use the testpattern command to compare the OnlyIf Macro accordingly, example:
dascli testpattern "<OnlyIf:HostName:*BSMITH-1*>C:\Windows\System32\WindowsPowerShell\*powershell*.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"
- Review the results and verify the Expanded Pattern and Normalized Filename match, example results due to a mismatch in hostname:
Failed to expand pattern: HostName
Additional Information
Feedback
Yes
No
Powered by
