Using Wildcards in Policy Rules
Article ID: 291417
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
This document provides information on how to use wildcards in policy rules
Environment
- Carbon Black Cloud Console(formerly PSC): All Versions
- Carbon Black Cloud Sensor: All Supported Versions
- Endpoint Standard (formerly CB Defense)
- Enterprise EDR (formerly CB ThreatHunter)
- Audit & Remediation (formerly CB LiveOps)
- Microsoft Windows: All Supported Versions
- Apple MacOS: All Supported Versions
Resolution
| Wildcard | Description | Example |
|---|---|---|
| ** | Matches a partial path across all sub-directory levels and is recursive. A double asterisk ** will match everything in a directory and all sub-directories included within up to the next explicit portion of the path. | C:\Python27\Lib\site-packages\** Matches any files in that directory and all sub-directories. |
| * |
Matches 0 or more consecutive characters up to a single sub-directory level. A single asterisk * will match everything up to the next path separator or explicit portion of the path and can be applied to generalize a folder or file name. | C:\program files*\custom application\*.exe Matches any executable files in: c:\program files\custom application\ |
| ? | Matches 0 or 1 character in that position. | C:\Program Files\Microsoft Visual Studio 1?.0\** Matches any files in the MS Visual Studio version 1 or versions 10-19. |
-
Additional Examples
| Rule | Folders/Files Covered | Folders/Files Not Covered |
|---|---|---|
| C:\Program Files\**\scanner\*.exe | C:\Program Files\folder1\scanner\<AnyExecutable> C:\Program Files\folder1\folder2\scanner\<AnyExecutable> C:\Program Files\folder1\folder2\folder3\scanner\<AnyExecutable> | C:\Program Files\folder1\NotScanner\<AnyExecutable> C:\Program Files\folder1\folder2\NotScanner\<AnyExecutable> C:\Program Files\folder1\folder2\folder3\NotScanner\<AnyExecutable> |
| *:\Program Files*\*\scanner\*.exe | C:\Program Files\folder1\scanner\<AnyExecutable> C:\Program Files (x86)\folder1\scanner\<AnyExecutable> D:\Program Files\folder1\scanner\<AnyExecutable> D:\Program Files (x86)\folder1\scanner\<AnyExecutable> | C:\Program Files\folder1\NotScanner\<AnyExecutable> C:\Program Files (x86)\folder1\NotScanner\<AnyExecutable> D:\Program Files\folder1\NotScanner\<AnyExecutable> D:\Program Files (x86)\folder1\NotScanner\<AnyExecutable> |
| C:\Program Files\scanner\* | C:\Program Files\scanner\<AnyFile> | C:\Program Files\scanner\folder1\<AnyFile> C:\Program Files\scanner\folder1\folder2\<AnyFile> |
| C:\Program Files\scanner\** | C:\Program Files\scanner\folder1\<AnyFile> C:\Program Files\scanner\folder1\folder2\<AnyFile> C:\Program Files\scanner\folder1\folder2\folder3\<AnyFile> | D:\Program Files\scanner\folder1\<AnyFile> |
| C:\Program Files\scanner\scanner 1?.0.exe | C:\Program Files\scanner\scanner 10.0.exe C:\Program Files\scanner\scanner 11.0.exe C:\Program Files\scanner\scanner 12.0.exe | C:\Program Files\scanner\scanner 2.0.exe C:\Program Files\scanner\scanner 100.0.exe |
| *:\Program Files*\scanner\scanner ?.0.exe | C:\Program Files\scanner\scanner 1.0.exe D:\Program Files\scanner\scanner 5.0.exe C:\Program Files (x86)\scanner\scanner 1.0.exe D:\Program Files (x86)\scanner\scanner 5.0.exe | C:\Program Files (x86)\scanner\scanner 1.1.exe D:\Program Files\scanner\scanner.exe |
Additional Information
Operating system environmental variables can be used as part of a policy rule in a path. For example:
%WINDIR%.Feedback
Yes
No
Powered by
