How to Configure Policy Rules

Article ID: 291851

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Create Permissions rules or Blocking and Isolation rules in a policy.

Endpoint Standard Sensor versions 1.0.6.178 and greater support using drive letters in the policy rules along with the * and ** syntax described below. macOS is unaffected.

Environment

  • Carbon Black Cloud Console: All Versions (Formerly CB Defense PSC)
  • Carbon Black Cloud Sensor: All Versions
  • Microsoft Windows: All Supported Versions
  • Apple macOS: All Supported Versions

Resolution

Permissions Rule

  1. Log in to the Carbon Black Cloud Console
  2. Go to Enforce > Policies
  3. Select the desired Policy
  4. Scroll down to the Permissions section
  5. Click Add application path
  6. Enter the path of the desired application
  7. Select the desired Operation Attempt
  8. Select the desired Action
  9. Click the Confirm button
  10. Click Save (top or bottom of the page)

Blocking and Isolation Rule (Reputation Based)

  1. Log in to the Carbon Black Cloud Console
  2. Go to Enforce > Policies
  3. Select the desired Policy
  4. Scroll down to the Blocking and Isolation section
  5. Click Edit (pencil icon) for the desired Reputation
  6. Select the desired Operation Attempt
  7. Select the desired Action
  8. Click the Confirm button
  9. Click Save (top or bottom of the page)

Blocking and Isolation Rule (Path Based)

  1. Log in to the Carbon Black Cloud Console
  2. Go to Enforce > Policies
  3. Select the desired Policy
  4. Scroll down to the Blocking and Isolation section
  5. Click Add application path
  6. Enter the path of the desired application
  7. Select the desired Operation Attempt
  8. Select the desired Action
  9. Click the Confirm button
  10. Click Save (top or bottom of the page)

Additional Information

Policy Creation and General Use Guidelines

  • Create a Test Policy with one or more devices to test a Permissions or Blocking and Isolation rule
    If a rule is added that is not correct and has not been tested, it will affect every machine in that Policy
    Once testing has been completed, it is then recommended to place the rule into a production Policy
  • Policies are not 100% effective; it is imperative to test prior to implementation in production
  • Record updates to Policies to be able to revert changes when needed
  • Custom Policy rules supersede whitelisted and blacklisted objects/hashes
  • Policy Rules can be tested by selecting Test Rule next to the desired Operation Attempt