Environment
- Carbon Black Cloud Console: All Versions (Formerly CB Defense PSC)
- Carbon Black Cloud Sensor: All Versions
- Microsoft Windows: All Supported Versions
- Apple macOS: All Supported Versions
Objective
Create policy rules for permission or blocking.
Endpoint Standard sensor versions 1.0.6.178 and greater support drive letters in policy rules, along with the * and ** syntax described below. macOS is unaffected.
Resolution
Permissions Rule
- Log into the Carbon Black Cloud Console
- Go to Enforce > Policies
- Select the desired Policy
- Scroll down to the Permissions section
- Click Add application path
- Enter the path of the desired application
- Select the desired Operation Attempt
- Select the desired Action
- Click the Confirm button
- Click Save (top or bottom of the page)
Blocking and Isolation Rule (Reputation Based)
- Log into the Carbon Black Cloud Console
- Go to Enforce > Policies
- Select the desired Policy
- Scroll down to the Blocking and Isolation section
- Click Edit (pencil icon) for the desired Reputation
- Select the desired Operation Attempt
- Select the desired Action
- Click the Confirm button
- Click Save (top or bottom of the page)
Blocking and Isolation Rule (Path Based)
- Log into the Carbon Black Cloud Console
- Go to Enforce > Policies
- Select the desired Policy
- Scroll down to the Blocking and Isolation section
- Click Add application path
- Enter the path of the desired application
- Select the desired Operation Attempt
- Select the desired Action
- Click the Confirm button
- Click Save (top or bottom of the page)
Additional Notes
Policy Creation and General Use Guidelines
- Create a Test Policy with one or more devices to test a Permissions or Blocking and Isolation rule
  - If a rule is added that is not correct and has not been tested, it will affect every machine in that Policy
  - Once testing has been completed, it is then recommended to place the rule into a production Policy
- Policies are not 100% effective; it is imperative to test prior to implementation in production
- Record updates to Policies to be able to revert changes when needed
- Custom Policy rules supersede whitelisted and blacklisted objects/hashes
- Policy Rules can be tested by selecting Test Rule next to the desired Operation Attempt