
App Control: How To Format Command Line Exclusions

Environment

  • App Control Console: All Supported Versions
  • App Control Agent: All Supported Versions

Objective

To properly format a Command Line Exclusion in a Rapid Config.

Resolution

Command Line Exclusions (or exceptions) should be added in the format:
<cmdline:*portion of commandline*>process

Example with the Rapid Config Suspicious Command Line Protection N-Z:

This Rapid Config monitors command lines for sc.exe by default using:
<cmdline:*create*>sc.exe
This means that any time the process sc.exe has create anywhere in its command line, the Agent may take action. For instance, this command line would trigger the Rapid Config:
sc create AcmeSoftware binPath=C:\Windows\System32\Drivers\AcmeSoftware.sys type=kernel start=boot error=normal
A very broad Exclusion for it (one that tolerates almost any variation in the rest of the command line) would be:
<cmdline:*AcmeSoftware*>sc.exe
While a very specific Exclusion would be:
<cmdline:AcmeSoftware binPath=C:\Windows\System32\Drivers\AcmeSoftware.sys type=kernel start=boot error=normal>sc.exe
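As an added example (not App Control's own rule parser or matcher, and not code from this article), the following Python script models the <cmdline:PORTION>process syntax so a candidate Exclusion can be tried against sample command lines before it goes into a Rapid Config. The wildcard semantics are assumptions the article does not state: '*' is the only wildcard, matching is case-insensitive, PORTION is compared against the whole command line, and the process part is compared against the image name. The TIGHT_EXCLUSION rule and the extra command lines are constructed for the example; the trigger rule, the broad Exclusion and the first command line are quoted from the article.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Added example for this article; it is NOT App Control's own rule parser or
# matcher. It models the "<cmdline:PORTION>process" syntax so that a candidate
# Exclusion can be tried against sample command lines before it goes into a
# Rapid Config. Assumptions, none of which the article confirms: '*' is the only
# wildcard, matching is case-insensitive, PORTION is compared against the whole
# command line, and the process part is compared against the image name.

_RULE_RE = re.compile(r"^<cmdline:(?P<portion>.+)>(?P<process>[^<>]+)$", re.DOTALL)


def _glob_match(pattern: str, text: str) -> bool:
    """True if text matches pattern, where '*' matches any run of characters.

    Everything other than '*' is escaped, so backslashes in Windows paths and
    characters such as '?' or '[' are matched literally.
    """
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, text, re.IGNORECASE | re.DOTALL) is not None


@dataclass(frozen=True)
class CmdlineRule:
    portion: str   # text between "<cmdline:" and ">"
    process: str   # process (image) name after the closing ">"

    @classmethod
    def parse(cls, text: str) -> "CmdlineRule":
        m = _RULE_RE.match(text.strip())
        if m is None:
            raise ValueError(f"not in <cmdline:...>process form: {text!r}")
        return cls(portion=m.group("portion"), process=m.group("process").strip())

    def matches(self, process: str, command_line: str) -> bool:
        return (process.lower() == self.process.lower()
                and _glob_match(self.portion, command_line))


def evaluate(trigger: CmdlineRule, exclusion: CmdlineRule,
             events: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Classify (process, command_line) events: 'ignored' when the Rapid Config
    rule does not match, 'excluded' when the Exclusion also matches, otherwise
    'action' (Report or Block, depending on the Rapid Config mode)."""
    out = []
    for process, cmdline in events:
        if not trigger.matches(process, cmdline):
            out.append((cmdline, "ignored"))
        elif exclusion.matches(process, cmdline):
            out.append((cmdline, "excluded"))
        else:
            out.append((cmdline, "action"))
    return out


# Rule, command line and broad Exclusion quoted from the article.
TRIGGER = CmdlineRule.parse("<cmdline:*create*>sc.exe")
ARTICLE_CMDLINE = ("sc create AcmeSoftware binPath=C:\\Windows\\System32\\Drivers\\AcmeSoftware.sys "
                   "type=kernel start=boot error=normal")
BROAD_EXCLUSION = CmdlineRule.parse("<cmdline:*AcmeSoftware*>sc.exe")

# Constructed for this example: a tighter Exclusion that pins the service name and
# driver path but tolerates changes to the trailing options, plus command lines
# that a good Exclusion should not excuse.
TIGHT_EXCLUSION = CmdlineRule.parse(
    "<cmdline:*create AcmeSoftware binPath=C:\\Windows\\System32\\Drivers\\AcmeSoftware.sys*>sc.exe")
SAMPLE_EVENTS = [
    ("sc.exe", ARTICLE_CMDLINE),
    ("sc.exe", "sc create OtherSvc binPath=C:\\Tools\\AcmeSoftware\\helper.exe"),  # merely mentions the name
    ("sc.exe", "sc query AcmeSoftware"),   # no 'create', so the rule never fires
    ("cmd.exe", ARTICLE_CMDLINE),           # same text, but a different process
]

if __name__ == "__main__":
    for label, excl in (("broad", BROAD_EXCLUSION), ("tight", TIGHT_EXCLUSION)):
        print(f"--- {label} exclusion: <cmdline:{excl.portion}>{excl.process}")
        for cmdline, outcome in evaluate(TRIGGER, excl, SAMPLE_EVENTS):
            print(f"{outcome:9} {cmdline}")
```

Running the script shows why the broad Exclusion is risky: it also excuses the constructed OtherSvc command line, which only happens to contain the string AcmeSoftware, whereas the tighter pattern leaves that event for the Rapid Config to act on. Because the wildcard and anchoring behaviour here is assumed, confirm how the Agent actually matches a pattern in Report mode, as the notes below advise, before relying on an exact-match Exclusion.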

Additional Notes

  • Further testing should be done to determine how specific to make the Exclusion while still allowing the desired functionality.
  • Exclusions may need to be adjusted over time depending on changes made by third-party vendors.
  • It is recommended to start with Rapid Configs in Report mode before changing to Block, which provides an opportunity to test changes.

Article Information
Creation Date: 01-24-2024