Security Connect 2021 is coming Jun 3. Register for free today!

Carbon Black Cloud: How to Configure Policy Rules

Carbon Black Cloud: How to Configure Policy Rules

Environment

  • Carbon Black Cloud Console: All Versions (Formerly CB Defense PSC)
  • Carbon Black Cloud Sensor: All Versions
  • Microsoft Windows: All Supported Versions
  • Apple macOS: All Supported Versions

Objective

Create policy rules for permission or blocking.

Cb Defense Windows Sensor Versions 1.0.6.178 and greater support using drive letters in the policy rules along with the * and ** syntax described below. MAC OS is unaffected.


Resolution

Permissions Rule

  1. Log into the Carbon Black Cloud Console
  2. Go to Enforce > Policies
  3. Select the desired Policy
  4. Scroll down to the Permissions section
  5. Click Add application path
  6. Enter the path of the desired application
  7. Select the desired Operation Attempt
  8. Select the desired Action
  9. Click the Confirm button
  10. Click Save (top or bottom of the page)

Blocking and Isolation Rule (Reputation Based)

  1. Log into the Carbon Black Cloud Console
  2. Go to Enforce > Policies
  3. Select the desired Policy
  4. Scroll down to the Blocking and Isolation section
  5. Click Edit (pencil icon) for the desired Reputation
  6. Select the desired Operation Attempt
  7. Select the desired Action
  8. Click the Confirm button
  9. Click Save (top or bottom of the page)

Blocking and Isolation Rule (Path Based)

  1. Log into the Carbon Black Cloud Console
  2. Go to Enforce > Policies
  3. Select the desired Policy
  4. Scroll down to the Blocking and Isolation section
  5. Click Add application path
  6. Enter the path of the desired application
  7. Select the desired Operation Attempt
  8. Select the desired Action
  9. Click the Confirm button
  10. Click Save (top or bottom of the page)

Additional Notes

Policy Creation and General Use Guidelines

  • Create a Test Policy with one or more devices to test a Permissions or Blocking and Isolation rule
    If a rule is added that is not correct and has not been tested, it will affect every machine in that Policy
    Once testing has been completed, it is then recommended to place the rule into a production Policy
  • Policies are not 100% effective, it is imperative to test prior to implementation in production
  • Record updates to Policies to be able to revert changes when needed
  • Custom Policy rules supersede whitelisted and blacklisted objects/hashes
  • Policy Rules can be tested by selecting Test Rule next to the desired Operation Attempt

 

Related Content


Was this article helpful? Yes No
67% helpful (2/3)
Article Information
Author:
Creation Date:
‎09-17-2018
Views:
4903
Contributors