logo

Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

Endpoint Standard: How to Create Policy Blocking & Isolation and Permissions Exclusions

Endpoint Standard: How to Create Policy Blocking & Isolation and Permissions Exclusions

Environment

  • Carbon Black Cloud Console
  • Carbon Black Cloud Sensor: 1.0.6.178 and Higher
    • Endpoint Standard

Objective

Demonstrate syntax for permissions or blocking rules

Resolution

Using Application Path rules is a flexible way to apply a rule to the following:

  1. A specific application path, example: c:\Program Files\MyApp\myapp.exe
  2. All files in a specific folder, example:  c:\Program Files\MyApp\*
  3. All files in a specific folder and sub-folders, example:  c:\Program Files\MyApp\**
  4. All files in a specific sub-folder, when ancestor folder is unknown, example, for any user name: c:\Users\*\Desktop\build\**

These Examples are for MAC:

  • For simple recursive rules, use the following for best sensor performance when defining MAC policies 
    /users/*/Documents
  • Recursive Wild Card Matching 
    /users/*/Documents/**
  • Recursive Prefix Matching 
    /users/*/**/*.dmg
/Applications/Lion.app/**/*.py
  • Non Recursive Wild Card Matching 
    /users/*/Documents/*
  • These two examples result in the same behavior, but the second one is a little cleaner on the syntax 
    /Applications/Lion.app/**/*
/Applications/Lion.app/**
  • This example would indicate exactly 3 level directories and will not match anything in level 2 or 4 
    /Applications/Lion.app/*/*/*
Specifically: /Applications/Lion.app/a/b/c

These examples are for Windows:

Example 1:

  1. **\Program Files\Custom App Suite\App*\App*.exe
  2. **\Program Files\Custom App Suite\**
  3. **\Program Files\Custom App Suite\App*

Example 2:

  1. **\Windows\Microsoft.NET\Framework64\*\mscorsvw.exe
  2. **\Windows\Microsoft.NET\Framework64\*\mscorsvw.*
  3. **\Windows\Microsoft.NET\Framework64\*\ms*.*
  • The first ** is intended to match \\Device\Volume0\ or C:. There is a single * that is intended to match multiple releases number. So this would omit "mscorsvw.exe" from many different folders.
  • If we do * in the end - that would be anything within a directory.  e.g. **\Program Files\Custom App Suite\*
  • If we do ** in the end - that matches anything within the subtree. e.g. **\Program Files\Custom App Suite\**

 

Application Path Rules – different notations:

The following 3 types of notations are supported (this is Mac/Unix example):

1.) File notation:

  • /usr/bin/gcc
      • Note: This is a simple case. The rule will apply only to the single file/application.

2.) Directory Prefix notation:

  • Note: This type of rule will apply to all files and subdirs in a folder recursively. Using the directory prefix notation is the easiest way to apply a rule to all files in a folder and all sub-folders, without using the more complicated Glob Matching notation.
  • Example: /opt/my_dev_tools/
    • Note the trailing path separator to indicate a directory. This is a preferred way of defining a rule to an equivalent Glob Matching / wild-card notation (better performance on the sensor and good practice to minimize * and ** if possible).

3.) Glob Matching / Wild-card notation:

  • The glob matching notation contains at least one single * or double ** asterisk.
  • A single * asterisk will match everything up to the next path separator. It can be applied to generalize a folder or file name.
    • Example: c:\Program Files\Visual Studio 8\*.exe
      • Note: Applies to all files with .exe extensions in c:\Program Files\Visual Studio 8 folder.
    •      Example: c:\Program Files\Visual Studio*\*.exe
      • Note: Applies to files with .exe extensions, in c:\Program Files sub-folders with names starting with “Visual Studio”
  • A double ** asterisk will match everything across multiple path separators, until a match is found. Typically, ** is used to apply a rule to files in sub-directories recursively.
    • Example: **\Program Files\Visual Studio\**
      • Note: Applies to all files in C:\Program Files\Visual Studio and its sub-folders.
    • Example: **\Visual Studio\**
      • Applies to all files in Visual Studio folder and its sub-folders, regardless of the location of the Visual Studio folder.
  • Single * and double ** asterisks can be combined to form a single rule:
    • Example: /Users/*/Desktop/my_dev_tools/**
      • Note: This rule applies to all files in my_dev_tools folder and sub-folders, for any user.

Additional Notes

  • Example: /Users/*/Desktop/build/**
    • Note: Applies to all files in any user’s Desktop/build folder and sub-folders.
  • Example: /Volumes/*/dir1/**/build/**
    • Note: If build folder resides in a less defined location, use more * or ** in the middle of the path. Applies to all files under the build folder, at any mount point, multiple levels under dir1
    • Note: If location is completely fixed, it is possible to use either of:
      • /build/  (using the Directory Prefix notation) or /build/**  ( equivalent to /build/ but using Wildcard Match notation)
  • It is possible to apply a rule to a specific file, regardless of location:
    • Example: **\excluded_executable.exe
  • System variables are allowed
    • %WINDIR%

Related Content


Was this article helpful? Yes No
100% helpful (4/4)
Article Information
Author:
CB_Support
Creation Date:
‎09-08-2020
Views:
20473
Contributors
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.