Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Endpoint Standard: How to Create Policy Blocking & Isolation and Permissions Exclusions

Endpoint Standard: How to Create Policy Blocking & Isolation and Permissions Exclusions

Environment

  • Carbon Black Cloud Console
  • Carbon Black Cloud Sensor: 1.0.6.178 and Higher
    • Endpoint Standard

Objective

Demonstrate syntax for permissions or blocking rules

Resolution

Using Application Path rules is a flexible way to apply a rule to the following:

  1. A specific application path, example: c:\Program Files\MyApp\myapp.exe
  2. All files in a specific folder, example:  c:\Program Files\MyApp\*
  3. All files in a specific folder and sub-folders, example:  c:\Program Files\MyApp\**
  4. All files in a specific sub-folder, when ancestor folder is unknown, example, for any user name: c:\Users\*\Desktop\build\**

These Examples are for MAC:

  • For simple recursive rules, use the following for best sensor performance when defining MAC policies
    /users/*/Documents
  • Recursive Wild Card Matching
    /users/*/Documents/**
  • Recursive Prefix Matching
    /users/*/**/*.dmg
    /Applications/Lion.app/**/*.py
  • Non Recursive Wild Card Matching
    /users/*/Documents/*
  • These two examples result in the same behavior, but the second one is a little cleaner on the syntax
    /Applications/Lion.app/**/*
    /Applications/Lion.app/**
  • This example would indicate exactly 3 level directories and will not match anything in level 2 or 4
    /Applications/Lion.app/*/*/*
    Specifically: /Applications/Lion.app/a/b/c

These examples are for Windows:

Example 1:

  1. **\Program Files\Custom App Suite\App*\App*.exe
  2. **\Program Files\Custom App Suite\**
  3. **\Program Files\Custom App Suite\App*

Example 2:

  1. **\Windows\Microsoft.NET\Framework64\*\mscorsvw.exe
  2. **\Windows\Microsoft.NET\Framework64\*\mscorsvw.*
  3. **\Windows\Microsoft.NET\Framework64\*\ms*.*
  • The first ** is intended to match \\Device\Volume0\ or C:. There is a single * that is intended to match multiple releases number. So this would omit "mscorsvw.exe" from many different folders.
  • If we do * in the end - that would be anything within a directory.  e.g. **\Program Files\Custom App Suite\*
  • If we do ** in the end - that matches anything within the subtree. e.g. **\Program Files\Custom App Suite\**

 

Application Path Rules – different notations:

The following 3 types of notations are supported (this is Mac/Unix example):

1.) File notation:

  • /usr/bin/gcc
      • Note: This is a simple case. The rule will apply only to the single file/application.

2.) Directory Prefix notation:

  • Note: This type of rule will apply to all files and subdirs in a folder recursively. Using the directory prefix notation is the easiest way to apply a rule to all files in a folder and all sub-folders, without using the more complicated Glob Matching notation.
  • Example: /opt/my_dev_tools/
    • Note the trailing path separator to indicate a directory. This is a preferred way of defining a rule to an equivalent Glob Matching / wild-card notation (better performance on the sensor and good practice to minimize * and ** if possible).

3.) Glob Matching / Wild-card notation:

  • The glob matching notation contains at least one single * or double ** asterisk.
  • A single * asterisk will match everything up to the next path separator. It can be applied to generalize a folder or file name.
    • Example: c:\Program Files\Visual Studio 8\*.exe
      • Note: Applies to all files with .exe extensions in c:\Program Files\Visual Studio 8 folder.
    •      Example: c:\Program Files\Visual Studio*\*.exe
      • Note: Applies to files with .exe extensions, in c:\Program Files sub-folders with names starting with “Visual Studio”
  • A double ** asterisk will match everything across multiple path separators, until a match is found. Typically, ** is used to apply a rule to files in sub-directories recursively.
    • Example: **\Program Files\Visual Studio\**
      • Note: Applies to all files in C:\Program Files\Visual Studio and its sub-folders.
    • Example: **\Visual Studio\**
      • Applies to all files in Visual Studio folder and its sub-folders, regardless of the location of the Visual Studio folder.
  • Single * and double ** asterisks can be combined to form a single rule:
    • Example: /Users/*/Desktop/my_dev_tools/**
      • Note: This rule applies to all files in my_dev_tools folder and sub-folders, for any user.

Additional Notes

  • Example: /Users/*/Desktop/build/**
    • Note: Applies to all files in any user’s Desktop/build folder and sub-folders.
  • Example: /Volumes/*/dir1/**/build/**
    • Note: If build folder resides in a less defined location, use more * or ** in the middle of the path. Applies to all files under the build folder, at any mount point, multiple levels under dir1
    • Note: If location is completely fixed, it is possible to use either of:
      • /build/  (using the Directory Prefix notation) or /build/**  ( equivalent to /build/ but using Wildcard Match notation)
  • It is possible to apply a rule to a specific file, regardless of location:
    • Example: **\excluded_executable.exe
  • System variables are allowed
    • %WINDIR%

Related Content


Was this article helpful? Yes No
100% helpful (4/4)
Article Information
Author:
Creation Date:
‎09-08-2020
Views:
20184
Contributors