How to Create Exclusions or Inclusions for VMware Carbon Black Cloud

Summary: Learn how to configure VMware Carbon Black exclusions and inclusions by following these step-by-step instructions.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Instructions

VMware Carbon Black uses Reputation and Permission rules to handle next-generation antivirus (NGAV) exclusions (approved lists) and inclusions (banned lists). VMware Carbon Black Standard, VMware Carbon Black Cloud Advanced, and VMware Carbon Black Cloud Enterprise use Endpoint detection and response (EDR). EDR is also affected by Reputation and Permission rules. This article walks administrators through setting these values along with any caveats that may be relevant.

Affected Products:

  • VMware Carbon Black Cloud Prevention
  • VMware Carbon Black Cloud Standard
  • VMware Carbon Black Cloud Advanced
  • VMware Carbon Black Cloud Enterprise

Affected Operating Systems:

  • Windows
  • Mac
  • Linux

VMware Carbon Black Onboarding Part 3: Policies and Groups

Duration: 03:37
Closed captions: Available in multiple languages

VMware Carbon Black Cloud uses a combination of Policies and Reputation to determine what operations take place.

Click the appropriate topic for more information.

Policies

VMware Carbon Black Cloud Prevention policies differ from the policies of VMware Carbon Black Cloud Standard, Advanced, and Enterprise. Click the appropriate product for more information.

Prevention

VMware Carbon Black Cloud Prevention provides a streamlined approach to Permissions Rules and Blocking and Isolation Rules because it does not use EDR.

Note: Additional options are included within VMware Carbon Black Cloud Standard, VMware Carbon Black Cloud Advanced, and VMware Carbon Black Cloud Enterprise. For information about the additional options that affect EDR, reference the Standard, Advanced, and Enterprise section of this article.

Click the appropriate topic for more information.

Permissions Rules

Permissions rules determine what operations applications at specified paths can perform.

Permissions rules are path-based and take precedence over both Blocking and Isolation rules as well as Reputation.

  1. In a web browser, go to [REGION].conferdeploy.net.
    Note: [REGION] = Region of tenant
  2. Sign In to the VMware Carbon Black Cloud.
    Sign in
  3. In the left menu pane, click Enforce.
    Enforce
  4. Click Policies.
    Policies
  5. Select the policy set to modify.
    Selecting a policy set
    Note: The example images use Standard as the policy set chosen to modify.
  6. In the right menu pane, click Prevention.
    Prevention
  7. Click to expand Permissions.
    Permissions
  8. Click to expand Add application path.
    Add application path
  9. Populate the intended path to set a bypass on.
    Setting a bypass
    Note:
    • The example image uses the following paths:
      • *:\program files\dell\dell data protection\**
      • *:\programdata\dell\dell data protection\**
    • In this example, the actions that are applied affect all files on all drives containing the paths \program files\dell\dell data protection\ and \programdata\dell\dell data protection\.
    • VMware Carbon Black’s Permissions list leverages a glob-based formatting structure.
    • Environment variables such as %WINDIR% are supported.
    • A single asterisk (*) matches all characters within the same directory.
    • Double asterisks (**) match all characters within the same directory, multiple directories, and all directories above or below the specified location or file.
    • Examples:
      • Windows: **\powershell.exe
      • Mac: /Users/*/Downloads/**
  10. Select the Action to be enforced.
    Selecting an action
    Note:
    • In the example image, operation attempts are given different actions by selecting either Allow or Bypass.
    • When the operation attempt of Performs any operation is selected, this overrides any other operation attempt and disables the selection of any other option.
    • Action definitions:
      • Allow - Allows the behavior in the specified path with information about the action being logged by VMware Carbon Black Cloud.
      • Bypass - All behavior is allowed in the specified path. No information is collected.
  11. Click Save in the upper right, or at the bottom of the page.
    Save
Blocking and Isolation Rules

Blocking and Isolation rules are path-based and take precedence over Reputation. Blocking and Isolation rules allow us to set a "Deny operation" or "Terminate process" action when a specific operation is attempted.

  1. In a web browser, go to [REGION].conferdeploy.net.
    Note: [REGION] = Region of tenant
  2. Sign In to the VMware Carbon Black Cloud.
    Sign In
  3. In the left menu pane, click Enforce.
    Enforce
  4. Click Policies.
    Policies
  5. Select the policy set to modify.
    Selecting a policy set
    Note: The example images use Standard as the policy set chosen to modify.
  6. In the right menu pane, click Prevention.
    Prevention
  7. Click to expand Blocking and Isolation.
    Blocking and Isolation
  8. Populate the application path to set a Blocking and Isolation rule on.
    Populating an application path
    Note:
    • The example image uses excel.exe.
    • The actions set apply to the application with the name excel.exe ran from any directory.
    • VMware Carbon Black’s Permissions list leverages a glob-based formatting structure.
    • Environment variables such as %WINDIR% are supported.
    • A single asterisk (*) matches all characters within the same directory.
    • Double asterisks (**) match all characters within the same directory, multiple directories, and all directories above or below the specified location or file.
    • Examples:
      • Windows: **\powershell.exe
      • Mac: /Users/*/Downloads/**
  9. Click Save in the upper right.
    Save
    Note: Terminate process ends the process once the specified operation attempts to run.

Standard, Advanced, and Enterprise

VMware Carbon Black Cloud Standard, VMware Carbon Black Cloud Advanced, and VMware Carbon Black Cloud Enterprise provide options with Permissions Rules, as well as Blocking and Isolation Rules, due to inclusion of EDR.

Click the appropriate topic for more information.

Permissions Rules

Permissions rules determine what operations applications at specified paths can perform.

Permissions rules are path-based and take precedence over both Blocking and Isolation rules as well as Reputation.

  1. In a web browser, go to [REGION].conferdeploy.net.
    Note: [REGION] = Region of tenant
  2. Sign In to the VMware Carbon Black Cloud.
    Sign in
  3. In the left menu pane, click Enforce.
    Enforce
  4. Click Policies.
    Policies
  5. Select the policy set to modify.
    Selecting a policy set
    Note: The example images use Standard as the policy set chosen to modify.
  6. In the right menu pane, click Prevention.
    Prevention
  7. Click to expand Permissions.
    Permissions
  8. Click to expand Add application path.
    Add application path
  9. Populate the intended path to set a bypass on.
    Populating a path
    Note:
    • The example image uses the following paths:
      • *:\program files\dell\dell data protection\**
      • *:\programdata\dell\dell data protection\**
    • In this example, the actions that are applied affect all files on all drives containing the paths \program files\dell\dell data protection\ and \programdata\dell\dell data protection\.
    • VMware Carbon Black’s Permissions list leverages a glob-based formatting structure.
    • Environment variables such as %WINDIR% are supported.
    • A single asterisk (*) matches all characters within the same directory.
    • Double asterisks (**) match all characters within the same directory, multiple directories, and all directories above or below the specified location or file.
    • Examples:
      • Windows: **\powershell.exe
      • Mac: /Users/*/Downloads/**
  10. Select the Action to be enforced.
    Selecting an action
    Note:
    • In the example image, operation attempts are given different actions by selecting either Allow, Allow & Log, or Bypass.
    • When the operation attempt of Performs any operation is selected, this overrides any other operation attempt and disables the selection of any other option.
    • Every action except Performs any operation can be applied to multiple operation attempts.
    • Action definitions:
      • Allow - Allows the behavior in the specified path; none of the specified behavior at the path is logged. No data is sent to the VMware Carbon Black Cloud.
      • Allow & Log - Allows the behavior in the specified path; all activity is logged. All data is reported to the VMware Carbon Black Cloud.
      • Bypass - All behavior is allowed in the specified path; nothing is logged. No data is sent to the VMware Carbon Black Cloud.
  11. Click Confirm at the bottom of the Permissions to set the policy change.
    Confirm
  12. Click Save in the upper right.
    Save
Blocking and Isolation Rules

Blocking and Isolation rules are path-based and take precedence over Reputation. Blocking and Isolation rules allow us to set a "Deny operation" or "Terminate process" action when a specific operation is attempted.

  1. In a web browser, go to [REGION].conferdeploy.net.
    Note: [REGION] = Region of tenant
  2. Sign In to the VMware Carbon Black Cloud.
    Sign in
  3. In the left menu pane, click Enforce.
    Enforce
  4. Click Policies.
    Policies
  5. Select the policy set to modify.
    Selecting a policy set
    Note: The example images use Standard as the policy set chosen to modify.
  6. In the right menu pane, click Prevention.
    Prevention
  7. Click to expand Blocking and Isolation.
    Blocking and Isolation
  8. Click to expand Add application path.
    Add application path
  9. Populate the application path to set a Blocking and Isolation rule on.
    Populating an application path
    Note:
    • The example image uses excel.exe.
    • The actions set apply to the application with the name excel.exe ran from any directory.
    • VMware Carbon Black’s Permissions list leverages a glob-based formatting structure.
    • Environment variables such as %WINDIR% are supported.
    • A single asterisk (*) matches all characters within the same directory.
    • Double asterisks (**) match all characters within the same directory, multiple directories, and all directories above or below the specified location or file.
    • Examples:
      • Windows: **\powershell.exe
      • Mac: /Users/*/Downloads/**
  10. Select the Action to be taken when the operation attempt is met and then click Confirm.
    Selecting an action
  11. Click Save in the upper right.
    Save
    Note:
    • Deny operation prevents the listed application from performing the specified operation that it attempted to perform.
    • Terminate process ends the process once the specified operation attempts to run.

Reputation

VMware Carbon Black assigns a Reputation to every file that is run on a device with the sensor installed. Pre-existing files begin with an effective reputation of LOCAL_WHITE until run or until the background scan has processed them and gives a more definitive reputation.

Either Add an Application to the Reputation List or reference Reputation Descriptions. Click the appropriate topic for more information.

Add an Application to the Reputation List

An application may be added to the reputation list through either the Reputations Page or the Alerts Page. Click the appropriate option for more information.

Reputations Page
  1. In a web browser, go to [REGION].conferdeploy.net.
    Note: [REGION] = Region of tenant
  2. Sign In to the VMware Carbon Black Cloud.
    Sign in
  3. In the left menu pane, click Enforce.
    Enforce
  4. Click Reputation.
    Reputation

An administrator may add an application to the reputation list using the SHA256 Hash, IT Tool, or Signing Certificate. Click the appropriate option for more information.

SHA256 Hash
Note: Files must be known to the VMware Carbon Black Cloud by being seen within the environment, and the SHA256 hash being processed by the VMware Carbon Black Cloud. New applications may take some time after their first detection before they are known to the VMware Carbon Black Cloud. This may result in the Approved List or Banned List not being immediately assigned to an affected file.
  1. Click Add.
    Add
  2. From Add Reputation:
    1. Select Hash for the Type.
    2. Select either Approved List or Banned List for the List.
    3. Populate the SHA-256 hash.
    4. Populate a Name for the entry.
    5. Optionally, populate Comments.
    6. Click Save.
    Add Reputation menu
    Note:
    • Approved List automatically sets any affected and known file to have a reputation of Company Approved.
    • Banned List automatically sets any affected and known file to have a reputation of Company Banned.
IT Tool
  1. Click Add.
    Add
  2. From Add Reputation:
    1. Select IT Tools for the Type.
    2. Populate the relative Path of trusted IT tool.
    3. Optionally, select Include all child processes.
    4. Optionally, populate Comments.
    5. Click Save.
    Add Reputation menu
    Note:
    • IT Tools may only be added to the Approved List. Approved List automatically sets any affected and known file to have a reputation of Local White.
    • The option Include all child processes notes that, if selected, all files that are dropped by child processes of the newly defined trusted IT tool also receive the initial trust.
    • Relative paths for IT tools indicate that the path defined can be fulfilled by the defined pathing.

Example:

For the following examples, the Path of trusted IT tool is set to:

  • \sharefolder\folder2\application.exe

If an administrator attempts to run the file in these locations, the exclusion succeeds:

  • \\server\tools\sharefolder\folder2\application.exe
  • D:\ITTools\sharefolder\folder2\application.exe

If an administrator attempts to run the file in these locations, the exclusion fails:

  • E:\folder2\application.exe
  • H:\sharefolder\application.exe

In the failed examples, the path cannot be fulfilled entirely.

Signing Certificate
  1. Click Add.
    Add
  2. From Add Reputation:
    1. Select Certs for the Type.
    2. Populate the Signed by field.
    3. Optionally, populate the Certificate Authority.
    4. Optionally, populate the Comments.
    5. Click Save.

Add Reputation menu

Note:
Alerts Page
  1. In a web browser, go to [REGION].conferdeploy.net.
    Note: [REGION] = Region of tenant
  2. Sign In to the VMware Carbon Black Cloud.
    Sign in
  3. Click Alerts.
    Alerts
  4. Select the chevron next to the alert to approve the application.
    Selecting the alert
  5. Click Show all under the Remediation subsection.
    Show all
  6. Click to Add the file to either the banned list or to the approved list depending on whether the hash is untrusted or trusted.
    Adding the file to the banned list or approved list
    Note: The signing certificate may be added so that other applications that share this certificate are added automatically to the local approved list.

Reputation Descriptions

Priority Reputation Reputation Search Value Description
1 Ignore IGNORE Self-check reputation that Carbon Black Cloud assigns to product files and grants them with full permissions to run.
  • Highest Priority
  • Files have full permissions to run by Carbon Black, typically Carbon Black products
2 Company Approved List COMPANY_WHITE_LIST Hashes manually added into the Company Approved List by going to Enforce, then Reputations
3 Company Banned List COMPANY_BLACK_LIST Hashes manually added into the Company Banned List by going to Enforce, then Reputations
4 Trusted Approved List TRUSTED_WHITE_LIST Known good by Carbon Black from either the cloud, local scanner, or both
5 Known Malware KNOWN_MALWARE Known bad by Carbon Black from either the cloud, local scanner, or both
6 Suspect/Heuristic Malware SUSPECT_MALWARE HEURISTIC Suspect malware that is detected by Carbon Black, but not necessarily malicious
7 Adware/PUP Malware ADWARE PUP Adware and Potentially Unwanted Programs that are detected by Carbon Black
8 Local White LOCAL_WHITE The file has met any of the following conditions:
  • Files pre-existing before the sensor install
  • Files added to the Approved List in IT Tools by going to Enforce, then Reputations
  • Files added to the Approved List in Certs by going to Enforce, then Reputations
9 Common Approved List COMMON_WHITE_LIST The file has met any of the following conditions:
  • Hash not on any known good or known bad lists and the file is signed
  • Hash previously analyzed and is not on any known good or known bad lists
10 Not Listed/Adaptive Approved List NOT_LISTEDADAPTIVE_WHITE_LIST The Not Listed reputation indicates that after the sensor checks the application hash with Local Scanner or Cloud, no record can be found about it - it is not listed in the reputation database.
  • Cloud: Hash not previously seen
  • Local scanner: Not known bad, configured in policy
11 Unknown RESOLVING The Unknown reputation indicates that there is no response from any of the reputation sources the sensor uses.
  • Lowest Priority
  • The sensor observes file drop but does not yet have a reputation from the cloud or local scanner

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Affected Products

VMware Carbon Black
Article Properties
Article Number: 000182859
Article Type: How To
Last Modified: 15 Jul 2025
Version:  33
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.