Skip to main content
Sign Out

Welcome to Dell

My Account
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Create and access a list of your products
  • Manage your Dell EMC sites, products, and product-level contacts using Company Administration.
Sign In Create an Account Premier Sign In Partner Program Sign In
Contact Us

Article Number: 000182859

How to Create Exclusions or Inclusions for VMware Carbon Black Cloud

Summary: VMware Carbon Black exclusions and inclusions may be configured by following these instructions.

This article may have been automatically translated. If you have any feedback regarding its quality, please let us know using the form at the bottom of this page.

Article Content

Instructions

VMware Carbon Black uses Reputation and Permission rules to handle next generation anti-virus (NGAV) exclusions (approved lists) and inclusions (banned lists). VMware Carbon Black Standard, VMware Carbon Black Cloud Advanced, and VMware Carbon Black Cloud Enterprise use Endpoint detection and response (EDR). EDR is also affected by Reputation and Permission rules. This article walks administrators through setting these values along with any caveats that may be relevant.

Affected Products:

VMware Carbon Black Cloud Prevention
VMware Carbon Black Cloud Standard
VMware Carbon Black Cloud Advanced
VMware Carbon Black Cloud Enterprise

Affected Operating Systems:

Windows
Mac
Linux

 

VMware Carbon Black Onboarding Part 3: Policies and Groups

Duration: 03:37
Closed captions: Available in multiple languages

VMware Carbon Black Cloud uses a combination of Policies and Reputation to determine what operations take place.

Click the appropriate topic for more information.

VMware Carbon Black Cloud Prevention policies differ from the policies of VMware Carbon Black Cloud Standard, Advanced, and Enterprise. Click the appropriate product for more information.

VMware Carbon Black Cloud Prevention provides a streamlined approach to Permissions Rules as well as Blocking and Isolation Rules because it does not use EDR.

Note: Additional options are included within VMware Carbon Black Cloud Standard, VMware Carbon Black Cloud Advanced, and VMware Carbon Black Cloud Enterprise. For information about the additional options that affect EDR, reference the Standard, Advanced, and Enterprise section of this article.

Click the appropriate topic for more information.

Permissions rules determine what operations applications at specified paths can perform.

Permissions rules are path-based and take precedence over both Blocking and Isolation rules as well as Reputation.

To create a Permissions rule:

  1. In a web browser, go to [REGION].conferdeploy.net.
Note: [REGION] = Region of tenant
  1. Sign In to the VMware Carbon Black Cloud.

Sign in

  1. In the left menu pane, click Enforce.

Enforce

  1. Click Policies.

Policies

  1. Select the policy set you want to modify.

Selecting a policy set

Note: The example images use Standard as the policy set chosen to modify.
  1. In the right menu pane, click Prevention.

Prevention

  1. Click to expand Permissions.

Permissions

  1. Click to expand Add application path.

Add application path

  1. Populate the intended path to set a bypass on.

Setting a bypass

Note:
  • The example image uses the following paths:
    • *:\program files\dell\dell data protection\**
    • *:\programdata\dell\dell data protection\**
  • In this example, the actions that are applied affect all files on all drives containing the paths \program files\dell\dell data protection\ and \programdata\dell\dell data protection\.
  • VMware Carbon Black’s Permissions list leverages a glob-based formatting structure.
  • Environmental variables such as %WINDIR% are supported.
  • A single asterisk (*) matches all characters within the same directory.
  • Double asterisks (**) match all characters within the same directory, multiple directories, and all directories above or below the specified location or file.
  • Examples:
    • Windows: **\powershell.exe
    • Mac: /Users/*/Downloads/**
  1. Select the Action to be enforced.

Selecting an action

Note:
  • In the example image, operation attempts are given different actions by selecting either Allow or Bypass.
  • When the operation attempt of Performs any operation is selected, this overrides any other operation attempt and disables the selection of any other option.
  • Action definitions:
    • Allow - Allows the behavior in the specified path with information about the action being logged by VMware Carbon Black Cloud.
    • Bypass - All behavior is allowed in the specified path. No information is collected.
  1. Click Save in the upper right, or at the bottom of the page.

Save

Blocking and Isolation rules are path-based and take precedence over Reputation. Blocking and Isolation rules allow us to set a "Deny operation" or "Terminate process" action when a specific operation is attempted.

To create a Blocking and Isolation rule:

  1. In a web browser, go to [REGION].conferdeploy.net.
Note: [REGION] = Region of tenant
  1. Sign In to the VMware Carbon Black Cloud.

Sign In

  1. In the left menu pane, click Enforce.

Enforce

  1. Click Policies.

Policies

  1. Select the policy set you want to modify.

Selecting a policy set

Note: The example images use Standard as the policy set chosen to modify.
  1. In the right menu pane, click Prevention.

Prevention

  1. Click to expand Blocking and Isolation.

Blocking and Isolation

  1. Populate the application path to set a Blocking and Isolation rule on.

Populating an application path

Note:
  • The example image uses excel.exe.
  • The actions set apply to the application with the name excel.exe ran from any directory.
  • VMware Carbon Black’s Permissions list leverages a glob-based formatting structure.
  • Environmental variables such as %WINDIR% are supported.
  • A single asterisk (*) matches all characters within the same directory.
  • Double asterisks (**) match all characters within the same directory, multiple directories, and all directories above or below the specified location or file.
  • Examples:
    • Windows: **\powershell.exe
    • Mac: /Users/*/Downloads/**
  1. Click Save in the upper right.

Save

Note: Terminate process ends the process once the specified operation attempts to run.

VMware Carbon Black Cloud Standard, VMware Carbon Black Cloud Advanced, and VMware Carbon Black Cloud Enterprise provide options with Permissions Rules, as well as Blocking and Isolation Rules, due to inclusion of EDR.

Click the appropriate topic for more information.

Permissions rules determine what operations applications at specified paths can perform.

Permissions rules are path-based and take precedence over both Blocking and Isolation rules as well as Reputation.

To create a Permissions rule:

  1. In a web browser, go to [REGION].conferdeploy.net.
Note: [REGION] = Region of tenant
  1. Sign In to the VMware Carbon Black Cloud.

Sign in

  1. In the left menu pane, click Enforce.

Enforce

  1. Click Policies.

Policies

  1. Select the policy set you want to modify.

Selecting a policy set

Note: The example images use Standard as the policy set chosen to modify.
  1. In the right menu pane, click Prevention.

Prevention

  1. Click to expand Permissions.

Permissions

  1. Click to expand Add application path.

Add application path

  1. Populate the intended path to set a bypass on.

Populating a path

Note:
  • The example image uses the following paths:
    • *:\program files\dell\dell data protection\**
    • *:\programdata\dell\dell data protection\**
  • In this example, the actions that are applied affect all files on all drives containing the paths \program files\dell\dell data protection\ and \programdata\dell\dell data protection\.
  • VMware Carbon Black’s Permissions list leverages a glob-based formatting structure.
  • Environmental variables such as %WINDIR% are supported.
  • A single asterisk (*) matches all characters within the same directory.
  • Double asterisks (**) match all characters within the same directory, multiple directories, and all directories above or below the specified location or file.
  • Examples:
    • Windows: **\powershell.exe
    • Mac: /Users/*/Downloads/**
  1. Select the Action to be enforced.

Selecting an action

Note:
  • In the example image, operation attempts are given different actions by selecting either Allow, Allow & Log, or Bypass.
  • When the operation attempt of Performs any operation is selected, this overrides any other operation attempt and disables the selection of any other option.
  • Every action except Performs any operation can be applied to multiple operation attempts.
  • Action definitions:
    • Allow - Allows the behavior in the specified path; none of the specified behavior at the path is logged. No data is sent to the VMware Carbon Black Cloud.
    • Allow & Log - Allows the behavior in the specified path; all activity is logged. All data is reported to the VMware Carbon Black Cloud.
    • Bypass - All behavior is allowed in the specified path; nothing is logged. No data is sent to the VMware Carbon Black Cloud.
  1. Click Confirm at the bottom of the Permissions to set the policy change.

Confirm

  1. Click Save in the upper right.

Save

Blocking and Isolation rules are path-based and take precedence over Reputation. Blocking and Isolation rules allow us to set a "Deny operation" or "Terminate process" action when a specific operation is attempted.

To create a Blocking and Isolation rule:

  1. In a web browser, go to [REGION].conferdeploy.net.
Note: [REGION] = Region of tenant
  1. Sign In to the VMware Carbon Black Cloud.

Sign in

  1. In the left menu pane, click Enforce.

Enforce

  1. Click Policies.

Policies

  1. Select the policy set you want to modify.

Selecting a policy set

Note: The example images use Standard as the policy set chosen to modify.
  1. In the right menu pane, click Prevention.

Prevention

  1. Click to expand Blocking and Isolation.

Blocking and Isolation

  1. Click to expand Add application path.

Add application path

  1. Populate the application path to set a Blocking and Isolation rule on.

Populating an application path

Note:
  • The example image uses excel.exe.
  • The actions set apply to the application with the name excel.exe ran from any directory.
  • VMware Carbon Black’s Permissions list leverages a glob-based formatting structure.
  • Environmental variables such as %WINDIR% are supported.
  • A single asterisk (*) matches all characters within the same directory.
  • Double asterisks (**) match all characters within the same directory, multiple directories, and all directories above or below the specified location or file.
  • Examples:
    • Windows: **\powershell.exe
    • Mac: /Users/*/Downloads/**
  1. Select the Action to be taken when the operation attempt is met and then click Confirm.

Selecting an action

  1. Click Save in the upper right.

Save

Note:
  • Deny operation prevents the listed application from performing the specified operation that it attempted to perform.
  • Terminate process ends the process once the specified operation attempts to run.

VMware Carbon Black assigns a Reputation to every file that is run on a device with the sensor installed. Pre-existing files begin with an effective reputation of LOCAL_WHITE until run or until the background scan has processed them and gives a more definitive reputation.

Either Add an Application to the Reputation List or reference Reputation Descriptions. Click the appropriate topic for more information.

An application may be added to the reputation list through either the Reputations Page or the Alerts Page. Click the appropriate option for more information.

To add an application to the reputations list through the reputations page:

  1. In a web browser, go to [REGION].conferdeploy.net.
Note: [REGION] = Region of tenant
  1. Sign In to the VMware Carbon Black Cloud.

Sign in

  1. In the left menu pane, click Enforce.

Enforce

  1. Click Reputation.

Reputation

An administrator may add an application to the reputation list using the SHA256 Hash, IT Tool, or Signing Certificate. Click the appropriate option for more information.

Note: Files must be known to the VMware Carbon Black Cloud by being seen within the environment, and the SHA256 hash being processed by the VMware Carbon Black Cloud. New applications may take some time after their first detection before they are known to the VMware Carbon Black Cloud. This may result in the Approved List or Banned List not being immediately assigned to an affected file.

To manually add a SHA256 hash:

  1. Click Add.

Add

  1. From Add Reputation:
    1. Select Hash for the Type.
    2. Select either Approved List or Banned List for the List.
    3. Populate the SHA-256 hash.
    4. Populate a Name for the entry.
    5. Optionally, populate Comments.
    6. Click Save.

Add Reputation menu

Note:
  • Approved List automatically sets any affected and known file to have a reputation of Company Approved.
  • Banned List automatically sets any affected and known file to have a reputation of Company Banned.

To manually add an IT tool:

  1. Click Add.

Add

  1. From Add Reputation:
    1. Select IT Tools for the Type.
    2. Populate the relative Path of trusted IT tool.
    3. Optionally, select Include all child processes.
    4. Optionally, populate Comments.
    5. Click Save.

Add Reputation menu

Note:
  • IT Tools may only be added to the Approved List. Approved List automatically sets any affected and known file to have a reputation of Local White.
  • The option Include all child processes notes that, if selected, all files that are dropped by child processes of the newly defined trusted IT tool also receive the initial trust.
  • Relative paths for IT tools indicate that the path defined can be fulfilled by the defined pathing.

Example:

For the following examples, the Path of trusted IT tool is set to:

  • \sharefolder\folder2\application.exe

If an administrator attempts to run the file in these locations, the exclusion succeeds:

  • \\server\tools\sharefolder\folder2\application.exe
  • D:\ITTools\sharefolder\folder2\application.exe

If an administrator attempts to run the file in these locations, the exclusion fails:

  • E:\folder2\application.exe
  • H:\sharefolder\application.exe

In the failed examples, the path cannot be fulfilled entirely.

To manually add a signing certificate:

  1. Click Add.

Add

  1. From Add Reputation:
    1. Select Certs for the Type.
    2. Populate the Signed by field.
    3. Optionally, populate the Certificate Authority.
    4. Optionally, populate the Comments.
    5. Click Save.

Add Reputation menu

Note:

To add an application to the reputations list through the alerts page:

  1. In a web browser, go to [REGION].conferdeploy.net.
Note: [REGION] = Region of tenant
  1. Sign In to the VMware Carbon Black Cloud.

Sign in

  1. Click Alerts.

Alerts

  1. Select the chevron next to the alert for which you want to approve the application.

Selecting the alert

  1. Click Show all under the Remediation subsection.

Show all

  1. Click to Add the file to either the banned list or to the approved list depending on whether the hash is untrusted or trusted.

Adding the file to the banned list or approved list

Note: The Signing Certificate may be added so that other applications that share this certificate are added automatically to the local approved list.
Priority Reputation Reputation Search Value Description
1 Ignore IGNORE Self-check reputation that Carbon Black Cloud assigns to product files and grants them with full permissions to run.
  • Highest Priority
  • Files have full permissions to run by Carbon Black, typically Carbon Black products
2 Company Approved List COMPANY_WHITE_LIST Hashes manually added into Company Approved List by going to Enforce > Reputations
3 Company Banned List COMPANY_BLACK_LIST Hashes manually added into Company Banned List by going to Enforce > Reputations
4 Trusted Approved List TRUSTED_WHITE_LIST Known good by Carbon Black from either the cloud, local scanner, or both
5 Known Malware KNOWN_MALWARE Known bad by Carbon Black from either the cloud, local scanner, or both
6 Suspect/Heuristic Malware SUSPECT_MALWARE HEURISTIC Suspect malware that is detected by Carbon Black, but not necessarily malicious
7 Adware/PUP Malware ADWARE PUP Adware and Potentially Unwanted Programs that are detected by Carbon Black
8 Local White LOCAL_WHITE File has met any of the following conditions:
  • Files pre-existing before the sensor install
  • Files added to the Approved List in IT Tools by going to Enforce > Reputations
  • Files added to the Approved List in Certs by going to Enforce > Reputations
9 Common Approved List COMMON_WHITE_LIST File has met any of the following conditions:
  • Hash not on any known good or known bad lists AND file is signed
  • Hash previously analyzed AND not on any known good or known bad lists
10 Not Listed/Adaptive Approved List NOT_LISTEDADAPTIVE_WHITE_LIST The Not Listed reputation indicates that after the sensor checks the application hash with Local Scanner or Cloud, no record can be found about it - it is not listed in the reputation database.
  • Cloud: Hash not previously seen
  • Local scanner: Not known bad, configured in policy
11 Unknown RESOLVING The Unknown reputation indicates that there is no response from any of the reputation sources the sensor uses.
  • Lowest Priority
  • Sensor observes file drop but does not yet have reputation from the cloud or local scanner

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Additional Information

   

Videos

 

Article Properties

Affected Product

VMware Carbon Black

Last Published Date

04 Jan 2023

Version

32

Article Type

How To

Back to Top