Home
Carbon Black App Control User Guide
Memory Rules
Memory Rules let you protect a process from being accessed or altered by other processes or users.
Specifying the Notifier for Memory Rules
The App Control Agent provides notifiers that are displayed when a rule blocks an action or prompts the user for a decision to allow or block an action.

Carbon Black App Control User Guide
- Preface
  This is your guide to day-to-day administration and security monitoring tasks: monitoring executable files on your network using App Control; configuring the App Control Server; managing computers running the App Control Agent; and managing App Control Console users.
- App Control Overview
- Using the Console
  This section covers the basics of using the Carbon Black App Control Console: how to log in and out, how to navigate in the user interface from the Home page and menu system, and how to view the information Carbon Black App Control makes available to you through tables, details pages, and dashboards.
- Managing Console Login Accounts
  This section describes how to create and manage login accounts for the Carbon Black App Control Console. It also describes how to define user roles that grant access to specified features, and in some cases limit this access by policy.
- Managing Computers
  This section describes the steps necessary to install Carbon Black App Control agents on computers. It also describes how to upgrade or uninstall agents, view the details agents provide to the Carbon Black App Control Console and manage operating system updates on agent-managed systems.
- Creating and Configuring Policies
  This section explains how to create policies and change their settings, including Enforcement Levels.
- Managing Virtual Machines
  This section explains how Carbon Black App Control efficiently manages virtual machines, called clones in the console, and the template computers on which they are based.
- File, Publisher, and Application Information
  This section describes the location and contents of file information in Carbon Black App Control. It also includes:
- Approving and Banning Software
  This section describes how to approve or ban software using Carbon Black App Control. It includes information about both global and local file approval.
- Deleting Files
  This section describes how to use the Carbon Black App Control Console to delete files on Windows endpoints.
- Reputation Approval Rules
  This section describes reputation approval rules, which can be used to automatically approve files based on the file and publisher trust ratings that Carbon Black File Reputation provides.
- Managing File-Signing Certificates
  This section describes advanced features for using file-signing certificates in Carbon Black App Control file monitoring and enforcement activities.
- Managing Devices
  This section describes features for tracking and control of storage devices detected on computers running the Carbon Black App Control Agent.
- Custom Software Rules
  Custom rules define actions you want the agent to take in response to file, directory, or process activity that matches conditions you specify. They may be used to optimize performance, protect file integrity, create a trusted file path for software distribution, or meet other special needs
- Memory Rules
  Memory Rules let you protect a process from being accessed or altered by other processes or users.
  - Rule Scope
    You can create memory rules that apply to all Windows computers, regardless of which user and what process attempts to access the process you specify. You can also create a more focused scope for a rule by specifying one or more of the following criteria.
  - Specifying the Notifier for Memory Rules
    The App Control Agent provides notifiers that are displayed when a rule blocks an action or prompts the user for a decision to allow or block an action.
  - Create Memory Rules
    You create a memory rule within the Memory tab by providing general information, setting up definitions for the rule, and applying it to all or specific policies.
  - Memory Rule Fields
    The following table shows the fields available on the Add/Edit Memory Rule page.
  - Specifying the Rule Action
    The actions for a memory rule define what you want Carbon Black App Control to do if there is a memory access attempt matching the rule.
  - Specifying the Rule Permissions
    Permissions define the type of access you want to affect with this rule, such as read, write, or execution. Some options allow you to control multiple types of access.
  - Specifying Target and Source Processes
    You can specify two processes in a memory rule. Use the Target Process for processes you want the rule to restrict, monitor, or allow access to. Use the Source Process for processes requesting access to the Target Process.
  - Specifying Users or Groups
    You can create a rule that applies only when specific users or users in specific groups attempt an action.
  - Change the Rank of a Memory Rule
    Memory rules have a Rank number and are evaluated from lowest number to highest number, beginning with the rule ranked 1. By default, rules appear on the Memory Rules page in their rank order, but you can sort the table by other columns.
  - Disable or Delete a Memory Rule
    If you do not want a memory rule to be active anymore, you can either disable it, which leaves it in the rules table, or delete it from the table.
  - Viewing Rule Status on Computers
    Depending upon the number of agents managed by your Carbon Black App Control Server and whether any are disconnected, not all agents receive new or updated rules in a short amount of time.
- Registry Rules
  This chapter describes Registry rules, which control what happens when there is an attempt to make changes in the Windows Registry at locations that match paths you specify. If you choose, you can limit enforcement of the rules to specified users and/or processes.
- Script Rules
  This chapter describes Script rules, which identify files to be tracked and managed as scripts by Carbon Black App Control. The Carbon Black App Control Server includes built-in script rules, and you can create custom rules to identify other scripts.
- YARA Rules
  Carbon Black App Control provides content-based inspection by using YARA rules, which enables more granular control of the security policy in your environment. YARA rules are descriptions of malware samples that can help you detect and classify malware in files. In a rule, the criteria for the rule is defined and tags are specified. When the rule is enabled, tags are assigned to files that meet the criteria for the rule.
- Expert Rules
  Expert rules are Custom, Memory, and Registry rules created with a special interface that provides many more options than the standard interface for these rules. They are intended for expert users working with Carbon Black Support or Technical Services.
- Rapid Configs
  This chapter describes Rapid Configs, which are sets of rules that can be used to accomplish tasks such as application optimization, operating system and application hardening, and approval of files delivered by software distribution systems.
- Event Rules
  There are Event rules, which allow you to specify an action to be performed when an event matches filters you define.
- Endpoint Notifiers and Approval Requests
  This chapter describes the Carbon Black App Control features that involve interactions with endpoint users.
- Events, Alerts and Meters
  This section explains how to use Carbon Black App Control event reports and alerts to monitor file activity and other key operations on your network. It also describes tools for detecting propagation of files on your network and for keeping track of the number of times a specified file executes.
- Monitoring Change: Baseline Drift Reports
  This section describes how to use Baseline Drift Reports, which allow you to track changes in the inventory of files on systems running the Carbon Black App Control Agent.
- Advanced Threat Detection
  This section describes how you enable and use Carbon Black App Control’s Advanced Threat Indicators, and how you can monitor threats through events, file details, and alerts.
- Using and Customizing Dashboards
  Carbon Black App Control Dashboards are configurable pages containing compact windows called portlets, each of which provides access to Carbon Black App Control-related information or controls.
- Locating Files
  This section describes how to use the Find Files page to locate or verify the existence of specific executable files on computers running the Carbon Black App Control Agent. Find Files locates instances of files, not their listings in the File Catalog.
- System Configuration
  This section describes settings that enable you to configure and maintain your Carbon Black App Control Server installation. Access to the System Configuration page is available only to login accounts in the Administrators group or in customized groups with View System Configuration and Manage System Configuration check boxes selected.
- Unified Management of Multiple Servers
  If you have multiple Carbon Black App Control servers, you can centralize the management of those servers. Unified Management allows you to specify that one server can control many common management functions for any connected Carbon Black App Control servers.
- Monitoring System Health
  This section introduces the System Health page, which provides Carbon Black App Control administrators with the ability to monitor the health and performance of the Carbon Black App Control Server.
- Live Inventory SDK: Database Views
  In addition to the access provided to the Live Inventory of files and computers through the console, Carbon Black App Control provides public views into the database. You can create your own reporting and data analysis solutions through the use of these public views.
- Carbon Black App Control API
  The Carbon Black App Control API is intended for programmers who want to write code to interact with Carbon Black App Control, either using custom scripts or from other applications. It is a RESTful API that can be consumed over HTTPS protocol using any language that can create get URI requests and post/put JSON requests as well as interpret JSON responses.
- Carbon Black App Control Connector
  This section provides instructions for configuring and using the Connector, which integrates the Carbon Black App Control Server with one or more network security devices or services.
- DASCLI
  The DasCLI.exe program, referred to as DASCLI, is an executable which provides Command Line Interface (CLI) access to the Carbon Black App Control Windows Agent. Messages are transmitted between DASCLI and the Agent.
- Diagnostic Files
  The Carbon Black App Control Console includes a page that displays certain diagnostic files for the Carbon Black App Control Server and its agents. These files can be useful when you are investigating issues in your Carbon Black App Control environment with the assistance of Carbon Black Support.
- Uploading Files from Agents
  This topic describes uploading files from agents.
- Exporting Data for External Analysis
  This section provides instructions for configuring and using Carbon Black App Control External Analytics, which enables the Carbon Black App Control Server to export data it collects from endpoints to external analysis tools.

Specifying the Notifier for Memory Rules

The App Control Agent provides notifiers that are displayed when a rule blocks an action or prompts the user for a decision to allow or block an action.

For each memory rule, you can select from two sources for the notifier:

Use Policy Specific Notifier – Each policy includes an advanced setting, Enforce memory rules, which is always on. This policy setting has a Notifier field where you can specify the notifier that appears on agent computers when memory rules block an action.
If you select the Use Policy Specific Notifier for a rule, it is possible that the policy specifies <none> as the Notifier for registry rules. In this case, a notifier does not show, even for a Prompt rule. Unless you are certain that you never want to prompt the user for a response to a rule, selecting <none> for the custom rule notifier in a policy is not recommended. See Advanced Settings for more information.
Custom Notifier – Instead of the policy-specific notifier, you can choose or create a custom notifier for a memory rule. The choices appear on a menu on the Add/Edit Memory Rule page. Custom Notifiers for Prompt rules must have a notifier. Custom Notifiers for Block rules allow you to choose <none> so that no notifier appears.
When you choose Block as the rule action, you can choose <none> on the Custom Notifier menu since it is possible you want the rule to block actions without notification. A Prompt rule requires a user choice, so when you choose Prompt as the rule action, the Custom Notifier menu does not include <none>.

Note: If you are using Unified Management and create a memory rule that applies to more than one server, client servers use default notifiers, even if a custom notifier is specified on the management server.

For information on memory rule notifier settings, see Table: Memory Rule Fields.

For details on notifiers, see Endpoint Notifiers and Approval Requests.