How do I write a custom rule for Cb Protection file activity?

Custom rules should be reserved for cases when you cannot approve a file by hash with a normal file rule, as with dynamically generated content. It’s preferable to use file rules and signature rules, because custom rules incur a larger performance penalty.

  1. Identify the nature of the file activity.
  2. Select Software Rules in the Rules menu, select the Custom tab, and select Add Custom Rule.
  3. Use this format to name the rule: SU-<group name>-<application name>-<short desc.>.
    For example:
    • SU-ISO-.NET-Software-Installation
    • SU-ISO-.NET-Backup-Activity
    • SU-ISO-.NET-Dynamic-File-Creation
    • SU-ISO-BigFix-Software-Deployment
  4. Change the rule type to Advanced, set the operation to Write, and set the action to Approve.
  5. Fill in the appropriate fields in the rule based on the type of file activity you identified.
    Note: It is generally better to make your rules as specific as possible. Specify the path, process, and person executing the activity in your rules.
    • Identify the full path of the process that wrote the files, and add that to the appropriate field.
      For example: C:\program files\BigFix\besclient.exe
    • Identify the related portion of the full path of the files being written and common file names of the files being written, and add that to the rule.
    • Please note that ? and * are wildcards. ? represents any single character and * represents zero or more characters.
    • Identify the user account associated with the process writing the files and add the identified user account(s) to the rule.
    • A rule should only have service accounts and local system accounts specified.
  6. Select the policies that you want the rule to affect.
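
The following is an added example, not part of the original article or the product: a small pre-review check that tests a drafted rule against the naming format, full process path, account guidance, and wildcard semantics described in the steps above. The dict keys, account names, and sample paths are constructed for illustration, and it assumes matching is case-insensitive and that * can span backslashes.

```python
import re

# Hypothetical rule-draft structure: the dict keys are this example's own names,
# not Cb Protection field or API names.
NAME_FORMAT = re.compile(r"^SU-[^-\s]+-[^-\s]+-\S+$")

def wildcard_to_regex(pattern):
    # Per the article: ? is any single character, * is zero or more characters.
    # Assumption: matching ignores case and * may span backslashes.
    body = "".join("." if c == "?" else ".*" if c == "*" else re.escape(c)
                   for c in pattern)
    return re.compile(body, re.IGNORECASE | re.DOTALL)

def lint_rule(rule, service_accounts, must_not_match):
    """Return a list of findings; an empty list means the draft passed."""
    findings = []
    if not NAME_FORMAT.match(rule["name"]):
        findings.append("name is not SU-<group name>-<application name>-<short desc.>")
    if not re.match(r"[A-Za-z]:\\", rule["process"]):
        findings.append("process is not a full path")
    extra = [u for u in rule["users"] if u not in service_accounts]
    if extra or not rule["users"]:
        findings.append("users must be service or local system accounts")
    # Paths the rule has no business approving: any match means it is too broad.
    matcher = wildcard_to_regex(rule["write_path"])
    for path in must_not_match:
        if matcher.fullmatch(path):
            findings.append("write path also approves " + path)
    return findings

# Constructed sample data (accounts, directories and file names are made up).
SERVICE_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "CORP\\svc-bigfix"}
CANARIES = ["C:\\Users\\jsmith\\Downloads\\setup.exe",
            "C:\\Windows\\Temp\\pkg0001.tmp"]
BROAD = {"name": "BigFix writes", "process": "besclient.exe",
         "write_path": "C:\\*", "users": ["CORP\\jsmith"]}
NARROW = {"name": "SU-ISO-BigFix-Software-Deployment",
          "process": "C:\\program files\\BigFix\\besclient.exe",
          "write_path": "C:\\program files\\BigFix\\cache\\*\\pkg????.tmp",
          "users": ["NT AUTHORITY\\SYSTEM"]}

if __name__ == "__main__":
    for draft in (BROAD, NARROW):
        print(draft["name"], lint_rule(draft, SERVICE_ACCOUNTS, CANARIES) or "ok")
```

The `must_not_match` list is where a reviewer puts paths that should stay blocked, such as user download folders; a draft that matches any of them needs a tighter path before it goes into the console.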
Last modified April 28, 2017