Carbon Black (P4: Enforce): A Practical Guide / A Practical Training
- Aug 4

When managing Carbon Black, the Enforce tab plays a pivotal role. It houses the tools for creating and managing policies, which dictate how sensors interact with assets, prevent threats, and allow or block specific behaviors.
Introduction to Policies
Policies in Carbon Black are collections of prevention rules and behavioral settings. These define how sensors interact with endpoints to:

Allow or block specific behaviors.
Implement custom blocking rules.
Modify communication between sensors and the Carbon Black Cloud.
Interface Overview
When you click on the Policies section, you’ll find:
Left Panel: Lists all your created policies.
Main Panel: Contains tabs like General, Prevention, Local Scan, and Sensor for each selected policy.
-------------------------------------------------------------------------------------------------------------
Policy Tabs and Their Functions
1. General Tab
This section provides basic information about the policy:
Policy Name and Description.
Additional configurable settings.
2. Prevention Tab
This is the core of policy management. It allows users to configure:

Permissions:
Permissions are the allow-list side of a policy: paths or applications you trust and want the sensor to allow, allow and log, or bypass entirely. Compared with tools such as SentinelOne, the notable thing here is the glob-style path syntax: ** matches any number of directory levels and * matches within a single file or folder name, so one rule can cover a whole tree:
Example:
C:\windows\carbonblack\**
**\carbonblack\**
The second pattern is far broader than the first: it matches a folder named carbonblack anywhere on any drive, including one that a user (or an attacker) creates under their own profile. Prefer the narrowest pattern that still covers the legitimate install location.
Core Prevention Settings:
Use Carbon Black’s backend engines for threat detection and response. These settings allow you to configure actions like terminating processes or generating alerts.

Blocking and Isolation Rules
Carbon Black offers robust capabilities, such as path-based blocklisting. Each rule pairs a path pattern with an operation (for example, the process runs or is running) and an action (deny the operation or terminate the process):

Example: Block PowerShell and Python executables using:
**\powershell*.exe
**/python
The wildcard in the first pattern catches every file whose name starts with powershell in any folder (powershell.exe and powershell_ise.exe alike), and a pattern is matched against the whole path, so check your patterns against real process paths before deploying them. Blocking PowerShell outright will also break legitimate administration scripts, so trial such a rule in a monitoring policy first.
USB Blocking
Enable or configure USB restrictions as per your organizational requirements.
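To see what the wildcard patterns above actually match before putting them in a production policy, here is an added example of mine (not Carbon Black's code and not from the original post). It models the pattern syntax with the semantics I assume Carbon Black Cloud uses (** spans directory levels, * stays within one segment, matching is case-insensitive, / and \ are interchangeable) and runs the page's permission and blocking patterns against constructed process paths.

```python
"""Added example: dry-run Carbon Black style path patterns before deploying them.

Semantics assumed here (my reading of the pattern syntax, not quoted from VMware
documentation): ** matches any number of path segments, * matches any run of
characters inside a single segment, ? matches one character, matching is
case-insensitive, and forward and back slashes are interchangeable.
"""
import re

# Patterns from the page (the Python pattern is kept exactly as printed there).
PERMISSION_PATTERNS = [r"C:\windows\carbonblack\**", r"**\carbonblack\**"]
BLOCKING_PATTERNS = [r"**\powershell*.exe", "**/python"]

# Constructed sample process paths, not taken from any real endpoint.
SAMPLE_PATHS = [
    r"C:\WINDOWS\CarbonBlack\RepMgr.exe",
    r"C:\Users\bob\Downloads\carbonblack\payload.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    r"C:\Program Files\PowerShell\7\pwsh.exe",
    r"C:\Python312\python.exe",
]


def compile_path_pattern(pattern: str) -> re.Pattern:
    """Translate a Carbon Black style path pattern into an anchored regex."""
    pattern = pattern.replace("/", "\\")
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")          # ** may cross directory separators
            i += 2
        elif pattern[i] == "*":
            out.append(r"[^\\]*")     # * stays inside one path segment
            i += 1
        elif pattern[i] == "?":
            out.append(r"[^\\]")      # ? is a single non-separator character
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def path_matches(pattern: str, path: str) -> bool:
    """True if the full process path is covered by the pattern."""
    return compile_path_pattern(pattern).match(path.replace("/", "\\")) is not None


def audit_rules(paths, permission_patterns, blocking_patterns):
    """For each path, list which permission (bypass) and blocking patterns hit."""
    report = {}
    for path in paths:
        report[path] = {
            "permissions": [p for p in permission_patterns if path_matches(p, path)],
            "blocking": [p for p in blocking_patterns if path_matches(p, path)],
        }
    return report


if __name__ == "__main__":
    for path, hits in audit_rules(SAMPLE_PATHS, PERMISSION_PATTERNS, BLOCKING_PATTERNS).items():
        print(f"{path}\n  permissions: {hits['permissions']}\n  blocking:    {hits['blocking']}")
```

Three things fall out of the run: `**\carbonblack\**` exempts `payload.exe` sitting in a user-writable Downloads folder that merely happens to be named carbonblack, while the narrow `C:\windows\carbonblack\**` does not; `**\powershell*.exe` blocks powershell.exe and powershell_ise.exe but not PowerShell 7's pwsh.exe, so a "block PowerShell" rule needs a second pattern; and `**/python`, as printed on the page, matches nothing that ends in .exe, because the pattern has to cover the whole file name.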

3. Sensor Settings
Fine-tune how sensors operate, including options for auto-deleting known malware and enabling local scanners.

-------------------------------------------------------------------------------------------------------------
Creating a New Policy
To create a policy:
Click New Policy.
Fill in details like:
Name and Description.
Copy Settings From: Use predefined templates provided by Carbon Black for common use cases. These serve as baselines that you can modify to suit specific needs.

Predefined Policies
Predefined policies are templates that:

Establish a baseline level of enforcement.
Can be assigned to sensors.
Allow customization but cannot be deleted.
Each predefined policy, with its description (see screenshot):

After entering the policy name and description, the next tab to configure is Prevention: Core Prevention and Permissions. (I am leaving these at their defaults because these are test policies.)

In the screenshot below you can see a few Core Prevention settings predefined by Carbon Black. For example, if Carbon Black classifies a process as adware, it terminates the process automatically.
(How cool is that!) From my perspective, do not touch this configuration even when you are creating a policy for a production environment; leave it at the defaults.

To add another path or file name, click Add file path.

The last thing to configure in the policy is USB Blocking:
If needed, you can add rules to block USB devices. This is optional and depends on your use case.
Once you’ve configured the required settings, your policy is ready to go!
-------------------------------------------------------------------------------------------------------------
Reputation Management
The Reputation tab is where you can manage files and applications based on their reputation.

Blocking Hashes: You can ban specific SHA-256 hashes (Company Banned) if you know they are malicious.
Adding Exclusions: Similarly, you can approve hashes (Company Approved) to avoid false positives.

An approval or ban applies only to that exact SHA-256, so every new build of an approved application needs its own entry; for signed vendor software, approving the signing certificate is less work to maintain. Together these give you precise control over individual files on top of the policy rules.
-------------------------------------------------------------------------------------------------------------
Malware Removal
Managing detected malware is one of the core features of Carbon Black Cloud. Here’s how to handle it effectively:


Detected Malware: The Detected tab shows files classified as KNOWN_MALWARE, SUSPECT_MALWARE, or PUP (Potentially Unwanted Program). You can:
Search for specific files by hash or filename.
Take action to delete malware directly from the Investigate page.
Auto-Deleting Known Malware: You can configure policies to automatically delete known malware after a specified time.
Go to Enforce > Policies.
Select the desired policy and enable Auto-delete known malware hashes after.
Choose the time frame and save.
Deleted malware moves from the Detected tab to the Deleted tab. Remember, once malware is deleted it cannot be restored, so proceed carefully; a true-positive in the Detected tab is also your forensic evidence, so keep the delay long enough to collect what you need first.


-------------------------------------------------------------------------------------------------------------
Cloud Analysis
The Cloud Analysis feature integrates with Symantec CYNIC to improve protection against unknown threats.

Here’s how you enable it:
Navigate to Enforce > Policies.
Select a policy.
Enable Submit unknown binaries for analysis under the Sensor tab.
This submits "NOT_LISTED" binaries (e.g., .exe, .dll) to Symantec CYNIC for automated analysis. It’s worth enabling this feature to bolster your defenses against new and evolving threats.
-------------------------------------------------------------------------------------------------------------
Recommendations
Carbon Black Cloud generates recommendations to improve the health of your environment.

These suggestions are based on:
Blocked events in your organization.
Global insights from other organizations.
Accepted reputation rules.
You can review these recommendations and apply them to optimize your configurations.
-------------------------------------------------------------------------------------------------------------
Wrapping Up
That’s all you need to know about policy management in Carbon Black Cloud! From exclusions and blocking rules to handling malware and leveraging cloud analysis, you now have a solid foundation to manage policies effectively.
Keep experimenting with these settings, and don’t hesitate to tweak configurations based on your organization's needs.
I’ll leave you here for now, but stay tuned for my next guide—there’s always more to learn!
----------------------------------------------------------------------------------------------------------
Upcoming article: Carbon Black (P5: Inventory): A Practical Guide / A Practical Training
----------------------------------------------------------------------------------------------------------