App Control: File(s) Continue to be Blocked After Adding Approval Rule


Article ID: 286087


Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • File still being blocked after adding a custom rule
  • Custom rule not working

Environment

  • App Control Console: All Supported Versions
  • App Control Agent: All Supported Versions

Cause

  • Incorrect rule ranking
  • Approvals out of date at time of block
  • Misconfiguration

Resolution

  1. Confirm which rule is causing the block
    • https://community.carbonblack.com/t5/Knowledge-Base/App-Control-How-to-Tell-Which-Rule-Is-Causing-a-Block/ta-p/66272
  2. Confirm the approval rule has a ranking (Rank Column within Software Rules > Custom) and Priority/Precedence "above" the block rule
    • https://community.carbonblack.com/t5/Knowledge-Base/App-Control-Rule-Processing-Order-of-Precedence/ta-p/52405
  3. Confirm that the agent had the rule(s) at the time of event
    • Execution Control Rules:
      1. Navigate to Reports > Events and find the Execution Block event.
      2. Add the "Config List Version" column
      3. Note the Config List Version of the event
      4. Navigate to Rules > Software Rules > Custom Rules
      5. Add the "CL Version" column
      6. Note the CL Version at which the rule was added
      7. Compare the CL versions from step 3 and step 6. If the CL version of the block event is not equal to or higher than the CL version of the rule, the agent was not up to date at the time of the block.
    • File Creation Control Rules:
      1. Navigate to Reports > Events and find the New Unapproved File event.
      2. Add the "Config List Version" column
      3. Note the Config List Version of the event
      4. Navigate to Rules > Software Rules > Custom Rules
      5. Add the "CL Version" column
      6. Note the CL Version at which the rule was added
      7. Compare the CL versions from step 3 and step 6. If the CL version of the event is not equal to or higher than the CL version of the rule, the agent was not up to date at the time of file creation.
  4. Confirm the Path, Process, and User of the rule match up to the event
    • For Execution Control (Allow) rules, compare the path and process from the Execution Block event
    • For File Creation Control rules, compare the path and process from the New Unapproved File event
    • Dascli "TestPattern" can be used as described here
  5. For further assistance contact VMware Carbon Black support. Screenshots from this article and diagnostics files will be requested.
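
Steps 2 to 4 above can be run over several events at once. The following is an added example, not VMware or Carbon Black code, that returns the first check explaining each block. Assumptions: the CSV layout and the `Block Rank` column (rank of the blocking rule found in step 1) are hypothetical, a smaller rank number is assumed to sit higher in the list, and wildcard matching is approximated with a case-insensitive glob.

```python
import csv
import io
from fnmatch import fnmatchcase

# Constructed sample export. Column names follow the console columns named in
# the article; the CSV layout and "Block Rank" are assumptions for this sketch.
EVENTS_CSV = r"""Subtype,Config List Version,Path,Process,User,Block Rank
Execution Block,412,c:\tools\build\gen.exe,c:\windows\system32\cmd.exe,CORP\alice,20
Execution Block,431,c:\tools\build\gen.exe,c:\windows\explorer.exe,CORP\alice,20
Execution Block,431,c:\tools\build\gen.exe,c:\windows\system32\cmd.exe,CORP\alice,5
Execution Block,431,c:\tools\build\gen.exe,c:\windows\system32\cmd.exe,CORP\alice,20
"""

# Constructed approval rule as read from Rules > Software Rules > Custom Rules.
APPROVAL_RULE = {"CL Version": 425, "Rank": 10, "Path": r"c:\tools\build\*",
                 "Process": r"*\cmd.exe", "User": "*"}


def pattern_matches(pattern, value):
    # Approximation: case-insensitive glob. Confirm real agent behaviour with
    # dascli TestPattern, as the article suggests.
    return fnmatchcase(value.lower(), pattern.lower())


def triage(event, rule):
    """Return the first check from steps 2-4 that explains the block."""
    # Step 2 (assumption: a smaller Rank number sits higher in the list;
    # rule-type precedence from the linked article is not modelled).
    if int(rule["Rank"]) >= int(event["Block Rank"]):
        return "rank: approval rule is not above the block rule"
    # Step 3: the event's CL version must be equal to or higher than the rule's.
    if int(event["Config List Version"]) < int(rule["CL Version"]):
        return "stale: agent was not up to date at the time of the event"
    # Step 4: path, process and user of the rule must match the event.
    for field in ("Path", "Process", "User"):
        if not pattern_matches(rule[field], event[field]):
            return "mismatch: " + field
    return "ok: rule should have applied, collect diagnostics for support"


def triage_all(events_csv=EVENTS_CSV, rule=APPROVAL_RULE):
    return [triage(row, rule) for row in csv.DictReader(io.StringIO(events_csv))]


if __name__ == "__main__":
    for verdict in triage_all():
        print(verdict)
```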