Troubleshooting Unexpected Blocks

Article ID: 286112

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Steps to troubleshoot when trusted, or otherwise known-good, software is being blocked by the Agent.

Environment

  • App Control Console: All Supported Versions
  • App Control Agent: All Supported Versions

Resolution

  1. Confirm the Agent shows as Connected & Up to Date in the Console > Assets > Computers
    • The CL Version of the Agent will need to be at or above the CL Version for the latest version of the Custom Rule/Approval.
  2. Navigate to Reports > Events.
    1. Use the Saved View: Blocked Files (All)
      • Click Show Filters > Add Filter > Source > is > relevant Computer > Apply.
      • Click Show Columns > add Config List Version > Apply.
      • Set the Max Age accordingly from the dropdown.
      • Click Export to CSV.
    2. Use the Saved View: New Files (All)
      • Click Show Filters > Add Filter > Source > is > relevant Computer > Apply.
      • Click Show Columns > add Config List Version > Apply.
      • Set the Max Age accordingly from the dropdown.
      • Click Export to CSV.
  3. Verify a Custom Rule, Rapid Config, or Publisher Approval exists to handle either the Unapproved Files being written, or the File Path/Process responsible for execution.
    1. If the Rule Name references Ban:
      • For Banned File Hashes: The Ban may need to be lifted from Rules > Software Rules > Files.
      • For Banned Publishers: The Ban may need to be lifted from Rules > Software Rules > Publishers.
    2. If a Rapid Config or Custom Rule exists:
      • If the Rule Type is File Creation Control: Compare the Custom Rule against the relevant Events for New Unapproved File.
      • If the Rule Type is Execution Control > Allow: Compare the Custom Rule against the relevant Events for Execution Block.
      • If the Custom Rule has a Specific User/Group set, try changing to Any User.
      • Verify the Custom Rule is ranked above any Custom Rules that would Block Execution.
      • Verify there are no extra characters, such as a trailing space, in any of the fields.
      • Verify wildcard formatting or macro formatting.
      • Use dascli testpattern to validate the File & Process paths accordingly.
    3. Some Rapid Configs (ex: Microsoft SCCM, Windows App Store) issue Local Approvals when the file is written.
      • Verify the File Path for the New File events matches the File Path in the Rapid Config.
      • Verify no Performance Optimization Rules exist for the same path.
      • If changes were made, the files will need to be re-written for the Rapid Config to take effect.
    4. If using Publisher Approvals:
    5. If using Trusted Directory:
    6. If no Custom Rule, Rapid Config, or Publisher Approval exists or is available:
  4. If the Description shows Unanalyzed, follow the steps in Troubleshooting Unanalyzed Blocks.
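To speed up the comparison in Steps 1 and 2, the following added helper (not part of this article or the product) triages an exported Blocked Files CSV: it separates Execution Block events enforced with a Config List Version older than the rule's CL Version (the Agent had not yet received the rule) from those enforced with the rule already in place (the rule exists but did not match, so its fields need inspection). The column names, the rule CL Version and the sample rows are constructed assumptions; adjust the names to match the actual export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names are assumptions, not copied from
# a real App Control CSV; "Execution Block" / "New Unapproved File" are the
# event descriptions the article refers to.
SAMPLE_CSV = """Timestamp,Source,Description,File Name,Config List Version
2024-01-10 09:00:00,WS-01,Execution Block,C:\\Tools\\app.exe,1710
2024-01-10 09:05:00,WS-01,Execution Block,C:\\Tools\\app.exe,1715
2024-01-10 09:07:00,WS-01,New Unapproved File,C:\\Tools\\helper.dll,1715
2024-01-10 09:09:00,WS-01,Execution Block,C:\\Tools\\helper.dll,1715
"""


def triage_blocks(csv_text, rule_cl_version):
    """Return (stale, current), each mapping a blocked file path to a count.

    stale   : blocks enforced with a CL Version below the rule's CL Version,
              i.e. the Agent was not yet Up to Date when it blocked the file.
    current : blocks enforced at or above the rule's CL Version, i.e. the rule
              had reached the Agent but did not match (check rank, user/group,
              wildcards, trailing spaces).
    """
    stale = defaultdict(int)
    current = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Description"] != "Execution Block":
            continue  # New File events are reviewed separately (Step 3.2)
        cl = int(row["Config List Version"])
        bucket = stale if cl < rule_cl_version else current
        bucket[row["File Name"]] += 1
    return dict(stale), dict(current)


if __name__ == "__main__":
    # Assumed CL Version of the Custom Rule being tested.
    stale, current = triage_blocks(SAMPLE_CSV, 1712)
    print("Blocks before the rule reached the Agent:", stale)
    print("Blocks with the rule already in place:", current)
```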

If the issue persists, open a case with Support and provide:

  • Copies of the exported CSV files (from Step 2 above)
    • Events from the Saved Views: Blocked Files (All) and New Files (All) with the Columns mentioned.
  • Full page screenshots of any relevant Custom Rule or Publisher Approval.
  • The latest Agent Historical Logs from a machine that most recently enforced a related Block Event.