Initial Steps

1. Confirm the Agent shows as Connected & Up to Date in the Console > Assets > Computers
   • The CL Version of the Agent will need to be at or above the CL Version for the latest version of the Custom Rule/Approval.
   • If the Agent is having issues receiving the latest Configlist updates, see Troubleshooting Approvals Out of Date 
2. Navigate to Reports > Events.
   1. Use the Saved View: Blocked Files (All)
      • Click Show Filters > Add Filter > Source > is > relevant Computer > Apply.
      • Click Show Columns > add Config List Version > Apply.
      • Set the Max Age accordingly from the dropdown.
   2. Note the Config List Version and the Rule Name for the relevant Block Event.
      • Export to CSV to make referencing these Block Events easier, or to provide to Support.
   3. Change the Saved View: New Files (All)
      • Click Show Filters > Add Filter > Source > is > relevant Computer > Apply.
      • Click Show Columns > add Config List Version > Apply.
      • Set the Max Age accordingly from the dropdown.
   4. Note the Config List Version and the Description for the relevant Discovery Events.
      • Export to CSV to make referencing the Discovery Events easier, or to provide to Support.

Special Considerations

• Azure AD (or Entra ID) Username/Group Name in Custom Rules
• Blocks for User in Specified Group at Logon
• Blocks on "c:\windows\assembly\nativeimages" Directory
• Blocks on Programs Hosted on a Network Share
• Blocks on psscriptpolicytest Powershell Scripts
• Windows Agent 8.9.0+: Per-User Custom Rules Don't Work When a Command is Invoked with "Run As"
• Windows Agent 8.9.0 - 8.9.6: Per-user Custom Rules Not Working As Expected

Rule Name From the Block Event References Ban

• If the Rule is Block Banned File Hashes
  1. Review the file details (HASH, Reputation Data, Publisher, etc) and determine if the Ban is warranted.
  2. If the Ban is no longer necessary, remove it from Rules > Software Rules > Files and note the associated CL Version.
• If the Rule is Block Files with Banned Publishers or Certificates
  1. Review the Publisher and/or Certificate(s).
  2. If the Ban is no longer necessary, remove it from Rules > Software Rules > Publishers and note the associated CL Version.

Publisher Approvals

• If the Event Description shows EligibleForApproval
  1. Review the Publisher's details and determine whether all applications signed by that Publisher are trusted in the environment.
  2. If desired issue a Publisher Approval from Rules > Software Rules > Publishers and note the associated CL Version.
• If the Event Description shows InEligibleForApproval
  • The Agent relies upon the Windows Cryptographic API for Certificate/Publisher Validation.
  • Separate steps are required to investigate Publisher Blocks.

Trusted Directory or Global Approval

1. Navigate to Rules > Software Rules > Files
   1. Use the Saved View: (none)
   2. Add Filter > File Hash > is: <relevant SHA256 from Block Event>
   3. Click Apply
2. Verify the File Rule has been created, and the relevant CL Version
3. Compare to the Block Event CL Version
4. If a File Hash is found, but the Agent is below the relevant CL Version continue with Troubleshooting Approvals Out of Date.
5. If no File Hash is found, or the Agent is at/above the relevant CL Version 
   
   • Trusted Directory follow the steps in Troubleshooting Trusted Directory Approvals
   • Global Approval follow the instructions at the bottom in Additional Information.

Custom Rules, Rapid Configs or Updaters

• Rapid Configs are customizable and instruct the Agent to issue a Local Approval when the file is written.
  1. If the File Path includes \windowsapps\ follow steps for Windows Store App Blocks With Rapid Config Enabled.
  2. Verify critical details including...
     • File Path from the New File Events CSV matches the File Path pattern in the Rapid Config.
     • Check Performance Optimization Rules for the same path, application or process writing the files.
     • These steps will prevent future issues by properly issuing Local Approvals when the files are written.
  3. Consider retroactively issuing Local Approvals for existing files.
• Updaters are either on/off and instruct the Agent to issue a Local Approval when the file is written.
  1. Navigate to Rules > Software Rules > Updaters
  2. Verify the relevant Updater is on and the associated CL Version
  3. If the updater was on already, and the Agent is at or above the relevant CL Version follow the instructions in Additional Information
• Custom Rules have different Rule Types depending on the situational needs
  • Regardless of the Rule Type, first verify
    • Process/File Pattern matches associated Events
    • Process/File Pattern does not have extra characters, has correct wildcards or macro formatting.
    • Use dascli/b9cli testpattern to validate Process and/or File patterns.
  • File Creation Control Rules
    1. Verify the Write Action is Approve and not Allow.
    2. Compare the File Path from the New File Events CSV matches the File Path pattern in the Custom Rule.
    3. Consider retroactively issuing Local Approvals for existing files.
  • Execution Control Rules
    • The Custom Rule's Rank for any Allow/Block combination of Custom Rules
    • If the Custom Rule has a Specific User/Group set, try changing to Any User.

Still Analyzing or Unanalyzed

• Follow the steps in Troubleshooting Unanalyzed Blocks.

No Approval Method Exists/All Others

1. Solve the current issue: Retroactively Issue Local Approvals for the existing files.
2. Prevent the issue next time:
   • Consider creating a File Creation Control (Approve) Rule based on the New Files (All) results to prevent the issue next time.
   • If the files are seen on Execution, or a File Creation Control Rule cannot otherwise apply, consider creating an Execution Control (Allow) Rule.
3. Review the Best Practices > Mastering Custom Rules guide.

• Be sure to review Approval Workflows and Mastering Custom Rules in the TechDocs > Best Practices
• If the issue persists after working through the relevant steps above, open a case with Support and provide:
  • Copies of the exported CSV files (from Step 2 above)
    • Events from the Saved Views: Blocked Files (All) and New Files (All) with the Columns mentioned.
  • Full page screenshots of any relevant Custom Rule or Publisher Approval.
  • The latest Agent Historical Logs from a machine that most recently enforced a related Block Event.