Troubleshooting Unexpected Blocks

Article ID: 286112

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Steps to troubleshoot when trusted, or otherwise known-good, software is being blocked by the Agent.

Environment

  • App Control Console: All Supported Versions
  • App Control Agent: All Supported Versions

Resolution

  1. Confirm the Agent shows as Connected & Up to Date in the Console > Assets > Computers.
  2. Navigate to Reports > Events.
  3. Use the Saved View: Blocked Files (All)
    • Click Show Filters > Add Filter > Source > is > relevant Computer > Apply.
    • Set the Max Age accordingly from the dropdown.
    • Click Export to CSV.
  4. Use the Saved View: New Files (All)
    • Click Show Filters > Add Filter > Source > is > relevant Computer > Apply.
    • Set the Max Age accordingly from the dropdown.
    • Click Export to CSV.
  5. Verify a Custom Rule, Rapid Config, or Publisher Approval exists to handle either the Unapproved Files being written, or the File Path/Process responsible for execution.
    1. If the Rule Name references Ban:
      • For Banned File Hashes: The Ban may need to be lifted from Rules > Software Rules > Files.
      • For Banned Publishers: The Ban may need to be lifted from Rules > Software Rules > Publishers.
    2. If a Rapid Config or Custom Rule exists:
      • If the Rule Type is File Creation Control: Compare the Custom Rule against the relevant Events for New Unapproved File.
      • If the Rule Type is Execution Control > Allow: Compare the Custom Rule against the relevant Events for Execution Block.
      • If the Custom Rule has a Specific User/Group set, try changing to Any User.
      • Verify there are no extra characters, such as a trailing space, in any of the fields.
      • Verify wildcard formatting or macro formatting.
      • Use dascli testpattern to validate the File & Process paths accordingly.
    3. Some Rapid Configs (ex: Microsoft SCCM, Windows App Store) issue Local Approvals when the file is written.
      • Verify the File Path for the New File events matches the File Path in the Rapid Config.
      • Verify no Performance Optimization Rules exist for the same path.
      • If changes were made, the files will need to be re-written for the Rapid Config to take effect.
    4. If using Publisher Approvals:
    5. If no Custom Rule, Rapid Config, or Publisher Approval exists, or is not available:
  6. If the Description shows Unanalyzed, follow the steps in Troubleshooting Unanalyzed Blocks.
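
As an added example (not Carbon Black tooling and not code from this article), the Python sketch below runs the step 5.2 checks against a Blocked Files (All) export: it flags stray whitespace in a rule's fields and lists the block events that the rule's path and process patterns do not cover. The CSV column names, the sample rows, the `RULE` values and the simplified wildcard semantics are assumptions; macros are not expanded, and dascli testpattern remains the authoritative check.

```python
import csv, io, re

# Constructed sample of a "Blocked Files (All)" export; the column names are assumptions.
BLOCKED_CSV = r"""Subtype,Source,File Path,Process
Execution block (unapproved file),WS-01,c:\tools\build\gen.exe,c:\tools\build\make.exe
Execution block (unapproved file),WS-01,c:\tools\build\out\step2.exe,c:\tools\build\make.exe
Execution block (unapproved file),WS-01,c:\users\amy\appdata\local\temp\setup.exe,c:\windows\explorer.exe
"""

# Hypothetical Custom Rule as typed into the Console; note the trailing space in "path".
RULE = {"path": r"c:\tools\build\* ", "process": r"c:\tools\build\make.exe"}

def field_problems(value):
    """Flag stray characters that make a rule field silently fail to match."""
    problems = []
    if value != value.strip():
        problems.append("leading/trailing whitespace")
    if any(ord(ch) < 32 for ch in value):
        problems.append("control character")
    return problems

def wildcard_match(pattern, path):
    """Simplified matcher (assumption): '*' = any run, '?' = one char, case-insensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, path, re.IGNORECASE) is not None

def triage(csv_text, rule):
    """Return rule-field problems and the block events the rule does not cover."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    uncovered = [r["File Path"] for r in rows
                 if not (wildcard_match(rule["path"], r["File Path"])
                         and wildcard_match(rule["process"], r["Process"]))]
    return {"problems": {k: field_problems(v) for k, v in rule.items() if field_problems(v)},
            "uncovered": uncovered}

if __name__ == "__main__":
    as_typed = triage(BLOCKED_CSV, RULE)
    cleaned = triage(BLOCKED_CSV, {k: v.strip() for k, v in RULE.items()})
    print("as typed :", as_typed)
    print("cleaned  :", cleaned)
```

With the trailing space in place the rule covers none of the sample events; once it is removed, only the block under the user's temp folder remains uncovered and needs its own rule or approval.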

If none of these steps resolve the issue, open a case with Support and include:

  • Relevant CSV files from steps above.
  • Relevant screenshots of Rapid Config, Custom Rule, etc.
  • Steps attempted from above, and outcome.
  • Latest set of Agent Historical Logs after the block was encountered.