Unapproved (Persisted) Files handling

Article ID: 286799

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Explains what the file state "Unapproved (Persisted)" means, what its implications are, and the best practices for handling files in this state.

Environment

  • App Control Console: All Supported Versions
  • App Control Agent: All Supported Versions

Cause

  • Unapproved (Persisted) files are files that appeared after Agent Initialization while the machine was in Medium or High Enforcement.
  • These files were written when no approval method was in place to issue a Local Approval at the time of the write.
  • Execution Control Rules will allow files tagged as Unapproved (Persisted) to execute, but will not change the File State to Approved.

Resolution

To Change the File State:

  1. Issue a Local Approval of the file from the Console
    1. Open a browser to https://<SERVER>/login.php
    2. Click on Assets > Files > Files on Computers.
    3. Search for the file in question
    4. Apply Local Approval
  2. Create a File Rule to Globally Approve the file from the Console
    1. Open a browser to https://<SERVER>/login.php
    2. Click on Rules > Software Rules > Files
    3. Add new File Rule > Globally approve the SHA256 hash of the file

To Prevent Unapproved (Persisted):

  1. Custom Rules that use the Rule Type "File Creation Control" instruct the Agent to issue a Local Approval when the Agent tracks the file being written.
  2. File Creation Control Rules are not retroactive; they must be in place before the file is written.

Additional Information

  • A file being Unapproved (Persisted) does not mean it will not execute. Execution Control > Allow Rules will allow the execution of these files.
  • Unapproved (Persisted) files will not become Locally Approved when the Enforcement Level changes from Low or Visibility to Medium or High.
  • By default, Unapproved files will be issued a Local Approval upon transition (Rules > Policies > relevant Policy > Advanced > Locally approve unapproved files on transition).
  • More details on Unapproved (Persisted) files can be found in the User Guide chapter, "File, Publisher, and Application Information".