Unapproved (Persisted) Files handling
search cancel

Unapproved (Persisted) Files handling


Article ID: 286799


Updated On:


Carbon Black App Control (formerly Cb Protection)


Explain what the file state "Unapproved (Persisted)" is and its implications as well as the best practices for handling them.


  • App Control Console: All Supported Versions
  • App Control Agent: All Supported Versions


  • Unapproved (Persisted) files are files that have appeared after Agent Initialization and when the machine was in Medium or High Enforcement.
  • These are files that were written with no approval method in place to issue a Local Approval when the file was written.
  • Execution Control Rules will allow files tagged as Unapproved (Persisted) to execute, but will not change the File State to Approved.


To Change the File State:

  1. Issue a Local Approval of the file from the Console
    1. Open a browser to https://<SERVER>/login.php
    2. Click on Assets > Files > Files on Computers.
    3. Search for the file in question
    4. Apply Local Approval
  2. Create a File Rule to Globally Approve the file from the Console
    1. Open a browser to https://<SERVER>/login.php
    2. Click on Rules > Software Rules > Files
    3. Add new File Rule > Globally approve the SHA256 hash of the file

To Prevent Unapproved (Persisted):

  1. Custom Rules that use the Rule Type, "File Creation Control" will instruct the Agent to issue a Local Approval when the Agent tracks the file being written.
  2. File Creation Control Rules are not retroactive, they must be in place before the file is written.

Additional Information

  • Just because a file is Unapproved (Persisted) does not mean it will not execute. Execution Control > Allow Rules will allow the execution of these files.
  • Unapproved (Persisted) files will not become Locally Approved when changing Enforcements from Low or Visibility to Medium or High.
  • By default, Unapproved files will be issued a Local Approval upon transition (Rules > Policies > relevant Policy > Advanced > Locally approve unapproved files on transition).
  • More details on Unapproved (Persisted) files can be found in the User Guide chapter, "File, Publisher, and Application Information".