Explains what the file state "Unapproved (Persisted)" is, its implications, and the best practices for handling files in this state.
Environment
App Control Console: All Supported Versions
App Control Agent: All Supported Versions
Cause
Unapproved (Persisted) files are files that appeared after Agent Initialization while the machine was in Medium or High Enforcement.
These are files that were written with no approval method in place to issue a Local Approval when the file was written.
Execution Control Rules will allow files tagged as Unapproved (Persisted) to execute, but will not change the File State to Approved.
Resolution
To Change the File State:
- Issue a Local Approval of the file from the Console:
  1. Open a browser to https://<SERVER>/login.php
  2. Click on Assets > Files > Files on Computers
  3. Search for the file in question
  4. Apply Local Approval
- Create a File Rule to Globally Approve the file from the Console:
  1. Open a browser to https://<SERVER>/login.php
  2. Click on Rules > Software Rules > Files
  3. Add new File Rule > Globally approve the SHA256 hash of the file
To Prevent Unapproved (Persisted):
- Custom Rules that use the Rule Type "File Creation Control" will instruct the Agent to issue a Local Approval when the Agent tracks the file being written.
- File Creation Control Rules are not retroactive; they must be in place before the file is written.
Additional Information
Just because a file is Unapproved (Persisted) does not mean it will not execute. Execution Control > Allow Rules will allow the execution of these files.
Unapproved (Persisted) files will not become Locally Approved when changing Enforcements from Low or Visibility to Medium or High.
By default, Unapproved files will be issued a Local Approval upon transition (Rules > Policies > relevant Policy > Advanced > Locally approve unapproved files on transition).
More details on Unapproved (Persisted) files can be found in the User Guide chapter, "File, Publisher, and Application Information".