App Control: "High Enforcement Report Only" (HERO) Policy Still Blocking Files It Should Report On
Article ID: 287222
Updated On:
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
- Files not banned and that should be reported on with the "HERO" policy being blocked.
- Moving same agent into a different "HERO" policy reports as expected on the files being blocked by the affected "HERO" policy.
Environment
- App Control Server: All Supported Versions
Cause
Rules to allow report only of files not received by "HERO" policy.
Resolution
- Create a new "HERO" policy with the desired settings, from scratch, and name it something slightly different than the affected policy.
- Move one agent into the new "HERO" policy and see if the rules work as expected.
- If the new policy works as expected, move all relevant agents to this new policy and delete the affected policy.
Additional Information
"HERO" policies should not be used because they frequently cause a large volume of Unapproved (Persisted) files, which then require manual intervention for approval.
Feedback
Yes
No
Powered by
