App Control: "High Enforcement Report Only" (HERO) Policy Still Blocking Files It Should Report On
Article ID: 287222
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
Files that are not banned, and that the "HERO" policy should only report on, are being blocked.
Moving the same agent into a different "HERO" policy causes the files blocked by the affected "HERO" policy to be reported on as expected.
Environment
App Control Server: All Supported Versions
Cause
The rules that allow report-only handling of files were not received by the affected "HERO" policy.
Resolution
Create a new "HERO" policy with the desired settings, from scratch, and name it something slightly different than the affected policy.
Move one agent into the new "HERO" policy and see if the rules work as expected.
If the new policy works as expected, move all relevant agents to this new policy and delete the affected policy.
Additional Information
"HERO" policies should not be used because they frequently cause a large volume of Unapproved (Persisted) files, which then require manual intervention for approval.