App Control: File With 10/10 Trust Rating Blocked
Article ID: 287300
Updated On:
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
- Files with trust rating of 10/10 are blocked by App Control agent
- Reputation approvals for files enabled
- File is being seen in the environment for the first time
Environment
- App Control Server: 8.5.4 and Higher
- App Control Agent: 8.5.0 and Higher
- Microsoft Windows: All Supported Versions
Cause
Files are being approved by reputation.
Resolution
Feature is working as designed.
Additional Information
The reputation approval is applied server side first, then is sent down to the agents in the three specific scenarios: being if it was blocked before, or if the agent requests the information, or if its marked as a trusted installer. That means, a block can be received on the first attempt to run a file that was approved by reputation, if the lookup agent side cannot complete in time.
At that point, the server will send the approval to all the agents, through a normal config list update. This makes the file available to run, for future attempts (once the agent has updated its rules). No manual approval of the file, or console interaction should be required for this process. Once the first block takes place, the server will start sending that rule.
At that point, the server will send the approval to all the agents, through a normal config list update. This makes the file available to run, for future attempts (once the agent has updated its rules). No manual approval of the file, or console interaction should be required for this process. Once the first block takes place, the server will start sending that rule.
Feedback
Yes
No
Powered by
