Cb Defense: Does the Update to Certificate Whitelisting for the 3.3 Mac Sensor Affect Currently Configured Certificate Whitelists?
search cancel

Cb Defense: Does the Update to Certificate Whitelisting for the 3.3 Mac Sensor Affect Currently Configured Certificate Whitelists?

book

Article ID: 288897

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Does the update to certificate Whitelisting for the 3.3 Mac Sensor affect currently configured certificate Whitelists?

Environment

  • Cb Defense PSC Console: November '18 Release and Later
  • Cb Defense Sensor: Version 3.3.x.x and Higher
  • Apple macOS: 10.10.x and Higher
  • Certificate Whitelisting is configured

Resolution

Yes.
  • Prior to 3.3, certificate Whitelisting was done at the Organization Name level
  • Certificate Whitelisting is now more granular so that the Common Name can be used
  • Any currently configured whitelists that apply to multiple entities under the same Organization Name should be reconfigured
  • This will increase security efficacy by allowing the sensor to differentiate between Organization certificates and personal or developer level certificates
 

    Additional Information

    • See https://community.carbonblack.com/t5/Knowledge-Base/Cb-Defense-How-to-Identify-Whitelisted-Certs-That-Should-be/ta-p/64718  and https://community.carbonblack.com/t5/Knowledge-Base/Cb-Defense-How-to-Update-Certificate-Whitelist-for-3-3-Sensor-on/ta-p/64717 for steps to whitelist certificates by Common Name for the 3.3 Mac Sensor
    • Updating these certificate Whitelists to include the issuer Common Name will increase security efficacy by allowing the sensor to differentiate between Organization certificates and personal or developer level certificates
    • It is recommended to maintain the current certificate Whitelists configured for Organization Name in conjunction with the newly configured certificate Whitelists for Common Name during the process of upgrading to 3.3.x.x and higher
    • Certificate Whitelisting has a global effect, so the previously configured Certificate Whitelists should remain in place until all sensors are upgraded to 3.3.x.x or higher
    • An additional waiting period of approximately 30 days after upgrade to Sensor version 3.3 is recommended prior to removing the Organization Name Whitelists
    • This waiting period will help prevent False Positives during the file Reputation transition resulting from the Certificate update
    • The Certificate Whitelists configured for Organization Name should be removed after upgrade to Sensor version 3.3 and the recommended waiting period has elapsed