Cb Defense: How to Update Certificate Whitelist for 3.3 Sensor on Mac
search cancel

Cb Defense: How to Update Certificate Whitelist for 3.3 Sensor on Mac

book

Article ID: 288918

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Update Cert Whitelist with Common Name of Certificate Issuer to increase specificity during certificate verification for the 3.3.x.x Sensor for Mac

Environment

  • Cb Defense PSC Console: November '18 Release and Later
  • Cb Defense Sensor: Version 3.3.x.x and Higher
  • Apple macOS: 10.10.x and Higher
  • Cert Whitelisting is configured based on Certificate Issuer Organization rather than Common Name

Resolution

  1. Determine the Common Name of the Certificate to be Whitelisted
    • View Certificate in KeychainAccess.app (the Common Name of the certificate issuer is explicitly stated when viewing certificates)
    • Or use a command such as "codesign" to determine the Common Name of the certificate issuer (this can be run on binaries as needed)
      codesign -dv --verbose=4 <file_path>
  2. In the PSC Console, navigate to Enforce > Reputation
  3. Click Add
  4. Select Type: Certs
  5. Enter the Common Name into the "Signed By" field
  6. Enter CA and Comments as necessary
  7. Click Save
  8. Maintain the Certificate Whitelists configured for Organization Name in conjunction with the newly configured Certificate Whitelists for Common Name during the process of upgrading to 3.3.x.x and higher
  9. Once all Sensors are upgraded to 3.3 or higher, an additional waiting period of approximately 30 days is recommended before removing the Certificate Whitelists based on Organization Name
  10. After Sensor upgrade and waiting period, the Certificate Whitelists configured for Organization Name should be removed

Additional Information

  • For the codesign command, replace¬†<file_path> with the path to the binary or other file as needed
  • An additional waiting period of approximately 30 days after upgrade to Sensor version 3.3 is recommended prior to removing the Organization Name Whitelists
  • This waiting period will help prevent False Positives during the file Reputation transition resulting from the Certificate update