Cb Defense: How to Update Certificate Whitelist for 3.3 Sensor on Mac
Article ID: 288918
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Update the Cert Whitelist with the Common Name of the Certificate Issuer to increase specificity during certificate verification for the 3.3.x.x Sensor for Mac
Environment
Cb Defense PSC Console: November '18 Release and Later
Cb Defense Sensor: Version 3.3.x.x and Higher
Apple macOS: 10.10.x and Higher
Cert Whitelisting is configured based on Certificate Issuer Organization rather than Common Name
Resolution
Determine the Common Name of the Certificate to be Whitelisted
View the Certificate in Keychain Access.app (the Common Name of the certificate issuer is explicitly stated when viewing certificates)
Or use a command such as "codesign" to determine the Common Name of the certificate issuer (this can be run on binaries as needed)
codesign -dv --verbose=4 <file_path>
In the PSC Console, navigate to Enforce > Reputation
Click Add
Select Type: Certs
Enter the Common Name into the "Signed By" field
Enter CA and Comments as necessary
Click Save
Maintain the Certificate Whitelists configured for Organization Name in conjunction with the newly configured Certificate Whitelists for Common Name during the process of upgrading to 3.3.x.x and higher
Once all Sensors are upgraded to 3.3 or higher, an additional waiting period of approximately 30 days is recommended before removing the Certificate Whitelists based on Organization Name
After Sensor upgrade and waiting period, the Certificate Whitelists configured for Organization Name should be removed
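As an added example (not part of the vendor article or the product), the shell helper below runs the codesign command from the steps above over several binaries and lists the common names in each signing chain, so the values to enter in the console can be collected in one pass. The function names, script name and sample output are constructed for illustration; codesign prints the chain as Authority= lines with the signing certificate first and the root last.

```shell
#!/bin/sh
# Constructed sample of `codesign -dv --verbose=4` output. The vendor name,
# identifier and team ID are made up for this example.
sample_output() {
cat <<'EOF'
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
EOF
}

# Print "<position><TAB><common name>" for each Authority= line on stdin.
# codesign lists the chain leaf first: 1 = signing certificate, last = root.
authority_chain() {
    awk '/^Authority=/ { sub(/^Authority=/, ""); printf "%d\t%s\n", ++n, $0 }'
}

# Print "<path><TAB><position><TAB><common name>" for one file. codesign
# writes its display output to stderr, hence 2>&1. Unsigned and ad-hoc signed
# files produce no Authority= lines and are reported with position 0.
chain_for_file() {
    chain=$(codesign -dv --verbose=4 "$1" 2>&1 | authority_chain)
    if [ -z "$chain" ]; then
        printf '%s\t0\t(no Authority entries)\n' "$1"
        return 0
    fi
    printf '%s\n' "$chain" | while IFS= read -r entry; do
        printf '%s\t%s\n' "$1" "$entry"
    done
}

# Count distinct common names at one chain position across many files.
# stdin: chain_for_file output; $1: chain position (default 1).
count_names() {
    awk -F'\t' -v pos="${1:-1}" '$2 == pos { c[$3]++ }
        END { for (n in c) printf "%d\t%s\n", c[n], n }' | sort -rn
}

# On a Mac: sh chain_names.sh /Applications/*.app  (script name is hypothetical)
for f in "$@"; do chain_for_file "$f"; done
```

Files reported with position 0 carry no certificate chain, so a Cert entry in the console cannot match them.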
Additional Information
For the codesign command, replace <file_path> with the path to the binary or other file as needed
An additional waiting period of approximately 30 days after upgrade to Sensor version 3.3 is recommended prior to removing the Organization Name Whitelists
This waiting period will help prevent False Positives during the file Reputation transition resulting from the Certificate update