Cb Defense: How to Use Certificate Whitelisting for PKG Installers

Article ID: 288932

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Whitelist PKG installer packages based on the installer certificate

Environment

  • Cb Defense Sensor: 3.2.x.x and Higher
  • Apple macOS: All Supported Versions

Resolution

There are two methods for whitelisting PKG files by certificate.

Whitelist PKG installer from the Reputation page

  1. Navigate to Enforce > Reputation.
  2. Click the Add button in the upper right.
  3. Select the Certs tab on the configuration modal.
  4. In the "Signed by" field, enter the full common name of the installer certificate. This can be found either on the Investigate Page or with the pkgutil command. (See https://community.carbonblack.com/docs/DOC-17503)
  5. Click Save.
  6. The whitelisted cert will appear on the Enforce > Reputation page for future reference.
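
For step 4, the signer name can be read from `pkgutil --check-signature` output and compared exactly against the value to be entered in "Signed by". The script below is an added example, not Carbon Black code; the function names and the sample output (constructed, with a hypothetical vendor name and team ID) are assumptions.

```shell
#!/bin/sh
# Added example: extract the leaf signer name from `pkgutil --check-signature`
# output so the "Signed by" value can be checked before it is whitelisted.

# Reads pkgutil output on stdin; prints entry 1 of the certificate chain.
# Returns 1 when the package is unsigned or no chain is present.
leaf_signer_cn() {
    awk '
        /^[ \t]*Status:/ && /no signature/ { unsigned = 1 }
        /Certificate Chain:/ { in_chain = 1; next }
        in_chain && /^[ \t]*1\.[ \t]/ {
            sub(/^[ \t]*1\.[ \t]+/, "")   # drop the "1." list marker
            sub(/[ \t]+$/, "")            # drop trailing whitespace
            cn = $0
            exit                          # jumps to END
        }
        END { if (unsigned || cn == "") exit 1; print cn }
    '
}

# $1 = expected signer name. Exact comparison, so a shorter or look-alike
# name does not pass. Returns 0 on match, 1 on mismatch, 2 if unsigned.
signer_matches() {
    _cn=$(leaf_signer_cn) || return 2
    [ "$_cn" = "$1" ]
}

# Constructed sample output (hypothetical vendor name and team ID).
sample_signed() {
cat <<'EOF'
Package "InternalTool.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Corp (ABCDE12345)
       Expires: 2027-02-01 22:12:15 +0000
    2. Developer ID Certification Authority
    3. Apple Root CA
EOF
}

sample_unsigned() {
cat <<'EOF'
Package "Unsigned.pkg":
   Status: no signature
EOF
}

# On a Mac: sh this_script.sh /path/to/installer.pkg
if [ "$#" -gt 0 ] && command -v pkgutil >/dev/null 2>&1; then
    pkgutil --check-signature "$1" | leaf_signer_cn
fi
```

Because the whitelist extends trust to every file inside a PKG signed by the named certificate, the value entered should be the full leaf name printed here, not an intermediate or root entry from the chain.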

Whitelist PKG installer from the Investigate page

  1. Navigate to the Investigate page.
  2. Locate the PKG installer by searching for the SHA-256 value of the PKG or the package name.
  3. Click on the PKG file name.
  4. Click on the ADD button listed under the Selected App information.
  5. The whitelisted cert will appear on the Enforce > Reputation page for future reference.

Additional Information

  • The PKG cert whitelisting provides an initial level of trust to the installer package and any included code files (such as pre/post install scripts or installed executable code).
  • The included files will have a Local_White Reputation assigned even if the files themselves are not signed or would otherwise have a Not_Listed Reputation.
  • The PKG whitelist behavior is different than the binary certificate whitelist behavior; the PKG certificate whitelisting allows initial trust to propagate to the files within the installer.
  • Use cases include internal software updates that include unsigned files in the PKG, software auto-updaters with similar issues, and complex file operations during installation.