Cb Defense: How to Use Certificate Whitelisting for PKG Installers
Article ID: 288932
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Whitelist PKG installer packages based on the installer certificate
Environment
Cb Defense Sensor: 3.2.x.x and Higher
Apple macOS: All Supported Versions
Resolution
There are two methods for whitelisting PKG files by certificate.
Whitelist PKG installer from the Reputation page
Navigate to Enforce > Reputation.
Click the Add button in the upper right.
Select the Certs tab on the configuration modal.
In the "Signed by" field, enter the full common name of the installer certificate. This can be found either on the Investigate page or with the pkgutil command. (See https://community.carbonblack.com/docs/DOC-17503)
Click Save.
The whitelisted cert will appear on the Enforce > Reputation page for future reference.
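The pkgutil lookup mentioned in the "Signed by" step can be scripted. The following is an added example, not code from the vendor article: it parses `pkgutil --check-signature` output, prints the common name of the signing certificate, and refuses packages that report no signature. The function name, the sample package names and the sample output are constructed for illustration, and the output layout is assumed to match what pkgutil prints on current macOS.

```shell
#!/bin/sh
# Added example (not vendor code): pull the signing certificate's common name
# out of `pkgutil --check-signature` output for the "Signed by" field.

# Constructed sample output; names and team ID are placeholders.
SAMPLE_SIGNED='Package "ExampleApp.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Corp (ABCDE12345)
       Expires: 2027-02-01 22:12:15 +0000
    2. Developer ID Certification Authority
    3. Apple Root CA'
SAMPLE_UNSIGNED='Package "Unsigned.pkg":
   Status: no signature'

# Reads pkgutil output on stdin. Prints the common name of chain entry 1
# (the certificate that signed the PKG) and returns 0. Returns 1 with no
# output when the package is unsigned or no chain is listed.
leaf_common_name() {
    awk '
        /^[ \t]*Status:/ {
            status = $0
            sub(/^[ \t]*Status:[ \t]*/, "", status)
        }
        /^[ \t]*1\.[ \t]/ && cn == "" {
            cn = $0
            sub(/^[ \t]*1\.[ \t]*/, "", cn)
            sub(/[ \t]+$/, "", cn)
        }
        END {
            if (status == "" || status ~ /^no signature/ || cn == "") exit 1
            print cn
        }
    '
}

# Usage on a Mac: sh pkg_cn.sh /path/to/installer.pkg
if [ -n "${1:-}" ] && command -v pkgutil >/dev/null 2>&1; then
    pkgutil --check-signature "$1" | leaf_common_name ||
        echo "no usable signature on $1; do not whitelist by certificate" >&2
fi
```

Compare the printed name with the certificate shown for the same PKG on the Investigate page before saving it, since every file inside a PKG signed by that certificate inherits the trust.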
Whitelist PKG installer from the Investigate page
Navigate to the Investigate page.
Locate the PKG installer by searching for the SHA256 value of the PKG or the package name.
Click on the PKG file name.
Click on the ADD button listed under the Selected App information.
The whitelisted cert will appear on the Enforce > Reputation page for future reference.
Additional Information
PKG certificate whitelisting provides an initial level of trust to the installer package and any included code files (such as pre/post install scripts or installed executable code).
The included files will have a Local_White Reputation assigned even if the files themselves are not signed or would otherwise have a Not_Listed Reputation.
The PKG whitelist behavior differs from the binary certificate whitelist behavior: PKG certificate whitelisting allows initial trust to propagate to the files within the installer.
Use cases include internal software updates that include unsigned files in the PKG, software auto-updaters with similar issues, and complex file operations during installation.