Endpoint Standard: Adding approved reputation using IT Tools isnt working properly
Article ID: 290138
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
- Approving an application in IT Tools (Ex: C:\path\appname.exe)
- Continue to observe Alerts with unknown_app TTP attached for the Approved application
Environment
- Endpoint Standard Console: All Versions
- Endpoint Standard Sensor: All Versions
- Microsoft Windows: All Supported Versions
- Apple MacOS: All Supported Versions
Cause
- Adding an approved application using IT Tools ensures that every file created by the Approved IT Tool is assigned a LOCAL_WHITE reputation.
- Adding an Approved application to an IT Tool does not Approve the tool itself.
- Example: C:\path\appname.exe will not be whitelisted, but if C:\path\childappname.exe was generated by appname.exe then childappname.exe will be assigned a LOCAL_WHITE reputation
Resolution
An application that is Approved using the IT Tool (In the above example it would be appname.exe) using Certificate Approve or Approving the application by hash.
Feedback
Yes
No
Powered by
