Endpoint Standard: Adding approved reputation using IT Tools isn't working properly
Article ID: 290138
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
An application has been approved in IT Tools (e.g. C:\path\appname.exe).
Alerts with the unknown_app TTP attached continue to be observed for the approved application.
Environment
Endpoint Standard Console: All Versions
Endpoint Standard Sensor: All Versions
Microsoft Windows: All Supported Versions
Apple macOS: All Supported Versions
Cause
Adding an approved application using IT Tools ensures that every file created by the Approved IT Tool is assigned a LOCAL_WHITE reputation.
Adding an application as an approved IT Tool does not approve the tool itself.
Example: C:\path\appname.exe will not be whitelisted, but if C:\path\childappname.exe was generated by appname.exe, then childappname.exe will be assigned a LOCAL_WHITE reputation.
Resolution
The application that was approved as an IT Tool (appname.exe in the example above) must itself be approved, either by certificate approval or by approving the application by hash.