• Carbon Black Cloud Console: All Versions
  • Endpoint Standard (was CB Defense)
• Carbon Black Cloud macOS Sensor: 2.0.x.x and Higher
• Carbon Black Cloud Windows Sensor: 2.0.x.x and Higher
• Microsoft Windows: All Supported Versions
• Apple macOS: All Supported Versions

From the Investigate Page

1. Search for Events tied to desired application or hash
2. Select the desired Event to expand Event details
3. Click desired App tab (Parent App, Selected App, Target App)
4. Signed By field reflects Signer of file, CA reflects Certificate Authority
5. Click on Add button to right of Signed By to add the Cert (Signer+CA) to Approved List

From the Reputation Page

1. Locate Signer and Certificate Authority (CA) for desired file (can be done via Enriched Event data or directly on endpoint)
2. Log into Carbon Black Cloud Console
3. Go to Enforce > Reputation
4. Click on the +Add button
5. In the modal/pop-up, select Type: Certs
6. Enter Signer in "Signed By" field (required)

   Signed By: Google Inc

7. Enter CA in Certificate Authority field (not currently required)

   CA: VeriSign Class 3 Code Signing 2010 CA

8. Add details to Comment field as desired
9. Click Save to finish adding Cert to Approved List

• It is currently only possible to add a Signer/CA as an Approved List item, not a Banned List item
• This functionality is not currently available for Sensors on Linux distros
• To see the ability to add a Signer/CA to the Banned List, please upvote the following: https://community.carbonblack.com/t5/Idea-Central/Add-banning-by-certificate/idi-p/30165