App Control: After Approving Banned File, the State Persists
Article ID: 291219
Updated On:
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
Blocks or would-have-blocked report events for files that have been approved
Environment
- App Control Server: All Supported Versions
- App Control Agent: All Supported Versions
Cause
In some circumstances when the file ban was done for one hash type, and the approval was done for another. In this situation, the ban will take precedence
For example, if the original ban was based on the md5 hash, but the approval was done for the sha256 hash, the file will still be considered banned
For example, if the original ban was based on the md5 hash, but the approval was done for the sha256 hash, the file will still be considered banned
Resolution
- Log into the App Control console
- Navigate to Assets > Files and search for the file name
- Look at the file details and make a note of the 3 hash values
- Go to Rules > Software Rules > Files, and then use the following Filter:
File or Hash contains <md5 hash value> or <sha1 hash value> or <sha256 hash value>
- If there are any rows returned with Type = Ban or Type = Ban (Report Only)
- Go to Edit File Rule, change the Rule Type to Approval, and Save
Feedback
Yes
No
Powered by
