Troubleshooting Trusted Directory Approvals

Article ID: 369235

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Steps to troubleshoot issues with Trusted Directory Approvals.

Environment

  • App Control Agent: All Supported Versions
  • App Control Server: All Supported Versions

Resolution

Reminder: Trusted Directory approvals are not sent to Agents immediately upon activation of the directory or addition of files. There are three conditions that cause a Trusted Directory Approval to be sent to endpoints:

  • Blocked Files: If the Server has a record of a file being blocked on any endpoint, and that file is later approved via Trusted Directory, the Server sends the Approvals to the Agents immediately.
  • Execution Attempts: If a user attempts to execute an instance of a file approved by Trusted Directory on a computer connected to the Server, the Server allows the Agent to run the file immediately and sends the Approval to other Agents.
  • Installers: If a file approved by Trusted Directory is identified as an Installer, the Server begins sending the Approval to the Agents immediately.

  1. Verify the details of the Trusted Directory in: Rules > Software Rules > Directories:
    • Computer Name should not be grey for the relevant Trusted Directory; if it is, the Agent is currently Disconnected.
    • Path should still exist on the relevant endpoint.
      • Do not create multiple Trusted Directories for the same path.
      • Paths must have correct directory delimiters and characters for the relevant Operating System.
      • Case sensitivity is determined by the Operating System.
      • Paths should not include Removable Drives, as the drive letter may change and Removable Drives are not re-scanned when removed/re-attached.
    • Status should not be red (Inaccessible); if it is, the Agent or folder might have been deleted.
    • If the Agent is connected and the path exists and is accessible, continue.
  2. Click View Details on the relevant Trusted Directory.
    • Status should be Enabled.
    • Policies should match expected Policies.
    • Progress is an indicator of Crawl Jobs.
      • Each folder is a Crawl Job, and each archive is a Crawl Job.
      • One folder with 3 archives is 4 Crawl Jobs.
      • The Progress field is cumulative and the numbers do not reset.
      • The Progress numbers might actually increase, even if files have not been added.
  3. Attempt to execute the file on the endpoint hosting the Trusted Directory.
    • If a user attempts to execute an instance of a file Approved via Trusted Directory, the Server allows the Agent to run the file immediately and sends the Approval to the other Agents.

If the issue persists, open a case with Support and provide:

  • Screenshot from the Console > Rules > Software Rules > Directories > relevant Trusted Directory
  • Agent Historical Logs
  • Relevant file information:
    • Full file path & name
    • File size
    • Date added to Trusted Directory

Additional Information

  • Trusted Directories on Linux and macOS:
    • Agents do not crawl subfolders of Trusted Directories.
    • Agents do not crawl contents of archive files (zip, tar, etc.).
    • Files added to a Trusted Directory for a macOS or Linux Agent must be in the specified Trusted Directory, and expanded manually.
  • Trusted Directory Approvals are not removed when:
    • Files are deleted from the Trusted Directory.
    • The Trusted Directory is disabled or deleted in the Console.
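
The Linux and macOS limits listed above can be checked on the endpoint before a file is reported as unapproved. The following Python sketch is an added example, not the vendor's or the product's own code: `audit_trusted_directory` and `build_sample` are hypothetical names, the sample tree is constructed, and archives are recognised by content with the standard library `zipfile` and `tarfile` modules (zip and tar only).

```python
import os
import tarfile
import tempfile
import zipfile


def audit_trusted_directory(root):
    """Sort files under `root` by how a Linux/macOS Agent treats them."""
    report = {"top_level": [], "in_subfolder": [], "unexpanded_archive": []}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue  # broken symlink or special file
            rel = os.path.relpath(path, root)
            if os.path.dirname(rel):
                # Subfolders of the Trusted Directory are not crawled.
                report["in_subfolder"].append(rel)
            elif zipfile.is_zipfile(path) or tarfile.is_tarfile(path):
                # Archive contents are not crawled; expand manually.
                report["unexpanded_archive"].append(rel)
            else:
                # Sits directly in the directory: record the file size,
                # one of the details Support asks for.
                report["top_level"].append((rel, os.path.getsize(path)))
    return report


def build_sample(root):
    """Constructed sample tree, for demonstration only."""
    with open(os.path.join(root, "tool.bin"), "wb") as fh:
        fh.write(b"\x7fELF" + b"\0" * 12)
    os.mkdir(os.path.join(root, "extras"))
    with open(os.path.join(root, "extras", "helper.sh"), "w") as fh:
        fh.write("#!/bin/sh\n")
    with zipfile.ZipFile(os.path.join(root, "bundle.zip"), "w") as zf:
        zf.writestr("inner.bin", b"data")
    with tarfile.open(os.path.join(root, "pkg.tar"), "w") as tf:
        tf.add(os.path.join(root, "tool.bin"), arcname="tool.bin")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for category, items in audit_trusted_directory(tmp).items():
            print(category, items)
```

Anything reported under `in_subfolder` or `unexpanded_archive` needs to be moved into, or expanded into, the Trusted Directory itself.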