Troubleshooting Unexpected Approvals / Missed Blocks
Article ID: 377575
Products
Carbon Black App Control
Issue/Introduction
Steps to investigate when files are unexpectedly being created with a Local Approval or when the Agent did not block an Unapproved File.
Environment
- App Control Console: All Supported Versions
- App Control Agent: All Supported Versions
Resolution
1. Check if the relevant Files were issued a Local Approval:
   - Navigate to Reports > Events
   - Use the Saved View: New Files (Approved)
   - Click Show Filters
     - Add filter > Source > is: relevant Computer > Apply.
     - Set the Max Age accordingly from the dropdown.
     - Click Hide Filters.
   - Click Show Columns
     - Add the Column for Rule Name
     - Click Apply
     - Click Hide Columns
   - If relevant results are found:
     - Click Export to CSV
     - Review the Subtype column; some examples include:
       - File approved (local approval) means the Agent was in Local Approval.
       - File approved (Custom Rule) means a Custom Rule issued the Approval; review the Rule Name column.
2. Review the File Instance Details:
   - Navigate to Assets > Files > Files on Computers
   - Click Show Filters > add relevant filters, examples:
     - Computer > is: <relevant computer>
     - SHA-256 > is: <relevant hash>
     - File Name > is: <relevant name>
   - Click View Details (pencil icon) to view the File Instance Details Page.
   - Review the Local State and Global State fields.
     - Globally Approved files will have the same Local and Global State.
     - Globally Unapproved files can have different Local and Global States.
   - Local State Details: Primarily for use by Carbon Black Support, but could help determine why a file was assigned its top-level Local State.
   - Review History
     - Indicates whether the file was identified during or after Initialization
     - Files detected after Initialization are tracked as Unapproved until Approved or Banned
     - Includes any Global Approval or Ban changes for this file.
3. If necessary, remove Local, Global and/or Reputation Approval using the right-hand menu.
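To triage a large export from Reports > Events, the rows can be grouped by Subtype and Rule Name so each approval source stands out. This is an added example, not Carbon Black tooling; the column headers and the sample rows (including the rule names) are assumptions and constructed data, so adjust the header constants to match your CSV.

```python
import csv
import io
import sys
from collections import Counter, defaultdict

# Assumed header names for the exported CSV; adjust to match your export.
COL_SUBTYPE, COL_RULE, COL_FILE = "Subtype", "Rule Name", "File Name"

# Constructed sample rows for illustration, not real console output.
SAMPLE_CSV = """Source,Subtype,Rule Name,File Name
WS-01,File approved (local approval),,installer_tmp.dll
WS-01,File approved (Custom Rule),Hypothetical Updater Rule,updater.exe
WS-01,File approved (Custom Rule),Hypothetical Updater Rule,helper.dll
WS-01,File approved (Custom Rule),Hypothetical Build Rule,build_out.exe
"""

def summarize_approvals(handle):
    """Return {subtype: Counter(rule -> events)} and {(subtype, rule): file names}."""
    reader = csv.DictReader(handle)
    missing = {COL_SUBTYPE, COL_RULE} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export is missing column(s): {sorted(missing)}")
    counts = defaultdict(Counter)
    files = defaultdict(set)
    for row in reader:
        subtype = (row[COL_SUBTYPE] or "").strip()
        if not subtype:
            continue  # skip blank or truncated rows
        # Rows with an empty Rule Name still need a group key.
        rule = (row[COL_RULE] or "").strip() or "(no rule)"
        counts[subtype][rule] += 1
        files[(subtype, rule)].add((row.get(COL_FILE) or "").strip())
    return counts, files

def report(counts, files):
    """Format one line per Subtype/Rule Name pair, most events first."""
    lines = []
    for subtype, rules in sorted(counts.items()):
        for rule, n in rules.most_common():
            names = ", ".join(sorted(files[(subtype, rule)] - {""}))
            lines.append(f"{subtype} | {rule} | {n} event(s) | {names}")
    return lines

if __name__ == "__main__":
    # Usage: pass the exported CSV path; without one the constructed sample is used.
    src = (open(sys.argv[1], newline="", encoding="utf-8-sig")
           if len(sys.argv) > 1 else io.StringIO(SAMPLE_CSV))
    with src:
        print("\n".join(report(*summarize_approvals(src))))
```

A Custom Rule that accounts for most of the unexpected approvals is the first candidate to review; rows with the local approval Subtype point back to the Agent's state at the time of the event.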
If the issue persists, open a case with Support and provide:
- A copy of the CSV captured in Step 1
- If able to recreate the unexpected file approvals:
- If unable to recreate the unexpected file approvals: