Locating Global Approvals in the Environment

Article ID: 288300


Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

How to find the total number of Global Approvals in the environment, or which files are Globally Approved.

Environment

  • App Control: All Supported Versions

Resolution

Locating Global Approvals via the Console:

  • The two most common ways to locate Global Approvals are the File Rules and the File Catalog.
  • If the total quantity (or bulk removal) is desired, use the File Rules method.
  • If additional search criteria are required (ex: a specific File Path), use the File Catalog method.

File Rules

  1. Log in to the Console and navigate to Rules > Software Rules > Files
  2. Set the Saved View to (none)
  3. Click Show Filters > Add filter > Type: Approval
  4. Click Apply
    • The Item count will show the total Global Approvals (ex: Showing 25 out of 434 item(s))
    • Add other filters as desired, ex: Date Modified
    • Adjust any Global Approvals as necessary.

File Catalog

  1. Log in to the Console and navigate to Assets > Files > File Catalog
  2. Set the Saved View to Approved Files
  3. Click Show Filters to add any necessary Filters (ex: First Seen Path)
    • The use of "like" is very taxing on SQL Server and may result in the Console returning "Database timeout expired" messages.
    • If possible, avoid "contains", "begins with" and "ends with" in favor of more specific filters.


Locating Global Approvals via SQL Query:

  1. Run SQL Server Management Studio as the Carbon Black Service Account.
  2. Click New Query and execute the following:
    USE das;
    -- Each returned row is one Global Approval (the row count is used in step 3)
    SELECT First_Created, Last_Updated, First_Seen_Name, First_Seen_Path,
           Publisher_or_Company, Global_State, State_Source, Hash, description
    FROM dbo.AntibodiesGUI WITH (NOLOCK)
    WHERE Global_State = 'Approved';
  3. Review the total returned rows for the quantity of Global Approvals.
  4. If desired, use the resulting Hash in the Console's File Rule search to adjust any related Global Approval.

 

Locating Global Approvals via Command Line:

  1. Use dascli or b9cli to issue the status command:
    Windows:
    "C:\Program Files (x86)\Bit9\Parity Agent\dascli.exe" status

    Linux:
    "/opt/bit9/bin/b9cli" --status

    macOS:
    "/Applications/Bit9/Tools/b9cli" --status
  2. Locate the Cache Information section and review the total number of Global Approvals, example:
    Cache Information
    ...
        Global Approvals:  700 (696 Active)
        Global Bans:       496 (496 Active)
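The following is an added example, not part of the original article or of the product: a Python parser for the two Cache Information counter lines shown above, which reports approvals that are not active and any change from a previously recorded count. The function names and the `baseline_total` parameter are hypothetical, and the sample text is constructed from only the lines the article shows.

```python
import re

# Matches counter lines in the form shown in the article, e.g.
#   "Global Approvals:  700 (696 Active)"
COUNTER_RE = re.compile(
    r"^\s*(?P<name>Global (?:Approvals|Bans)):\s*(?P<total>\d+)\s*"
    r"\((?P<active>\d+)\s+Active\)\s*$",
    re.MULTILINE,
)

# Constructed sample: only the lines the article shows; real output has more.
SAMPLE_STATUS = """\
Cache Information
    Global Approvals:  700 (696 Active)
    Global Bans:       496 (496 Active)
"""


def parse_cache_counters(status_text):
    """Return {name: {"total", "active", "inactive"}} for each counter found."""
    counters = {}
    for m in COUNTER_RE.finditer(status_text):
        total, active = int(m["total"]), int(m["active"])
        if active > total:
            raise ValueError(f"{m['name']}: active {active} > total {total}")
        counters[m["name"]] = {
            "total": total, "active": active, "inactive": total - active}
    return counters


def check_approvals(status_text, baseline_total=None):
    """Return a list of findings; an empty list means nothing to follow up."""
    approvals = parse_cache_counters(status_text).get("Global Approvals")
    if approvals is None:
        # Fail closed: missing data is a finding, not a silent pass.
        return ["Global Approvals line not found in status output"]
    findings = []
    if approvals["inactive"]:  # total minus active, as reported by the agent
        findings.append(f"{approvals['inactive']} Global Approvals are not active")
    if baseline_total is not None and approvals["total"] != baseline_total:
        findings.append(
            f"Global Approvals changed: {baseline_total} -> {approvals['total']}")
    return findings


if __name__ == "__main__":
    for line in check_approvals(SAMPLE_STATUS, baseline_total=700) or ["OK"]:
        print(line)
```

Feed it the captured text of the status command from step 1; a changed total is a prompt to review recent entries with the File Rules filter described earlier.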

Additional Information