Version

7.2.x

Issue

After explictly approving a banned file, the file is still showing up as banned.

Symptoms

You may still see blocks or would-have-blocked report events for files that have been approved.

Cause

It is possible in some circumstances that the file ban was done for one hash type, and the approval was done for another. In this situation, the ban will take precedence. For example, if the original ban was based on the md5 hash, but the approval was done for the sha256 hash, the file will still be considered banned.

Solution

To check to see if a file still has a ban for any of its hashes, do the following:

Go to Assets > Files and search for the file name. Look at the file details and make a note of the 3 hash values.

Go to Rules > Software Rules > Files, and then use the following Filter:

     File or Hash contains <md5 hash value>

                                      or <sha1 hash value>

                                      or <sha256 hash value>

If there are any rows returned with Type = Ban or Type = Ban (Report Only), go to Edit File Rule, change the Rule Type to Approval, and Save.  That will completely remove the ban.