App Control: Approval / Software Rule Not Working As Expected

Environment

  • App Control Console: All Supported Versions
  • App Control Agent: All Supported Versions

Symptoms

  • An Approval Method (Custom Rule, Publisher Approval, Global Approval, etc.) was created.
  • Agent continues to enforce Execution Blocks.

Cause

  • The Process, File Path, or User in the Custom Rule is not specified correctly.
  • An incorrect Approval Method is being attempted (for example, File Creation Control is set to Allow instead of Approve, or the rule is attempted after the files have already been written).

Resolution

  1. Confirm the Agent shows as Connected & Up to Date in the Console > Assets > Computers
  2. Navigate to Reports > Events:
    1. Use the Saved View: Blocked Files (All)
      • Click Show Filters > Add Filter > Source > is > relevant Computer > Apply.
      • Set the Max Age accordingly from the dropdown.
      • Click Export to CSV.
    2. Use the Saved View: New Files (All)
      • Click Show Filters > Add Filter > Source > is > relevant Computer > Apply.
      • Set the Max Age accordingly from the dropdown.
      • Click Export to CSV.
  3. Confirm the details of the Software Rule (Custom/Rapid Config) accordingly:
    • Verify no extra characters, such as a trailing space in any of the fields.
    • Verify wildcard formatting or macro formatting.
    • Use dascli testpattern to validate the File & Process paths accordingly.
    • If the Rule Type is File Creation Control: Compare the Custom Rule against the relevant Events for New Unapproved File.
    • If the Rule Type is Execution Control > Allow: Compare the Custom Rule against the relevant Events for Execution Block.
    • If the Custom Rule has a Specific User/Group set, try changing to Any User.
  4. If using a Publisher Approval, confirm the reason returned in the Description of the Block Event.
  5. Try Resending All Rules to the Agent.
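
One way to run the Step 3 comparison offline against a CSV exported in Step 2 (an added example, not Carbon Black code). The column names, computer name and paths are constructed assumptions; * and ? are approximated with case-insensitive glob matching and macros are not expanded, so dascli testpattern remains the check for the Agent's own matching.

```python
import csv
import io
import re
import unicodedata

# Constructed sample standing in for the "Blocked Files (All)" CSV export.
# Column names are assumptions; adjust them to match the real export header.
SAMPLE_EXPORT = """Source,Process,File Path,Description
WS-042,c:\\windows\\system32\\cmd.exe,c:\\tools\\build\\gen.exe,Execution block (constructed)
WS-042,c:\\tools\\build\\make.exe,c:\\tools\\build\\out\\helper.dll,Execution block (constructed)
"""

def field_problems(value):
    """Return reasons a rule field may differ from how it looks in the console."""
    problems = []
    if value != value.strip():
        problems.append("leading or trailing whitespace")
    if any(unicodedata.category(ch) in ("Cf", "Cc", "Zs") and ch != " " for ch in value):
        problems.append("invisible or non-standard space character")
    if re.search(r"[\u2018\u2019\u201c\u201d]", value):
        problems.append("typographic quote")
    return problems

def glob_to_regex(pattern):
    """Approximate * and ? wildcards, case-insensitively. Macros are not expanded."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(body + r"\Z", re.IGNORECASE | re.DOTALL)

def compare_rule(rule_value, export_text, column="File Path"):
    """Return (problems, matched, unmatched) for one rule field against one CSV column."""
    regex = glob_to_regex(rule_value)
    matched, unmatched = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        (matched if regex.match(row[column]) else unmatched).append(row[column])
    return field_problems(rule_value), matched, unmatched

if __name__ == "__main__":
    # The same rule path with and without a trailing space.
    for rule in ("C:\\Tools\\Build\\* ", "C:\\Tools\\Build\\*"):
        problems, hit, miss = compare_rule(rule, SAMPLE_EXPORT)
        print(repr(rule), "problems:", problems or "none")
        print("  covers:", hit, "misses:", miss)
```

Pass column="Process" to check the rule's Process field against the same export.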

Additional Notes

  • File Creation Control Rules are not "retroactive" and will need to be in place before the files are written in order for the Agent to issue a Local Approval.
  • In some instances, a Kernel Exclusion or Performance Optimization Rule may conflict with a File Creation Control Rule, and an Execution Control Rule may be required.
  • If the issue persists, collect the following diagnostics and open a case with Support providing the CSVs collected in Step 2 above as well as the diagnostics.

Article Information
Creation Date: 11-20-2020