App Control: Approval / Software Rule Not Working As Expected
Environment
App Control Console: All Supported Versions
App Control Agent: All Supported Versions
Symptoms
An Approval Method (Custom Rule, Publisher Approval, Global Approval, etc) was created.
Agent continues to enforce Execution Blocks.
Cause
The Process, File Path, or User in the Custom Rule are not specified correctly.
Incorrect Approval Method being attempted (Example: File Creation Control is set for Allow instead of Approve, or attempted when the files are already written)
Resolution
Confirm the Agent shows as Connected & Up to Date in the Console > Assets > Computers
Navigate to Reports > Events:
Use the Saved View: Blocked Files (All)
Click Show Filters > Add Filter > Source > is > relevant Computer > Apply.
Set the Max Age accordingly from the dropdown.
Click Export to CSV.
Use the Saved View: New Files (All)
Click Show Filters > Add Filter > Source > is > relevant Computer > Apply.
Set the Max Age accordingly from the dropdown.
Click Export to CSV.
Confirm the details of the Software Rule (Custom/Rapid Config) accordingly:
Verify no extra characters, such as a trailing space in any of the fields.
File Creation Control Rules are not "retroactive" and will need to be in place before the files are written in order for the Agent to issue a Local Approval.
In some instances a Kernel Exclusion or Performance Optimization Rule may conflict with a File Creation Control Rule and an Execution Control Rule may be required.
If the issue persists, collect the following diagnostics and open a case with Support providing the CSVs collected in Step 2 above as well as the diagnostics.