Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

App Control: Approval / Software Rule Not Working As Expected

App Control: Approval / Software Rule Not Working As Expected

Environment

  • App Control Console: All Supported Versions
  • App Control Agent: All Supported Versions

Symptoms

  • An Approval Method (Custom Rule, Publisher Approval, Global Approval, etc) was created.
  • Agent continues to enforce Execution Blocks.

Cause

  • The Process, File Path, or User in the Custom Rule are not specified correctly.
  • Incorrect Approval Method being attempted (Example: File Creation Control is set for Allow instead of Approve, or attempted when the files are already written)

Resolution

  1. Confirm the Agent shows as Connected & Up to Date in the Console > Assets > Computers
  2. Navigate to Reports > Events:
    1. Use the Saved View: Blocked Files (All)
      • Click Show Filters > Add Filter > Source > is > relevant Computer > Apply.
      • Set the Max Age accordingly from the dropdown.
      • Click Export to CSV.
    2. Use the Saved View: New Files (All)
      • Click Show Filters > Add Filter > Source > is > relevant Computer > Apply.
      • Set the Max Age accordingly from the dropdown.
      • Click Export to CSV.
  3. Confirm the details of the Software Rule (Custom/Rapid Config) accordingly:
    • Verify no extra characters, such as a trailing space in any of the fields.
    • Verify wildcard formatting or macro formatting.
    • Use dascli testpattern to validate the File & Process paths accordingly.
    • If the Rule Type is File Creation Control: Compare the Custom Rule against the relevant Events for New Unapproved File.
    • If the Rule Type is Execution Control > Allow: Compare the Custom Rule against the relevant Events for Execution Block.
    • If the Custom Rule has a Specific User/Group set, try changing to Any User.
  4. If using a Publisher Approval, confirm the reason returned in the Description of the Block Event.
  5. Try Resending All Rules to the Agent.

Additional Notes

  • File Creation Control Rules are not "retroactive" and will need to be in place before the files are written in order for the Agent to issue a Local Approval.
  • In some instances a Kernel Exclusion or Performance Optimization Rule may conflict with a File Creation Control Rule and an Execution Control Rule may be required.
  • If the issue persists, collect the following diagnostics and open a case with Support providing the CSVs collected in Step 2 above as well as the diagnostics.

Related Content


Labels (1)
Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎11-20-2020
Views:
1462
Contributors