Environment

• App Control Console: All Supported Versions
• App Control Agent: All Supported Versions

Symptoms

• Known good software being blocked.
• Approval Request for known good application

Cause

• No approval mechanism in place
• Misconfigured policy rule
• Out of date Configlist (CL Version)
• Rapid Config Rules
• False Positive Reputation
• Invalid Publisher Certificate Chain
• Cache Corruption on the local Agent

Resolution

1. Determine why the block occurred.
   • What rule is listed on the events page for the block event?
   • Is there a software rule in place that should be approving the file? (File Rule, Custom Rule, Trusted Directory, etc)
     • Yes
       • Verify the path,process, user, and policy match
       • Verify the Agent is showing as the most recent CL Version
       • If publisher approvals are being utilized, confirm the validity of it
     • No
       • Review our custom rules best practice documentation
         • Cb Protection Custom Rules Best Practices, Tips and Tricks.pdf
         • Common Practices for Cb Protection on Microsoft Servers: Exchange, SQL Server, and Domain Controlle...
         • Cb Protection Deployment Strategies for Code and Application Developers.pdf
2. For Unanalyzed Blocks review:
   • App Control: Agent Configs Commonly Used for Unanalyzed Blocks, Unhashed Blocks, & Timeouts
3. If none of these options have resolved the issue then collect the following when opening a case with Support:
   • Collect the Agent Historical Logs.
   • Collect a CSV of the relevant Block Events from one endpoint with the issue.

Related Content