Environment
- App Control Console: All Supported Versions
- App Control Agent: All Supported Versions
Objective
To discuss what the file state "Unapproved (Persisted)" is and its implications, as well as the best practices for handling them.
Resolution
Important Notes:
- Unapproved (Persisted) files are files that have appeared after Agent Initialization and when the machine was in Medium or High Enforcement.
- These are files that were written with no Approval Method in place to issue a Local Approval when the file was written.
- Execution Control Rules will allow files tagged as Unapproved (Persisted) to execute, but will not change the File State to Approved.
To Change the File State:
- Issue a Local Approval of the file from the Console > Assets > Files > Files on Computers.
- Create a File Rule to Globally Approve the file from the Console > Rules > Software Rules > Files.
To Prevent Unapproved (Persisted):
- Custom Rules that use the Rule Type, "File Creation Control" will instruct the Agent to issue a Local Approval when the Agent tracks the file being written.
- File Creation Control Rules are not retroactive, they must be in place before the file is written.
Additional Notes
- Just because a file is Unapproved (Persisted) does not mean it will not execute. Execution Control > Allow Rules will allow the execution of these files.
- Unapproved (Persisted) files will not become Locally Approved when changing Enforcements from Low or Visibility to Medium or High.
- By default, Unapproved files will be issued a Local Approval upon transition (Rules > Policies > relevant Policy > Advanced > Locally approve unapproved files on transition).
- More details on Unapproved (Persisted) files can be found in the User Guide chapter, "File, Publisher, and Application Information".