Environment
- Cb Defense Web Console: All Versions
- Cb Defense Sensor: 2.0 and higher
- Microsoft Windows: all supported versions
Question
I have created an IT Tool / Certificate whitelist for a known trusted application. Why does the application sometimes get blocked initially, but when I try to run it again it runs fine?
Answer
- In some instances the certificate check of an application can be delayed because the application file cannot be accessed. Because the application cannot be verified, an effective reputation of "not_listed" or "unknown" is applied. If a policy rule is in place to block "not_listed" or "unknown" applications, that rule will deny or terminate the action.
- When the file cannot be accessed, the sensor keeps trying to validate the application until a positive identification can be made. This is why a second run of the same application is usually successful.
Additional Notes
- If the application is known and trusted, a hash whitelist will bypass the certificate check.
- If the application generates multiple files, a bypass rule to allow and log may be appropriate.
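For the two notes above, an added example (not from the original article or from the vendor): a PowerShell inventory of an application's binaries that records each file's Authenticode status, signer and hash, so you can see which files a certificate whitelist can cover and which need a hash entry. The install path is a placeholder, the function name is hypothetical, and the use of SHA-256 for hash whitelist entries is an assumption.

```powershell
# Added example. $AppPath is a placeholder; point it at the real install directory.
param(
    [string]$AppPath = 'C:\Program Files\ExampleApp'
)

function Get-WhitelistInventory {
    param([Parameter(Mandatory)][string]$Path)

    # Only file types that are normally signed and executed or loaded.
    $extensions = '.exe', '.dll', '.sys', '.msi'

    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $file = $_.FullName
            try {
                # Both cmdlets must open the file; a locked or unreadable file
                # ends up in the catch block instead of stopping the run.
                $sig  = Get-AuthenticodeSignature -LiteralPath $file -ErrorAction Stop
                $hash = Get-FileHash -LiteralPath $file -Algorithm SHA256 -ErrorAction Stop

                [pscustomobject]@{
                    File            = $file
                    Readable        = $true
                    SignatureStatus = [string]$sig.Status
                    Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                    SHA256          = $hash.Hash   # assumed format for a hash whitelist entry
                    # Only a validly signed file can match a certificate whitelist entry.
                    CertCandidate   = ($sig.Status -eq 'Valid')
                }
            }
            catch {
                [pscustomobject]@{
                    File            = $file
                    Readable        = $false
                    SignatureStatus = 'NotChecked'
                    Signer          = $null
                    SHA256          = $null
                    CertCandidate   = $false
                }
            }
        }
}

# Files listed first are unsigned, invalidly signed, or could not be read.
Get-WhitelistInventory -Path $AppPath |
    Sort-Object CertCandidate, File |
    Format-Table File, Readable, SignatureStatus, CertCandidate, SHA256 -AutoSize
```

Rows with CertCandidate set to False cannot be matched by a certificate whitelist entry, and rows with Readable set to False should be re-checked once the file is no longer in use.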
Related Content
Cb Defense: Why isn't the reputation updated to LOCAL WHITE?
Cb Defense: Reputation Priority
Cb Defense: How to Utilize Certs Whitelist Feature
Cb Defense: How to Utilize IT Tools Whitelist Feature