Environment
- Carbon Black Cloud Console: All Versions
- Endpoint Standard (was CB Defense)
- Carbon Black Cloud macOS Sensor: 2.0.x.x and Higher
- Carbon Black Cloud Windows Sensor: 2.0.x.x and Higher
- Microsoft Windows: All Supported Versions
- Apple macOS: All Supported Versions
Objective
Provide steps for adding a Cert to the Approved List
Resolution
From the Investigate Page
- Search for Events tied to desired application or hash
- Select the desired Event to expand Event details
- Click desired App tab (Parent App, Selected App, Target App)
- Signed By field reflects Signer of file, CA reflects Certificate Authority
- Click on Add button to right of Signed By to add the Cert (Signer+CA) to Approved List
From the Reputation Page
- Locate Signer and Certificate Authority (CA) for desired file (can be done via Enriched Event data or directly on endpoint)
- Log into Carbon Black Cloud Console
- Go to Enforce > Reputation
- Click on the +Add button
- In the modal/pop-up, select Type: Certs
- Enter Signer in "Signed By" field (required)
Signed By: Google Inc
- Enter CA in Certificate Authority field (not currently required)
CA: VeriSign Class 3 Code Signing 2010 CA
- Add details to Comment field as desired
- Click Save to finish adding Cert to Approved List
Additional Notes
- It is currently only possible to add a Signer/CA as an Approved List item, not a Banned List item
- This functionality is not currently available for Sensors on Linux distros
- To see the ability to add a Signer/CA to the Banned List, please upvote the following: Add banning by certificate
Related Content