
Endpoint Standard: How to add a Certificate to the Approved List

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard (was CB Defense)
  • Carbon Black Cloud macOS Sensor: 2.0.x.x and Higher
  • Carbon Black Cloud Windows Sensor: 2.0.x.x and Higher
  • Microsoft Windows: All Supported Versions
  • Apple macOS: All Supported Versions

Objective

Provide steps for adding a certificate (Cert) to the Approved List.

Resolution

From the Investigate Page

  1. Search for Events tied to the desired application or hash
  2. Select the desired Event to expand its Event details
  3. Click the desired App tab (Parent App, Selected App, or Target App)
  4. The Signed By field shows the Signer of the file; the CA field shows the Certificate Authority
  5. Click the Add button to the right of Signed By to add the Cert (Signer + CA) to the Approved List

From the Reputation Page

  1. Locate the Signer and Certificate Authority (CA) for the desired file (this can be done via Enriched Event data or directly on the endpoint)
  2. Log into the Carbon Black Cloud Console
  3. Go to Enforce > Reputation
  4. Click the +Add button
  5. In the modal/pop-up, select Type: Certs
  6. Enter the Signer in the "Signed By" field (required)
    Signed By: Google Inc
  7. Enter the CA in the Certificate Authority field (not currently required)
    CA: VeriSign Class 3 Code Signing 2010 CA
  8. Add details to the Comment field as desired
  9. Click Save to finish adding the Cert to the Approved List
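
For step 1, one way to read the Signer and CA directly on a Windows endpoint is shown below. This is an added example, not part of the original article or Carbon Black tooling; the function name `Get-SignerAndCA` is hypothetical, and it assumes the console's "Signed By" and "Certificate Authority" values correspond to the common names of the signing certificate's subject and issuer.

```powershell
# Added example: report the signer and issuing CA of a signed file so the
# values can be compared with what will be entered on Enforce > Reputation.
# Assumption: "Signed By" = subject common name, "CA" = issuer common name.
function Get-SignerAndCA {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path
    )
    process {
        # Authenticode verification result for the file (built-in cmdlet).
        $sig  = Get-AuthenticodeSignature -LiteralPath $Path
        $cert = $sig.SignerCertificate

        if (-not $cert) {
            # Unsigned file: there is no Signer/CA pair to approve.
            Write-Warning "$Path carries no signature (status: $($sig.Status))."
            return
        }

        $simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

        [pscustomobject]@{
            Path       = $Path
            Status     = $sig.Status                      # 'Valid' = signature and chain verified
            SignedBy   = $cert.GetNameInfo($simple, $false)  # subject (signer) name
            CA         = $cert.GetNameInfo($simple, $true)   # issuer (CA) name
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    }
}

# Sample input: the executable of the current PowerShell process, which
# always exists on the machine running the script.
(Get-Process -Id $PID).Path | Get-SignerAndCA | Format-List
```

A `Status` other than `Valid` means the signature did not verify on that endpoint, which is worth resolving before the Signer/CA pair is approved.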

Additional Notes

  • Currently, a Signer/CA can only be added as an Approved List item, not as a Banned List item
  • This functionality is not currently available for Sensors on Linux distributions
  • To see the ability to add a Signer/CA to the Banned List implemented, please upvote the following idea: Add banning by certificate

Article Information

Creation Date: 01-10-2019