Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Timing of local approvals after deletion of files

Timing of local approvals after deletion of files

Since this question comes up every now and again, here it is with the answer:

Q: If a file is deleted or obfuscated from a local machine, how long will the local approval stay in the endpoint's cache and Bit9?

A: There are two types of local approvals in terms of how Bit9 categorizes them: A "Normal" Digital Antibody (dab for short) and a "Priority" dab.

A priority dab is directly traceable to an event like initialization, manual approval of a file from the console or dascli, etc.  Priority dabs have a default expiration time of 14 days if the approved file is deleted.

A normal dab is created "indirectly", the most common being a rule.  So if you create a rule that says "Locally approve all files signed by publish TRUSTME, INC.", then it would be a normal dab.  Since the rule to approve it is still there, there is not nearly the need to retain the approval, so the default expiration time is 3 days.

Both of these time periods can be changed, but changing them should be considered carefully, so please contact Bit9 support if you need to change these values.

Matt Larsen

Bit9 Solution Architect

Labels (1)
Was this article helpful? Yes No
No ratings
Article Information
Creation Date: