There are several ways you can confirm that a trusted directory is working, and that files in it are being approved.
To check the status of a trusted directory, on the console menu, click Rules > Software Rules, and on the Software Rules page, click the Directories tab. The table of Trusted Directories shows the status of each trusted directory and the progress of analysis of its contents so far. You can click the View Details button next to a trusted directory to view the details for that directory. The details page can include additional status information.
You also can check the Events page for trusted directory-related events. There are event subtypes that show directory creation and modification activity as well as the results of any file analysis that occurs in the trusted directory.
To verify that the files on the deployment server are being approved, you can choose Approved Files from the Saved Views menu on the File Catalog tab and search for the files you expect to see approved. How long it takes for newly approved files from a trusted directory to display in the Approved Files table depends on the number of files in the directory and the activity on the Carbon Black App Control Server. To update the Approved Files table, use the Refresh Page button on the File Catalog page.
You also can add a filter to the Approved Files view to see all files approved because of trusted directories. On the Add filter menu, click File State Reason, and then complete the filter by choosing is and Trusted Directory from the File State Reason menus.
Tracking Analysis Progress in Trusted Directories
There is a progress indicator in both the rows for each directory in the Trusted Directories table and the Edit Trusted Directory page for a single directory. The Progress field shows the number of “crawl jobs” that have been processed in the directory versus the total number queued there.
Crawl jobs are investigations to discover and analyze files. There are two crawl job types:
-
discovery and enumeration of the contents of a directory
-
a “deep crawl” to discover and enumerate the contents of an archive file – see Installers and Archives in Trusted Directories for a list of file types that are recognized as archives by App Control
The first crawl job in a Trusted Directory is that directory itself. When the top-level directory is crawled:
-
Any individual, non-archive, executables and scripts at the any level are reported to the server and approved (unless banned by another rule) without requiring a crawl job of their own.
-
Any archive files are scheduled as crawl jobs.
-
Any directories are scheduled as crawl jobs.
-
This process is recursive, so, for example, an archive inside another archive is new crawl job.
As you monitor progress for a Trusted Directory, keep in mind that because of the processes described above, the changes in numeric values in the Progress field do not necessarily reflect a linear time progression. Also, as different sub-folders are crawled, the total number of crawl jobs queued might actually increase even if you have not added any files to the directory. The Progress field is cumulative – the numbers do not reset once the queued and completed crawl job numbers match.
Verifying Approval of Windows Packages
For Windows installers, you can verify that App Control recognized and approved the installer in a trusted directory (and so will locally approve files it installs). On the File Catalog tab, the Saved View called Trusted Packages lists installers that are globally approved because they are in a Trusted Directory. This list also includes the App Control Agent installers. Files that are not recognized as installers will not appear in this table.
In the Trusted Packages view, click the View Details button next to a package name to display its File Details page. Click the package name for a table of associated files written by the package.
