If you have a list of hashes for files, you can import the list in a text file as input to the console and change the state of these files in one operation. You can change the file state to Approved, Banned, or Ban (Report Only), and you can do this for some or all policies.
The requirements and recommendations for approving or banning lists of hashes are:
- The file containing the hash list must be accessible to the Carbon Black App Control Server.
- The file must contain a list of MD5, SHA-1, or SHA-256 hashes, with only one hash per line.
- Use only one hash type per file; mixing types in one file can cause unpredictable results.
- You must take the same action on all files on the list; that is, you must approve the whole list, ban the whole list, or create a report-only ban for the whole list.
- On some older versions of Internet Explorer with Advanced Security Settings, you must make the root URL of your Carbon Black App Control server, https://<your server name>/, a trusted site in Internet Options – Security – Trusted Sites – Sites. Otherwise, bulk hash files cannot be processed. See the VMware Carbon Black App Control Operating Environment Requirements for this release for a list of supported browsers.
- Do not navigate away from the page until the Upload Hashes page shows that the process is complete. If you do navigate away, processing of the hashes is interrupted. In this case, you can upload the file again, and any hashes not yet approved or banned are processed.
Create Approvals or Bans for a List of Hashes
To create approvals or bans for a list of hashes, perform the following procedure.
When you use this method to approve or ban a list of files by their hashes, each file appears as a separate rule, but the rule name is the same for each.
Procedure
- Copy or move the file containing the hashes to a location accessible to the Carbon Black App Control Server.
- In the console menu, click Rules > Software Rules.
- Click the Files tab. The File Rules page opens with a list of Approved and Banned files.
- Click the Import button.
- Enter the rule parameters as follows:
- Enter the
Rule Name
as you want it to appear on the File Rules page. - Use the Browse button to locate the file containing the list of hashes and click Open in the Choose file dialog box. The pathname to the file containing the hashes appears in the File name box.
- (Optional) Enter a description for the rule.
- Choose Approve, Ban, or Ban (Report Only) on the Rule Type menu.
- Make the rule effective for All policies or Selected policies.
- Enter the
- When you are satisfied with the rule parameters, click Upload. A two-column progress table displays as the hashes are processed, reporting the success or failure of the rule for each file and informing you when hashes on the list are already in the selected state.
- On the console menu, click Rules > Software Rules. On the Files tab of the Software Rules page, the hashes you created approvals or bans for display in separate rows in the table with the same
Rule Name
. After rules have been created for all files on the list, each rule can be modified individually.