Local approvals initiated by an Event rule happen immediately (or as soon as an agent connects to the server). However, unlike most other approvals, Event rule global or by-policy approvals are not pushed to endpoints automatically. Like Reputation rules, Event rules have three conditions that cause a file approval to be sent to endpoints.
The conditions are as follows:
- If the App Control Server has a record of a file being blocked on any endpoint and that file is later approved by event rule, the server begins sending the approvals of the file to connected agents immediately.
- If a user attempts to execute an instance of an event-rule-approved file on a computer connected to the App Control Server, the server will allow the agent to run the file immediately, and also will begin sending the approval to other agents.
- If an event-rule-approved file is identified as an installer, the App Control Server begins sending the approval of the file to agents immediately.
Even if a file is approved by Event rule and not blocked by another rule, until its approval is sent to agents because of one of the conditions above, instances of the file may be locally unapproved and may block if the agent computer is disconnected from the server before the approval is distributed.
If a file was approved globally or by-policy using an event rule and then an Event rule removes that approval, the approval for that file is eliminated for connected computers, and the file state in the File Catalog reverts to unapproved. However, if an instance of this file was executed during the time it was approved by event rule, all instances on computers connected at that time remain locally approved.