File reputation approvals rely on the most specific information available for the files known to the Carbon Black File Reputation.
A separate reputation approval rule (global or by policy) is created on the Carbon Black App Control Server for each file that meets the reputation threshold. The scope of a reputation approval is determined by the list of policies on which reputation is enabled. As with other file approvals, reputation approvals can behave like per-policy approvals or global approvals, depending on your reputation settings.
File reputation rules are not listed on the Carbon Black App Control Server, but you can view a list of files approved by reputation. See Views Related to Reputation Approvals.
Unlike other approvals, file reputation approvals are not pushed to endpoints automatically. There are three conditions that cause a reputation-based file approval to be sent to endpoints on which reputation approval is enabled:
- If the Carbon Black App Control Server has a record of a file being blocked on any endpoint and that file is later approved by reputation, the server begins sending the approvals of the file to agents immediately.
- If a user attempts to execute an instance of a reputation-approved file on a computer connected to the Carbon Black App Control Server, and if the server detects that the file satisfies the reputation trust threshold, the server allows the agent to run the file immediately, and also begins sending the approval to other agents.
- If the reputation-approved file is identified as an installer, the Carbon Black App Control Server begins sending the approval of the file to agents immediately.
Even if a file is approved by reputation and not blocked by another rule, until its approval is sent to agents because of one of the cases above, instances of the file can be locally unapproved and can block if the agent computer is disconnected from the server before the approval is distributed.