Adding specific certs to your company approved list can eliminate unwanted alerts or lower the relative threat level for such alerts.

Approve certs to assign an initial elevated trust to signed code by specific trusted certificates. To use this functionality, a file must be signed and verified by a valid certificate and the certificate subject and authority must be configured in the Cert rule.
Note: This feature is not available for customers with standalone Carbon Black Cloud Enterprise EDR.

This procedure uses the Reputation page; however, you can also add to the approved list on the Investigate, Process Analysis, and Alerts pages.

Prerequisites

Learn more About adding to approved list, when to use it, and how it differs from permission rules.

In addition, see: Expiration of Approved Certificates

Procedure

  1. Click Enforce > Reputation.
  2. Click Add and select Certs as the type.
  3. Enter the certificate under Signed by.
  4. Enter the Certificate Authority.
  5. Enter Comments, and then click Save.

Results

Important: Certs added to the approved list are assigned the LOCAL_WHITE reputation and are not stalled for static analysis or cloud reputation as they are executed.