Adding to the approved list approves the presence and actions of specified applications. Adding to the approved list is global in its effects and applies to all policies attached to a particular version of an application.
To approve the presence and actions of an application only on a specific device, use permission rules instead.
- Routinely update your approved applications to account for new versions. Permission rules do not need to be updated as the permission is added by path or application name.
-
You can add to the approved list from the Reputation, Investigate, Alerts, or Process Analysis pages.
- This feature is not available for customers with standalone Carbon Black Cloud Enterprise EDR.
Benefits of approving IT tools and certs
-
Minimized performance impact when IT tools drop large amounts of new code that are immediately executed.
-
For IT tools, no interference with new code execution. The dropped code is not blocked, even with stricter preventative policy rules in place.
-
For certs, no blocking on initial execution of files signed with specific certificates.
-
Adding to the approved list is not absolute to prevent exploitation. Deferred analysis of new code occurs in the background as it executes. If files are known malware, configured policy enforcement rules act on them after initial execution.
Reputations that supersede approved IT tools and certificates:
-
Company Black
-
Company White
-
Known Malware
-
PUP Malware
-
Suspect Malware
-
Trusted White
Using wildcards
When adding the path, you can use wildcards to target certain files or directories. Be as specific as possible when approving certs because using wildcards can lead to incidentally approving malicious software that appears to be signed by a trusted certificate authority.
Wildcard | Description | Example |
---|---|---|
* | Matches 0 or more consecutive characters up to a single subdirectory level. | C:\program files*\custom application*.exe Approves any executable files in: C:\program files\custom application\ C:\program files(x86)\custom application\ |
** | Matches a partial path across all subdirectory levels and is recursive. | C:\Python27\Lib\site-packages** Approves any files in that directory and all subdirectories. |
? | Matches 0 or 1 character in that position. | C:\Program Files\Microsoft Visual Studio 1?.0** Approves any files in the MS Visual Studio version 1 or versions 10-19. |