Adding specific certs to your company approved list can eliminate unwanted alerts or lower the relative threat level for such alerts.

Approve certs to assign initial elevated trust to code that is signed by specific trusted certificates. To use this functionality, a file must be signed and verified by a valid certificate, and the certificate subject and authority must be configured in the Cert rule.
Note: This feature is not available for customers with standalone Carbon Black Cloud Enterprise EDR.

This procedure uses the Reputation page; however, you can also add to the Approved list on the Investigate, Process Analysis, and Alerts pages.

Prerequisites

  • For a file to be approved by a certificate, the signature on the file must be trusted by the operating system. This can require ensuring that the root and any intermediate certificates needed to construct a full chain for both the code signing certificate and the timestamp certificate are present in the local machine's certificate store. Carbon Black Cloud sensors look in the local machine certificate store only, and not in individual users' certificate stores.

    Files that lack a timestamping chain and were introduced to the system during the validity period of the code signing certificate remain approved even if that certificate is no longer valid. If a file that lacks a signature time is introduced to the system outside of the validity range of the certificate, then it is not trusted and cannot be approved by the certificate. You can issue a repcli find <executable> command to check the signature and other file-related information. For more information about RepCLI, see Managing Sensors by using RepCLI.

  • Learn more About Adding to the Approved List, when to use it, and how it differs from permission rules.
  • In addition, see: Expiration of Approved Certificates.
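
For the first prerequisite above, the following added example (not part of the Carbon Black documentation or tooling) reads a file's Authenticode signature in PowerShell, lists the subject and issuer of the code signing and timestamp certificates, and tests whether each chain builds in the machine context. The function name Test-SigningChain and the sample path are assumptions, and the sensor's own validation may differ from this check.

```powershell
# Added example; Test-SigningChain is a hypothetical helper, not a Carbon Black tool.
function Test-SigningChain {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        throw "No Authenticode signature found on $Path"
    }

    $roles = [ordered]@{
        'Code signing' = $sig.SignerCertificate
        'Timestamp'    = $sig.TimeStamperCertificate   # $null when the file has no timestamp
    }

    foreach ($role in $roles.Keys) {
        $cert = $roles[$role]
        if (-not $cert) {
            [pscustomobject]@{
                Role = $role; SignatureStatus = $sig.Status; Subject = $null; Issuer = $null
                NotBefore = $null; NotAfter = $null
                ChainBuilds = $false; Problems = 'no certificate present'
            }
            continue
        }

        # $true = machine context, so per-user certificate stores are not consulted.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($true)
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        # Expiry is expected on older signed files; this check is about
        # missing or untrusted chain elements, so time validity is ignored.
        $chain.ChainPolicy.VerificationFlags = 'IgnoreNotTimeValid'
        $builds = $chain.Build($cert)

        [pscustomobject]@{
            Role            = $role
            SignatureStatus = $sig.Status
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            NotBefore       = $cert.NotBefore
            NotAfter        = $cert.NotAfter
            ChainBuilds     = $builds
            Problems        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
        $chain.Reset()
    }
}

# Constructed sample path; replace with the file you intend to approve.
# Test-SigningChain -Path 'C:\Path\To\signed.exe' | Format-List
```

A PartialChain or UntrustedRoot value in Problems indicates that an intermediate or root certificate could not be resolved to a trusted root in the machine context. Windows can retrieve a missing intermediate over the network while building a chain, so a result obtained online does not prove that the certificate is installed in the local machine store.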

Procedure

  1. Click Enforce > Reputation.
  2. Click Add and select Certs as the type.
  3. Enter the certificate under Signed by.
  4. Enter the Certificate Authority.
  5. Enter Comments and then click Save.

Results

Important: Certs added to the approved list are assigned the LOCAL_WHITE reputation and are not stalled for static analysis or cloud reputation as they are executed.