Just wondering if anybody could confirm the product behaviour for the Solidcore rule to allow binary by checksum based on our observations below. Does Application Control dynamically update its local whitelist to include this binary the first time that it is executed on a protected system (assuming the binary was copied to the system post the initial solidification process)?
We have a standardised set of ePO managed policies applied to all systems that contains a Solidcore rule allow binary by checksum: e.g. support_tool.exe (1ddd4994b16cfb89d89c1b08cb3a7aef8ebfeb15)
During initial solidification the support_tool.exe file is not present on the system and therefore not included in the local inventory/whitelist - confirmed via the ePO Solidcore Inventory reports
At some point in time support_tool.exe (chksum: 1ddd4994b16cfb89d89c1b08cb3a7aef8ebfeb15) is copied to a protected system and executed (this is via an automated process)
The next time the support_tool.exe is copied to a protected system a File Write Denied error is encountered, suggesting that support_tool.exe is being protected by MAC
On next inventory update (differential) the system reports support_tool.exe as part of its inventory/whitelist