Enforcement Level is the protection level applied to computers running the Carbon Black App Control Agent, specified on a per-policy basis. Enforcement Levels, which vary in restrictiveness, affect how file actions are controlled for policy settings.

File-blocking and other control functions in Carbon Black App Control depend on both the Enforcement Level and on more specific policy settings in effect, including policy-specific bans.

In Control mode, you choose High (Block Unapproved), Low (Monitor Unapproved), or Medium (Prompt Unapproved) Enforcement Level from a menu. The other modes, None (Visibility) and None (Disabled), automatically designate the Enforcement Level as None.

Table 1. Enforcement Levels

Enforcement Level

Use when:

High (Block Unapproved)

For the highest protection level, and when it is practical to pre-approve the applications you need and want to run on computers in the policy, use High enforcement.

High enforcement permits only explicitly approved files to run.

Computers on which the application configuration seldom changes – servers or single-purpose systems, for example – are good candidates for High enforcement. For computers with more dynamic application configurations, High enforcement might be usable if you also pre-approve files via trusted directories, trusted users, approved publishers, enabled updaters, or reputation approvals.

Except for files already identified and banned on the Carbon Black App Control Server, all files that exist on computers before you install the Carbon Black App Control Agent are locally approved and permitted to run on that computer under High enforcement.

High enforcement is available to policies in Control mode.

Medium (Prompt Unapproved)

To operate in a condition that prevents unchallenged execution of unapproved files but does not completely block them, use Medium enforcement.

Medium enforcement blocks all Unapproved files from executing but displays a dialog on client computers that lets the user decide whether to run the file. If the user allows the file to run, it is locally approved on that computer and always permitted to run. If an Unapproved file is run remotely from a network share or removable device and allowed by the user, it is temporarily approved to run (the approval remains for 14 days).

PLATFORM NOTE: Some removable or network drives are not recognized by Carbon Black App Control, especially on non-Windows systems. Files run from these drives are treated like local files.

Explicitly banned files cannot run under Medium enforcement.

Medium enforcement is available to policies in Control mode.

Low (Monitor Unapproved)

When you are not concerned about unknown files and only need to block files that you have specifically banned, use Low enforcement.

Low enforcement blocks banned files while allowing users to install software that is Approved or Unapproved (neither banned nor approved). Although Unapproved files are permitted to execute, you can monitor them and respond with emergency lockdown if necessary.

Low enforcement is available to policies in Control mode.

None (Visibility)

To track file activity without blocking it, set the Enforcement Level to None (Visibility).

Visibility mode tracks executable file activity on your computers through Carbon Black App Control’s reporting and asset management features (drift reports, event reports, file inventory, etc.), but enforces no rules. It can be a first step on the way to implementing a more controlled environment.

Click Visibility in the Mode line to choose this level.

None (Disabled)

To stop all enforcement and tracking activities, choose None (Disabled) mode. You might do this if:

  • You are instructed to disable an agent by Carbon Black Support staff so that you can debug a system fault.
  • You plan to remove the Carbon Black App Control Agent from a computer; a computer must be in None (Disabled) mode before the agent is deleted and the computer is removed from the App Control Server.

If you disable the agent for a computer, that computer’s file database is deleted from the agent computer but remains on the server for one day. Computers in Agent Disabled mode re-initialize their files as soon as you move them to a policy at another Enforcement Level.

NOTE: An agent in None (Disabled) mode continues to monitor (but not report to the server) certain operations to avoid gaps in file and process information if the agent is later brought back into an active mode. This normally requires a very minimal amount of resources on the agent computer, although if an extremely large number of writes are performed, the impact may be noticeable.

Click Disabled in the Mode line to choose this level.
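The table's rules can be traced with a small decision model. This is an added example, not Carbon Black code: the class, method, and result names are hypothetical, and it assumes that a ban outranks any approval and that pre-install local approval applies at every enforced level.

```python
from datetime import datetime, timedelta

TEMP_APPROVAL = timedelta(days=14)  # lifetime of a remote/removable approval (from the table)

class Endpoint:
    """Simplified model of one agent computer; all names are hypothetical."""

    def __init__(self, level, preexisting=(), banned=(), approved=()):
        self.level = level             # high | medium | low | visibility | disabled
        self.banned = set(banned)      # bans known to the server
        self.approved = set(approved)  # explicit approvals (publisher, trusted directory, ...)
        # Files present before agent install are locally approved unless already banned.
        self.local = set(preexisting) - self.banned
        self.temp = {}                 # file name -> expiry of a temporary approval

    def decide(self, name, now, remote=False, drive_recognized=True, user_allows=False):
        if self.level in ("visibility", "disabled"):
            return "allow"             # both None levels enforce no rules
        if name in self.banned:        # assumption: a ban outranks any approval
            return "block"
        if name in self.approved or name in self.local:
            return "allow"
        if now < self.temp.get(name, now):
            return "allow"             # temporary approval has not expired yet
        if self.level == "low":
            return "allow-monitored"   # Unapproved files run but are tracked
        if self.level == "high" or not user_allows:
            return "block"             # High blocks; Medium blocks if the user declines
        # Medium, and the user accepted the prompt: record the approval.
        if remote and drive_recognized:
            self.temp[name] = now + TEMP_APPROVAL
        else:                          # local file, or a drive the agent treats as local
            self.local.add(name)
        return "allow"

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1)          # constructed timestamp and file names
    pc = Endpoint("medium", banned={"bad.exe"})
    print(pc.decide("share.exe", t0, remote=True, user_allows=True))
    print(pc.decide("share.exe", t0 + timedelta(days=15)))
```

The second call shows the case to watch under Medium: once the 14-day approval lapses, the same file is blocked again until a user accepts the prompt, whereas a file approved from an unrecognized drive stays approved permanently.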