Carbon Black App Control security policies have an Advanced Setting, which is enabled by default.

This setting causes unapproved files that are discovered while Carbon Black App Control Agent is in a policy whose Enforcement Level is Low or None (Visibility) to be locally approved when the policy makes a transition to Medium or HighEnforcement.

Automatic local approval of unapproved files allows you to install new files while in Low Enforcement and then change to a more restrictive Enforcement Level without restricting the execution of the files that existed at the time of transition. Files that you explicitly ban remain banned. Unapproved files that are discovered while in Medium or High Enforcement remain unapproved during transitions to and from any Enforcement Levels.

You can disable this feature on a policy-by-policy basis to increase security against unwanted execution of unapproved files already on an agent before the transition. Disabling the feature might also cause more blocks of non-risky software after the transition. If you do not plan to enable automatic local approval, consider other bulk approval methods that can reduce the number of individual files you must approve.

Note: Enforcement level changes can occur because a computer changes policy or because the enforcement level of the policy changes. If a computer changes policy, it is the setting in the policy it begins in, not the policy it changes to, that determines whether the approval-on-transition takes place.