When the Carbon Black App Control Agent is installed on a computer for the first time, the computer goes through an initialization process during which all files present on that computer are locally approved unless they are already globally approved or banned.

The files are allowed to run on that computer, regardless of its Enforcement Level. Local approval has no effect on the global state of the files, however. Because files present during agent initialization are locally approved, you can set up a computer with the files it needs to run, saving global decisions about these files for after you have used Carbon Black App Control to collect more information about the files and computers on your network.

Files that appear on a computer after Carbon Black App Control Agent initialization, if not explicitly banned or approved, are assigned Unapproved state. Unapproved files are allowed to run on computers running in Low Enforcement and (with user intervention) Medium Enforcement, but they are not allowed to run on computers in High Enforcement.

You can specify that a particular computer can run a new application without approving it for other computers on your network. You can also change the state of a file from Unapproved to Locally Approved on one or more computers before putting those computers into High Enforcement. To accomplish tasks like these, Carbon Black App Control offers the following options:

  • A per-policy ability to make certain unapproved files Locally Approved when a computer makes a transition to a more secure Enforcement Level.
  • Local approval of individual files on a specific computer.
  • Local approval of all unapproved files on a specific computer.
  • Temporary reassignment of a computer in High or Medium enforcement to the Local Approval policy, during which any files that are installed are locally approved.
  • Designation of files as installers even when Carbon Black App Control analysis did not identify them as such, and vice versa; local approval of an installer also locally approves all of the files it installs.
Note:

  • You cannot use any of these methods to locally approve a file that has been globally banned or that is banned by policy on the computer with the file. You also cannot remove local approval for a file that has been globally approved or that is approved by policy on the computer with the file.

  • Certain approval methods such as approving a publisher make all instances of a file locally approved. See Approving or Banning by Publisher for details on how publisher approvals affect file state.

  • You must have full Suite licenses (Visibility and Control) to be able to reassign a computer to Local Approval policy. Sites with only Visibility licenses cannot perform the reassignment.