Prompt notifiers tell the user what the attempted action was and why it was interrupted, but also give the user the option of allowing or blocking the action.

A prompt notifier for an action governed by the File and Path Custom rule

Users see Prompt notifiers under these conditions:

  • When they attempt to execute an Unapproved file on a computer that is in Medium (Prompt Unapproved) Enforcement Level.
  • When they attempt an action that is governed by a Custom (File and Path) Rule, Registry Rule, or Memory Rule, or a rule within a Rapid Config, and that rule is configured to prompt for a decision.

Because they require a response from the user, prompt notifiers cannot be disabled in rule definitions that have Prompt actions, and they should not be disabled for any policy setting that defines a rule that could prompt the user.

Prompt notifiers can include a Justification option, which allows users to send a justification of the choice to allow or block the action before making that choice. For more information about this feature, see Approval Requests and Justifications.

 

A prompt notifier that allows you to enter a justification.

The choices on a prompt notifier depend upon the conditions that caused the block:

  • Block leaves the block in effect, makes no changes in the state of files or devices, and dismisses the notifier.
  • Allow lets the action take place. If it was a blocked execution of an Unapproved file because of Medium Enforcement on the computer, the file is locally approved and allowed to run. It is allowed to run indefinitely if it is a local file. If it is run remotely from a network share or removable device, it is temporarily approved to run for 14 days.

    If an allowed Unapproved file is recognized as an installer, files written by it are locally approved. If it is not recognized as an installer, files it writes are not locally approved.

  • When an action is blocked by a file execution rule, holding down the Shift key activates the Promote button in Mac and Linux and changes Allow to Promote in Windows. Promote ensures that the file runs as a promoted process, meaning that files written by the process will be locally approved. This is useful if the notifier is displayed for an execution attempt on a file that installs other files but is not recognized by Carbon Black App Control as an installer.
  • If the user takes no action on a prompt notifier after 10 minutes, the file is blocked, a block event is recorded on the App Control Server, and the notifier is dismissed. However, any interaction with the dialog (e.g., clicking on it or moving it) will prevent the timeout. For block-only notifiers, see the Notifier Timeout setting described in Add/Edit Notifier Settings .