The File Instance Details page shows information about a file instance on a computer plus some of the global file information on the File Details page.
In any table showing file instances – for example, the Files on Computers page or Find File Results – you can click the View Details button to open the File Instance Details page.
Many File Instance Details fields are identical to those on the File Details page (see File Details Page) and you can take many of the same actions. The following table shows the additional fields that are available on the File Instance Details page and in the Files on Computers table. On the details page, these appear in the top panel, which is labeled Details for file on computer: <computername>.
| Field |
Description |
|---|---|
| File Instance Details: File on computer panel |
|
File Name |
File name of this instance. |
|
|
Exact time this instance was created in its current location, displayed in the following format: MM DD YYYY hh:mm:ss(AM/PM). |
|
|
Path of the this file instance. |
|
|
Name of the computer that this instance is on. |
|
|
Platform (Windows, macOS) of the system the instance is on. |
|
|
Name of the user who was logged in when this file was created. |
|
|
The local state of the file instance (Unapproved, Approved, Banned, Deleted). If the local state is Unapproved, you can choose Approve Locally on the Actions menu. If it is Approved, you can Remove Local Approval. If it is Banned, you cannot change it. |
|
|
File-state metadata for use by VMware Carbon Black Support engineers. See Local State Details. |
|
|
If this file did not have its own certificate but was indirectly signed through a detached certificate, this field displays and shows the subject name from the certificate. |
|
|
If this file did not have its own certificate but was indirectly signed through a detached certificate, this field displays and shows the name of the publisher. Some publishers distribute updates as collections of unsigned files together with a catalog that contains hashes of all indirectly signed files and is itself signed. Carbon Black App Control can use these catalogs to verify publishers and allow publisher-based approval of files that are signed in this way. |
|
|
If there is a detached publisher, these options are the same as for Publisher State: Approved, Approved by Policy, Banned, Banned by Policy, Unapproved. |
|
|
Indicates whether this file instance has been executed. |
|
|
Indicates whether this file instance was among the files present on the computer when the Carbon Black App Control Agent was installed or whether it appeared after installation. |
|
(in Details)
(in Files on Computers) |
Indicates whether the file is a top-level file; that is, one that was not installed by or copied from another file. On Windows systems, files that were discovered during initialization can be later assigned top-level status if they are discovered to be installers. |
|
|
Indicates whether this file instance has been deleted from the computer it was on. This is a temporary state immediately after file deletion and before it is removed from the database for this Carbon Black App Control Server. |
|
|
File that wrote the current file. If this is a top-level file, there is no root file and the name is (none). |
| Fields in table only | |
|
|
Shows an overall assessment of the risk of this file, combining file threat, file trust, and publisher trust from all available sources. |
|
|
For the computer on which the file appears, displays the optional Computer Tag if provided. |
|
|
The IP address of the computer on which the file appears. |
|
|
The operating system of the computer on which the file appears. |
|
|
The Carbon Black App Control security policy of the computer on which the file appears. |
