Carbon Black App Control console users with default Administrator and PowerUser privileges can view and manage approval requests.

In addition, custom User Roles can be created with permission to just view approval requests or to view and manage them. If a console user’s primary activity will be addressing approval requests, that user might want to set the Approval Request page as the Default Starting Page on login. This is done on the User Settings page ( loginname > User Settings).

Requests and justifications submitted by users appear on the Approval Request page.

To view the Approval Requests and Justifications table, select Tools > Approval Requests.

The Approval Requests and Justifications summary page.

Approval Requests Summary

The Approval Requests and Justifications table initially lists all of the open items submitted by users.

The Approval Requests and Justifications table initially lists all of the open items submitted by users. At the top of the page, it includes a Status Summary panel that shows the number of new, open, escalated, closed and unresolved requests over a given period. If you hovering the mouse cursor over a box in the summary, additional information about that status is displayed. These status types will be described later in this section.

The reporting period for the summary is All Time (no limit) by default, but you can choose a different period on the Time Period drop-down menu, and your choice persists until you change it again. The Status Summary panel can be useful for tracking how well you are meeting the stated service level agreements within your company for user requests. In addition, clicking on any of the boxes in the summary filters the Approval Requests and Justifications table to show the requests in that category.

As with other table pages, you can add columns to those shown by default on the Approval Requests and Justifications table. In addition to the information shown in the table itself, details for certain fields are shown when you move the mouse cursor over those fields. This includes the Assessment, Computer, File, Policy, Publisher, and Related Requests fields.

Assessment

The popup information for Assessment shows all of the threat and trust information available for the requested file and its publisher.

 

The overall assessment of the notifier status.

Assessment combines CB Reputation file and publisher trust and file threat values with the verdicts about this file from all connected network security devices. It uses the worst report from the available sources to rate the file. The possible values are:

  • Malicious (Red) – This is the assessment if the CB Reputation file threat or any connector result reports that the file is malicious.

  • Potential Risk (Yellow) – This is the assessment if the Carbon Black App Control file threat or any connector result reports that the file is a potential risk, or if the Carbon Black App Control file trust is zero.

  • Potentially Clean – This is the assessment if the CB Reputation file trust is between 1 and 6 or the publisher trust is low or medium.

  • Clean (Green) – This is the assessment if the CB Reputation file threat or connector results are clean, or if the publisher trust is high, or if the CB Reputation file trust is 7 or higher.

No assessment is displayed if none of the contributing information is available for the file. Clicking on the Assessment brings up a details screen.

Approval Request Details

The Approval Request Details or Justification Details page shows the complete details for a request or justifications. To find a specific request, you can click Show Filters and use any of the filters in the Filters panel on the Approval Requests and Justifications page.

You also can use the Search box on that page to enter text that matches any of the following:

  • ID
  • Computer Name
  • Requestor
  • File Name
  • Publisher Name
Note: The Search box only matches objects that begin with the characters or string you provide.

To view the details page for one approval request or a justification, on the Approval Requests and Justifications page, click the View Details button next to a request.

The details page for an approval request.

On the Approval Request Details page, you can examine details about the request and the requested file or device. You can edit the request, adding comments and indicating what you did to respond to the request. The Actions menu to the right of the page provides shortcuts to some of the Carbon Black App Control rules you might change if you decide to provide access to the blocked file or device.

The Approval Request Details page is divided into the following panels:

  • The top panel primarily describes the request itself, including the computer and user it came from, and the App Control rules and settings relevant to the request. It also includes the user’s description of the request, and provides fields for the administrator’s response. For a complete description of the fields in this panel, see Approval Request and Justification Details.
  • The Platform Analysis panel is initially blank. If you click the Run Analysis button, the panel shows information about the blocked file or device, the user requesting the approval, and other data related to the request. This is additional basic information about the file and the request, not Carbon Black File Reputation data or the results of an analysis by a connected device. For a complete description of the information provided by this analysis, see Approval Request and Justification Details. You can click Rerun Analysis to update the information.
  • The File Information panel shows the name, hash, prevalence, publisher, state, and (if Carbon Black File Reputation is activated and the file is known) trust and threat level of a file that is blocked. You can click the Analyze button in this panel to get more Carbon Black File Reputation information about the file. For a description of each field in this panel, see Approval Request and Justification Details. Note that for device and write blocks of non-executable files, not all information will be available.
  • The Related Requests panel shows a table of related requests; that is, requests for the same file (by hash) from different users and computers. It appears only when multiple requests have been made for the file referenced in the request details. For a description of features for handling related and duplicate requests, see Managing Duplicate and Related Requests.
  • The Process Information panel shows information about the process that attempted to initiate the action. For a description of each field in this panel, see Approval Request and Justification Details.
  • The Rule Information panel shows information about the rule that blocked an action. If it is a custom, memory, or registry rule, a link is included to the details page for that rule so that you can modify the rule to resolve the request, if you choose. For a description how you can use this panel, see Opening Rule Details from the Rule Information Panel.
  • The Installer Information panel shows information about the installer (if known) that installed a blocked file. For a description of each field in this panel, see Approval Request and Justification Details.
  • The History panel shows any date and time of changes to the approval request, including when it was created, opened, modified and closed. It does not include the history of changes you might make to Carbon Black App Control rules in response to the request.

You can expand and collapse all but the top panel using the arrows next to the panel names.