For the designated target, baseline drift reports can provide several different types of data about the computers or files in the report.

The following table describes this information.

Table 1. Basic Drift Values

| Term | Description |
| --- | --- |
| Drift | The amount of drift measured simply in terms of files added, changed, and (if configured for a report) deleted in the target. Files are identified by their hash value. An added file, a changed file, or a modified file each have a drift value of 1. See Advanced Baseline Drift Report Options for more information about how Carbon Black App Control determines whether a file has been modified. |
| Weighted drift | A calculation based on the drift value and adjusted by several factors that might increase or decrease the significance of the drift for each file. Among the adjustment factors are trust level, threat level, file type and associations with other files. For example, the weighted drift for files that have valid digital signatures, have high trust, or were installed by files with high trust will be reduced from what it would be without these factors. |
| Risk | A calculation similar to weighted drift, but adjusted so that files believed to pose no threat show a risk of zero. |
| % Weighted drift | The percentage of total weighted drift in the current report contributed by the item in a row. |
| % Risk | The percentage of total risk in the current report contributed by the item in a row. |

Other key factors in determining the total drift and risk reported in a baseline drift report are:

  • File Filtering: You can decide which files in the baseline and in the target participate in the comparison. For example, the pre-configured drift reports compare Unapproved files, but ignore Banned or Approved files – you can change this if you choose. There are several other file categories you can include or exclude from the comparison. See the Using Filters in Target and Baseline Definitions and Advanced Options: File Filter Options sections below for more detail.
  • File Comparison Method: By default, if a file hash found in the baseline is also found anywhere in the target, it is considered a matching file, and no drift is reported. This is called the File Content method. The alternative is the File Location method, in which the same hash in different locations in the baseline and the target is considered a drift. See Advanced Options: File Comparison Method for more details.
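The difference between the two comparison methods, shown as an added example (a simplified model written for this page, not Carbon Black App Control code). It assumes an inventory is a mapping of file path to content hash, uses constructed paths and placeholder hashes, and counts only files present in the target (added or changed), not deleted files.

```python
# Simplified model (assumption): an inventory maps file path -> content hash.
# Paths and hash strings are constructed placeholders, not real data.
BASELINE = {
    r"C:\Program Files\App\app.exe": "hash-app-v1",
    r"C:\Program Files\App\lib.dll": "hash-lib-v1",
    r"C:\Tools\util.exe": "hash-util",
}
TARGET = {
    r"C:\Program Files\App\app.exe": "hash-app-v2",  # same path, new content
    r"C:\Program Files\App\lib.dll": "hash-lib-v1",  # unchanged
    r"C:\Users\Public\util.exe": "hash-util",        # same content, moved
    r"C:\Temp\newtool.exe": "hash-new",              # not in the baseline
}


def drifting_files(baseline, target, method="content"):
    """Return the target files that count as drift; each has a drift value of 1.

    method="content":  a target file matches if its hash appears anywhere
                       in the baseline (File Content method, the default).
    method="location": a target file matches only if the same hash is at the
                       same path in the baseline (File Location method).
    """
    if method == "content":
        known = set(baseline.values())
        return sorted(p for p, h in target.items() if h not in known)
    if method == "location":
        known = set(baseline.items())
        return sorted(p for p, h in target.items() if (p, h) not in known)
    raise ValueError(f"unknown comparison method: {method!r}")


def drift_value(baseline, target, method="content"):
    """Total (unweighted) drift: one per drifting file."""
    return len(drifting_files(baseline, target, method))


if __name__ == "__main__":
    for method in ("content", "location"):
        files = drifting_files(BASELINE, TARGET, method)
        print(f"{method}: drift={len(files)}")
        for path in files:
            print(f"  {path}")
```

In this model the relocated `util.exe` contributes no drift under the File Content method but counts as drift under the File Location method, which matters when a known binary showing up in an unexpected directory is itself worth reviewing.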