The following table defines some of the key terms you need to understand Carbon Black App Control and its features:
| Term | Definition |
|---|---|
| Carbon Black App Control Server |
Computer running the Carbon Black App Control Server software on a supported Windows platform. |
| Carbon Black App Control Agent |
Agent software installed on computers on your network; the agent runs independently but reports to the Carbon Black App Control Server. |
| Carbon Black App Control Console |
The console, which can be displayed remotely with a web browser, is the user interface and management center for all Carbon Black App Control Server management activities. |
| Enforcement Level |
The protection level applied to computers running the Carbon Black App Control Agent. A range of levels from High (Block Unapproved) to None (Disabled) enable you to specify the level of file blocking required. |
| Computer |
Computer that runs the Carbon Black App Control Agent. Each Carbon Black App Control-managed computer is protected by the agent, which both provides information and receives protection updates when it is connected to the Carbon Black App Control Server. The Carbon Black App Control Agent can be installed on both physical and virtual machines. |
| Template |
Computer that has the Carbon Black App Control Agent pre-installed and will be used to clone one or more computers. |
| Policy |
Each computer protected by Carbon Black App Control is assigned a policy that defines its security characteristics. Computers with the same security requirements can share the same policy. |
| Computer Initialization |
File inventory initialization process for new computers that come online to the Carbon Black App Control Server. During initialization, each file on the fixed drives of the new machine is evaluated and classified by the server. |
| Login Account |
To use the Carbon Black App Control Console, users must have a login account. Role-based accounts tailored to users’ responsibilities determine what they can do on the system. Users of computers running the Carbon Black App Control Agent do not need console accounts. The server requires no direct interaction with users of computers it monitors and protects. |
| Executables and Scripts |
An executable is any file that contains executable code. Carbon Black App Control examines the content of each unknown file that appears on a computer in its network, determines whether it contains executable code, and, if so, categorizes it according to executable type. Carbon Black App Control also has rules that identify and manage scripts, and you can define additional rules for script identification. The Carbon Black App Control Server keeps an inventory of executables and scripts, and provides rules that control whether they are allowed to run. The files that are inventoried are sometimes referred to as “interesting files.” Files not identified as executables or scripts are not inventoried, although you might be able to control access to them with custom rules, such as file integrity rules. |
| File State |
The Carbon Black App Control classification that determines how executables are tracked and permitted or not permitted to be run. Top-level file states includes approved, banned, and unapproved (neither approved nor banned) states. Files have global and local files states, and these may vary in some cases. |
| Software Approval |
Carbon Black App Control features for approving legitimate software. Approved software is allowed to run without user or administrator intervention, even on computers “locked down” under high protection. |
| Reputation |
Information that provides guidance about whether a file should be approved or banned. Carbon Black File Reputation, when integrated with the Carbon Black App Control Server, provides reputation data for a large database of files and file publishers. |
| Notifier |
A dialog box or transient panel that can appear when a Carbon Black App Control rule blocks an action. Notifiers may contain information about why the action was blocked, and in some cases give the user the option of allowing the action or requesting approval from an administrator. Notifiers are configured and saved by name, and can be attached to different rules. |
| Approval Request |
A request by a user whose action was blocked for access to a file or device. Requests can be handled informally through email or websites outside of Carbon Black App Control, or using the approval request management feature in notifiers and the Carbon Black App Control Console. |
| Drift Report |
A report that can help determine how far one or more computers have “drifted” from a baseline of files (by having files added, removed or changed). This can help determine level of compliance with company policies on acceptable files, and also identify files that should be approved and added to an updated baseline. |
| Live Inventory |
Carbon Black App Control's near-real-time database of all files of interest on all local drives on all computers running the Carbon Black App Control Agent (removable and remote drives are not tracked). |
| Baseline and Snapshot |
A reference point that can be used to determine drift of computers’ file inventory from the reference, which might indicate potential risk for those computers. A baseline can be a named table of files, called a Snapshot, or it can be the current set of files on a reference computer. |
| Indicator Set |
Groups of rules called “indicators” that aid in detecting particularly threatening or suspicious activity on systems reporting to your server. |
| Health Indicator |
A rule that checks whether certain parameters on the Carbon Black App Control Server and SQL Server meet the operating requirements and reports its results to the System Health page. |
| Event |
Records of actions related to Carbon Black App Control activities, including files blocked, unapproved files executed, system management processes and actions by console users. Events may be examined in the console and exported to other analytical tools such as Syslog servers or data analysis systems. |
| Event Rule |
A rule that takes a particular action when a specified event is recorded on the Carbon Black App Control Server. Actions include changing file states, uploading files from endpoints, and sending files to third-party detonation engines. |
| Unified Management |
In an organization with multiple Carbon Black App Control Servers, Unified Management allows one server to control many common management functions for itself and any of the other connected Carbon Black App Control Servers. |
