The Carbon Black App Control Console Home page includes an emergency Lockdown button that changes the Enforcement Level of all agent-managed computers to High.

During an emergency lockdown, the following is true for active agents whose policies do not have any enforcement settings disabled:

  • Banned files are blocked.
  • All Unapproved files that appear after the emergency lockdown are blocked.
  • All existing Unapproved files that remain Unapproved are blocked.
  • Certain files become locally approved, as described below, and can be executed.
  • Computers that were offline when emergency lockdown was initiated are locked down upon reconnection to the Carbon Black App Control Server if the lockdown remains in effect.
  • Lockdown affects all active agents, including those in Visibility Only mode. It does not affect computers whose agents are disabled.

In some cases, locking down a computer causes some Unapproved files to become locally approved. In the Advanced Settings panel of the Edit Policy page, there is a checkbox labeled Locally approve unapproved files on transition from Visibility or Low Enforcement Level to Medium or High . This affects computers whose Enforcement Levels are Low or None when they are moved to Enforcement Levels of High or Medium:

  • If the box is checked, existing Unapproved files that first appeared on a computer when it was in Low (or None) Enforcement Level are locally approved upon lockdown.
  • If the box is not checked, Unapproved files on computers in that policy remain Unapproved after lockdown and are not allowed to run. Console users with the default ReadOnly privileges do not have access to Emergency Lockdown. A login account role must have Manage Computers privileges for its members to perform an emergency lockdown.

WARNING

  • Emergency Lockdown changes only the Enforcement Level of computers.
  • In policies with Advanced Settings of Off or Report Only, computers might not block certain threats even when in lockdown.

Lock Down All Computers

Use this procedure to perform an emergency lock down all computers.

Procedure

  1. From the console menu, choose Home.

    The Home page appears. The default location of the Emergency Lockdown portlet is the bottom right portlet on the page, although you or another administrator may have moved or removed it:

    The Emergency Lockdown portlet showing the Lock Down button

  2. In the Emergency Lockdown portlet, click the Lock Down button. The Lockdown confirmation page appears:
    The lock down confirmation dialog
  3. In the confirmation dialog, click OK to lock down all computers. All agents except those in Disabled mode are locked down. The Home page appears and the Lock down computers button toggles to Restore computers:
    The Emergency Lockdown portlet showing the Restore button
  4. After you resolve the issue that lead to the Lockdown, click the Restore computers button to restore all computers to their former Enforcement Level. The Restore confirmation page appears:
    The restore all computers confirmation dialog
  5. In the confirmation dialog, click OK to restore all computers.