The table below shows complementary Carbon Black App Control features that provide visibility into what files are on your computers, give you control of unauthorized software and hardware, and allow flexible management of computers at your site:

Table 1. App Control Features



Live File Inventory and Baseline Drift Tracking

Carbon Black App Control can track all files of interest on all computers all the time. This near-real-time inventory means that Carbon Black App Control can provide a wide variety of information about these files, and about the rate and nature of change across your organization. One benefit of this information is Baseline Drift Reports, which report changes in the file inventory on one or more computers. Another is the ability to locate all instances of a specified executable file that exist on the (fixed) local drives of managed computers.

Carbon Black File Reputation

File Identification & Reputation Services

Carbon Black File Reputation identifies and classifies files. It assigns a Trust Factor to files based on a variety of sources, including the source of the file, its prevalence on computers running the Carbon Black App Control Agent, results of anti-virus scanning, and whether it has a legitimate digital certificate. You can automatically approve files or publishers that meet a certain trust threshold.

Event Tracking

Carbon Black App Control keeps an up-to-date database of file-related events, as well as other activities involving the Carbon Black App Control Server or managed computers. From this data, you can view predefined or custom reports that can give visibility into changes to your environment and significant Carbon Black App Control Server operations. You also can trigger alerts based on certain events. Events can be exported to Syslog for integration with SIEM systems, to data analytics systems, and to CSV files.


Active Carbon Black App Control Agents can be operated in one of two modes: Visibility mode provides the file and event tracking features of Carbon Black App Control, but does not enforce file or device bans or other security restrictions. Control mode blocks banned files and allows you to choose one of three Enforcement Levels to determine how unapproved files (i.e., files neither approved nor banned) are treated. Control policies can be configured to enforce other file and device security rules.

Enforcement Levels and Policies

Enforcement Levels and policies work in combination to control file and device activity on specific computers. Depending upon the Enforcement Level you choose, execution of banned files as well as unapproved (neither approved nor banned) files can be blocked. Enforcement Levels range from very restrictive to no enforcement.

Policies are rule sets that include an Enforcement Level and other settings, such as the ability to block or control the behavior of some removable devices on Windows and Mac computers. All computers managed by Carbon Black App Control have an assigned policy.

Flexible and Emergency Lockdown

You can run different groups of computers at different security levels. For example, you may choose to run some computers at High Enforcement Level, which prevents computers from executing unapproved files that were not present when the Carbon Black App Control Agent was installed, while allowing other computers greater privileges.

If necessary, you can implement an emergency lockdown to move all computers to High Enforcement during attacks or high threat periods. You can return the systems to their previous security level when you believe the threat is contained.

File Integrity Monitoring and Control

Carbon Black App Control allows you to create custom software rules that apply to specified files or paths. These include File Integrity rules, with which you can monitor, and if you choose, restrict modifications to a specific folder or folders matching your specification.

Software Rules: Bans

Bans enable you to specify files (by name or hash) to be blocked for some or all computers at your site. You can ban files individually, and also can ban all files identified on a list of hashes you provide. You also can ban all files from a specified publisher.

Software Rules: Approvals

Several complementary software approval methods enable you to approve legitimate software to run on all computers, on groups of computers (i.e., by policy) or to locally approve software to run on a single computer. You can integrate approval rules with the Carbon Black File Reputation service to automatically approve files meeting a specific Trust level according to analysis by the service.

Registry Rules

You can specify rules to protect specific registry key/value patterns from alteration on Windows computers.

Memory Rules

You can specify rules to protect a process from access or alteration by any (or specified) other process(es) or user(s) on Windows computers.

Rapid Configs

Rapid Configs are sets of rules that can be used to accomplish tasks such as application optimization, operating system and application hardening, and approval of files delivered by software distribution systems.

Device Rules:Approvals and Bans

You can approve or ban file execution and writing on detected storage devices on Windows and Mac computers. You can approve and ban device models or specific, individual devices, and you can apply the rules to some or all computers.

Notifiers and User-Initiated Approval Requests

When a Carbon Black App Control rule blocks file access, you can display a notifier that explains the block to the user. The notifier can provide an optional file approval request method that lets you track and respond to requests directly in the Carbon Black App Control Console.

Detection: Advanced Threat Indicators

You can enable advanced threat indicators that will trigger events when suspicious conditions occur, and you can fine-tune these indicators by creating exceptions for events that you consider benign.

Event-Triggered Actions

You can create Event Rules that specify an action to be performed when a file- or computer-related event occurs that matches filters you define. You also can create an alert that reports when a specified event rule is triggered.

File Deletion

You can delete files on Windows endpoints through the Carbon Black App Control Console and create Event Rules that will automatically delete files reported as malicious.

Integration with Network Security Devices

You can integrate the Carbon Black App Control Server with one or more network security devices or services from third-parties, including Palo Alto Networks.

Access via the Carbon Black App Control A PI

You can use the RESTful API to write code to interact with Carbon Black App Control via custom scripts or from other applications. API code can be consumed over the HTTPS protocol using any language that can create get URI requests, post/put JSON requests, and interpret JSON responses.

Integration with External Data Analyzers

You can export events, file operations data, and file catalog data for use by external analytics products such as Splunk.

System Health Monitoring

You can opt in to System Health indicators that monitor and report on factors affecting the operation of this Carbon Black App Control Server, such as compliance with the operating environment requirements.

Unified Management

If you have more than one Carbon Black App Control Server, you can use Unified Management to designate one server to control many common management functions on any of your connected Carbon Black App Control Servers.