Table 1. Computer Details (Details page and Computers table)

Field

Description

Computer name

Network name for the computer.

IP address

IP address for the computer. This may be an IPv4 or IPv6 address – if the Carbon Black App Control Server is configured for IPv6, agents will attempt to connect via IPv6 first.

Identifier

MAC address for the computer. (Option in table only)

Connection status

Status of computer’s communication with the Carbon Black App Control Server:

  • Connected – in communication with the Carbon Black App Control Server.
  • Disconnected – not communicating with the Carbon Black App Control Server.

The Computers table also includes a circle icon in the Connection status field that indicates connection and agent status:

The Connected status icon (Blue) – Connected, up to date

The Disconnected status icon (Gray) – Disconnected

The Connected out-of-date status icon (Yellow) – Connected, out of date (agent out of date, requires reboot, or other reasons)

The Template computer icon (Clear with Gray Border) – Template computer

The Connected health check failed status icon (Red) – Connected, health check failed; indicates that the agent needs immediate attention. Collect the Health Check Events for this computer and contact Carbon Black Support. Red may also appear if the agent is unprotected because a reboot is required or the kernel on the system is unsupported.

Health Check

Agent health status. The health check includes a series of tests to see whether the agent is working properly. If the value is Passed, there are no known health issues with the agent on this computer. If the value is Failed, there is an issue with at least one aspect of agent health. In this case, click Health Check Events on the Computers Details page and contact Carbon Black Support.

Note: Health checks run automatically, but if you have addressed an agent problem and want to be sure the agent is healthy, you can force a health check using the Run health check command on the Other Actions menu of the Computer Details page.

Platform

The basic operating system platform of this computer. Possible values are Windows, Mac, and Linux. The System Details tab of the Computer Details page shows additional detail.

Days Offline

If a computer is disconnected, adding this column to the Computers table shows how long it has been disconnected, and allows filtering by number of days.

Upgrade status

Agent upgrade status of this computer. See Agent Upgrade Status for status options. On the Computer Details page, only appears for computers requiring upgrade.

Upgrade error time

If an error occurred on agent upgrade, the time of that error. On the Computer Details page, only appears for computers on which an upgrade was attempted.

Policy status

Status (up-to-date or not, etc.) for the policy protection of this computer. See Agent Policy Status for details.

Description

Optional information about this computer, displayed on the Computer Details page. When entering or editing this text on the details page, click the Update Computer button to save.

Computer tag

Optional text string you can add to identify groups of computers that you might want to get reports about or treat in a particular way. A tag offers an alternative to policies as a way to identify groups of computers. For example, you might want to apply a Low (Monitor Unapproved) policy to all computers in your office but be able to track file activity in more specific reports for computers in tagged subgroups such as sales or accounting.

Tags may be set on the Computer Details page for one computer or on the Computers page Action menu for multiple computers.

Policy

Currently assigned policy for the computer.

Policy Mode

Security mode in which this policy is operating. The choices are Visibility, Control, and Disabled.

Connected Enforcement

Assigned Enforcement Level while the computer is in communication with the Carbon Black App Control Server. To change this setting for this computer and its fellow policy members, edit the policy. If the Enforcement Level is not up to date with changes to the policy on the server, “(out of date)” will be appended.

Virtualized

Indicates whether this computer is a virtual machine (Yes, No). On the Computer Details page, this is combined with Virtual Platform into a single field on the System Details tab.

Virtual Platform

If this is a virtual machine, the virtualization platform used to generate it. Current values are blank, VMware, and Unknown. On the Computer Details page, this is combined with Virtualized into a single field on the System Details tab.

Clone Inventory

For a template computer, shows whether the inventory for clones created from this template includes All Files (including those from the template image) or just New and Modified Files (since creation of each clone). Blank for non-template computers. See Managing Virtual Machines for more details.

Inventory

If this is a virtual machine, shows whether the inventory for this clone includes All Files (including those from the template image) or just New and Modified Files (since creation of this clone). Field is blank for non-clone computers. See Managing Virtual Machines for more details.

Save(button)

Applies changes made to the Description and Computer tag in the General panel of the Computer Details page.

Cancel(button)

Clears unsaved changes made to the Description and Computer tag if you click it before you click the Save button. Page reverts to the settings in effect before you began editing.

 

Table 2. Computer Details page: Tabbed sections
Field Description

App Control Agent tab

CL Version

Configuration List version number indicates synchronization of a computer with server rules. If not current, “(out of date)” appears with the number. Compare the computer’s CL version with the current server CL version on the Computers page. Details pages for many rules also shows the CL version in which the current rule definition was introduced. For use with Carbon Black Support.

Note:

Rarely, you may see this message next to the CL Version:

Agent did receive but is not enforcing all the rules yet.

This means the agent is still processing the rules it received, and some rules may not be fully functional. The message (and the state it represents) disappears within a few minutes.

Debug Level

( Agent Debug Level in table)

Shows current debug level for this agent, indicating the amount of debugging information collected from it. This can be changed on the Advanced menu. For use with Carbon Black Support.

App Control Agent Version

Version number of the agent installed on this computer.

Enabled Trusted Directories

Number of Trusted Directories now enabled on this computer. See Approving by Trusted Directory for details.

Tamper Protect

Status of agent tamper protection features (Enabled or Disabled).

Connection History tab

First Registered

Date and time this computer first registered with its server.

Last Polled

Date and time this agent last polled the Carbon Black App Control Server for updated information and provided updated file information to the server. Agents may poll every 30 seconds, or as seldom as every 10 minutes if the agent is in “sleep” state because the server has no new information about policy changes, approvals, etc.

Last Register Date

Date and time the agent last connected to the server.

Synchronization( %Synchronization in table)

Percent of file information synchronization between this agent and its Carbon Black App Control Server. Appears only after initialization is complete.

Initialization( % Initialization in table)

During initialization, shows the percent of initialization that is complete. Shows as “Complete” after initialization reaches 100%.

Server Backlog

The number of files received from this computer but not yet fully processed on the server. Backlogged files appear in the File Catalog but not in the Files on Computers tab or Find Files page.

Last logged in user(s)

User(s) logged in when the computer last connected to the Carbon Black App Control Server. If AD integration is enabled, click this field for more information about the user.

Policy Override tab

 

Allows generation of a code to temporarily change the Enforcement Level of a disconnected computer. See Using Timed Policy Overrides.

System Details tab

Computer Model

Model of this computer. Also identifies virtual machines.

Processor

Model, speed, and number of processors for this computer.

Installed Memory

Amount of memory installed on this computer.

Operating System/Operating System Details

Operating system version on this computer.

In the Computers table:

  • Operating System shows the basic OS (e.g., Windows 7)
  • Operating System Details includes the full name, the build and service pack level.

On the Computer Details page, the Operating System field shows full details.

Virtualized

Indicates whether the computer is a virtual machine, and if so, its platform. Possible values are: No, Yes (VMware), Yes (Unknown)

AD Details tab

 

Clicking this tab shows any additional computer details available through Active Directory. No information is added if AD integration is not enabled or the AD server is unavailable.

Carbon Black EDR tab

Sensor Version

( Carbon Black EDR Version in table)

The version of the Carbon Black EDR sensor installed on this computer.

Carbon Black EDR Status (in table)

Last Status

(on Details page)

 

This field shows the last Carbon Black EDR sensor status for this computer, as reported by the Carbon Black App Control Agent to the Carbon Black App Control Server. The Carbon Black App Control Server checks Carbon Black EDR sensor status every 30 minutes, and so status changes may be out of sync for up to that amount of time.

The possible values for Carbon Black EDR Status in the table are:

  • Unknown
  • Installed, initializing – sensor is installed but not fully initialized
  • Installed, running
  • Installed, not running
  • Not installed
  • Stopped

On the Details page, the Last Status field on the Carbon Black EDR tab is similar to Carbon Black EDR Status in the table. However, it does not appear if sensor status is Unknown. Values are:

  • Running
  • Service not running
  • Kernel not running
  • Stopped
Note:

  • In addition to up to a 30-minute gap between sensor installation and Carbon Black App Control polling of Carbon Black EDR sensor status, status will continue to report as Not installed until the Carbon Black EDR sensor connects to the Carbon Black EDR server and receives a sensor id.
  • Also, if the Carbon Black App Control Agent is offline or uninstalled from a computer, the last Carbon Black EDR sensor status reported by the agent is displayed in the console, even if sensor status changes.

Uptime

Number of minutes and hours that the Carbon Black EDR sensor has been running since it was last started.

Computer Status

The status of this computer reported by the Carbon Black EDR server.

Registration Time

The date and time the Carbon Black EDR sensor on this computer registered with its server.

Last Checkin

The date and time the Carbon Black EDR sensor on this computer last checked in with its server.

Next Checkin

The date and time of the next scheduled server checkin for the Carbon Black EDR sensor on this computer.

More Information

Connects to the login page of the Carbon Black EDR server configured on the System Configuration page Licensing tab. Logging in takes you to the Sensors page on the Carbon Black EDR console so you can view additional details about this computer.

You must have valid login credentials for the Carbon Black EDR server to successfully open its console.

 

Table 3. Computer Details page: Menu options
Menu/Options Description

Related Views menu

Recent Events

Opens the Events page and shows recent events (if any) for which this computer was the source.

Health Check Events

Opens the Events page and shows health check events for this computer. Use this information for troubleshooting an agent health check failure with Carbon Black Support. You can save the resulting events using the Export to CSV link on the events page.

Files on this Computer

Opens the Find Files page to list all tracked files on this computer.

Carbon Black EDR Details

Opens a new browser window or tab showing the login page of the Carbon Black EDR server configured on the System Configuration page Licensing tab. Logging in takes you to the Sensors page in Carbon Black EDR so you can view additional details about this computer. Link appears only if Carbon Black EDR server is configured.

You must have valid login credentials for the Carbon Black EDR server to successfully open its console.

Actions menu

Change Policy

The dropdown menu provides an alternate way to move the computer into another policy. One of the policies available on this menu is Local Approval, which you can use to temporarily place this computer in Local Approval mode.

Click the Go button to apply the change.

If this computer had its policy assigned automatically, Automatic shows next to the Go button and the menu is not active. You can un-check the Automatic checkbox to remove automatic assignment and then choose a policy from the menu.

Prioritize Updates/Remove Prioritization of Updates

Temporarily increases the priority of this computer for receiving upgrades to the agent and configuration lists from the App Control Server. A disconnected host can be prioritized while disconnected and the state will be respected when agent comes online next time.

Once a computer has been prioritized, this link changes to Remove prioritization of updates. You also can click Remove prioritization... to downgrade a prioritized computer immediately. Once it is up-to-date in all respects, an agent that had Prioritize Updates applied to it automatically returns to normal priority.

An agent may also be assigned permanent prioritization status. This is done automatically for computers hosting Trusted Directories. Permanent prioritization also may be assigned through a command on the Advanced/Other Actions menu.The Remove prioritization... command removes both permanent and one-time prioritization.

Request Agent Upgrade/Remove Agent Upgrade Request

Request Agent Upgrade schedules this agent for an immediate upgrade. Appears only if the agent is eligible for upgrade.

Remove Agent Upgrade Request removes the upgrade request and so the agent is not forced to upgrade. This appears only if you have previously scheduled an immediate upgrade request.

The options apply only to policies with automatic agent upgrades enabled (See Advanced Configuration Options).

Add files to Snapshot

Adds the list of files on this computer (as stored in the App Control Server database) to a snapshot of files. You can use a snapshot to determine how far each of the computers on your App Control Server network have drifted from a baseline of known files. Files in a snapshot can have a variety of statuses; if the snapshot contains banned files, they remain banned. See Managing Snapshots for more detail.

There are two options on this menu:

  • Choose existing snapshot – Adds the list of files on this computer to the snapshot you choose from a menu.
  • Create a new snapshot – Prompts for a new snapshot name and saves the file list of this computer to that snapshot.

Advanced menu

Convert to Template

Converts the current computer to an App Control computer template, after which clone computers created from the template’s image (using third-party virtualization/imaging solutions) can be better managed. See Managing Virtual Machines for more details.

Set Debug Level

Changes the amount of debugging information collected from the agent on this computer. For use with Carbon Black Support.

Configure Agent Dumps

Changes the amount of information included in file dumps from the agent on this computer. For use with Carbon Black Support.

Disable/Enable Tamper Protection

If agent tamper protection is enabled, clicking Disable Tamper Protection disables it. If protection is disabled, clicking Enable Tamper Protection enables it. Disabling tamper protection is not recommended unless required to solve a particular problem, and the feature should be re-enabled as soon as possible.

Other Actions submenu

Less frequently needed agent management features, often for use in conjunction with Carbon Black Support. The options are:

  • Reboot computer
  • Upload diagnostic files
  • Delete diagnostic files on computer
  • Restore database
  • Delete database
  • Restart service
  • Make local copy of agent cache
  • Rescan installed applications
  • Resend all policy rules
  • Resynchronize all file information
  • Upload statistics
  • Run health check
  • Permanently prioritize updates

Change Local State

This menu allows you to locally approve all unapproved files on the computer. You might choose to do this if you have added a large number of known-good files to a computer after initialization.

Perform Cache Consistency Check

A cache consistency check ensures that the agent on this computer has accurate information about the files actually present. It is necessary only if the agent was not running during a time when files were written to the computer. If the agent requires updating due to the consistency check, any differences are also sent to the server.

Changes in the file cache may affect whether or not a file is approved. You can choose one of three levels of cache consistency checking from the menu:

  • Quick Verification: Confirms that each file in the agent's cache exists, verifies that it is still an executable file that should be tracked, and compares the size of each file on disk to the size stored in its cache the last time the file was analyzed. If a file no longer exists, it is removed from the cache. If any of the other checks fail, the file is re-analyzed.
  • Rescan Known Files: Does everything in the Quick Verification, plus compares the hash of each file on disk to the same file’s hash in the agent cache. If the hash does not match, the file is re-analyzed.
  • Full Scan for New Files: Does everything in the previous two levels, plus rescans the entire disk, looking for files that should be in the agent cache, but are not. Analyzes any file found.

In addition to the menu options, there are three checkboxes that can modify the consistency check:

  • Preserve state of changed files: If the agent does not have a record of a hash in its cache, it will look up the file by name. If that is found, the file state from this record will be used for the current file.
  • Re-evaluate publishers: Re-examines each file to ensure that its certificate information is accurate and the certificate is not expired or revoked. Also reevaluates trusted publisher approvals.
  • Approve new files: Locally approve new files found during a full scan.

This consistency check is a troubleshooting feature normally used in consultation with Carbon Black Support. Depending upon the option you choose, a cache consistency check could be a time-consuming operation.