If you see a threat that requires remediation or further attention, there are many ways you can respond. A key step before taking action is to research the files, processes, users, and other information that is included in the report.
After you determine that a response is required, you can take actions outside of Carbon Black App Control, such as deleting instances of suspicious files or creating new firewall rules. Within Carbon Black App Control, you can check the box next to events reported in threat views and act on the files reported in the events using the commands on the Action menu, including:
- View Carbon Black Reputation Data – If you have enabled Carbon Black File Reputation, you can open the Carbon Black File Reputation site to view additional reputation information about a file (if available), including its first seen date and prevalence on agent-monitored computers.
- Send Suspicious Files for Analysis – If you have used the Carbon Black App Control Connector to integrate an external analysis appliance or service, you can send files reported as threats for external analysis. Note that this option sends the target file noted in a threat event for analysis, not the process. See App Control Connector for more information.
- Ban Globally/Ban by Policy – You can ban a suspicious or malicious file directly from the Action menu in one of the threat views, and you can configure policies to terminate running processes for banned files. Bans should be used carefully because it is possible that a file reported in a threat report is used for both acceptable and unacceptable purposes. One way to determine this is to begin with a Report Only ban, an option available on the Ban by Policy page. See Approving and Banning Software for more information.
- Delete Files – In addition to banning suspicious or malicious files, you can delete them through the Carbon Black App Control console, either on one computer or on every agent-managed computer where they appear. See Deleting Files for more information.
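The staged approach described under Ban Globally/Ban by Policy (research the file first, then start with a Report Only ban) can also be driven from the App Control REST API. The following is an added example, not code from the product documentation. It assumes the `fileRule` endpoint under `/api/bit9platform/v1/`, the `X-Auth-Token` authentication header, and the `hash`, `fileState`, `reportOnly` and `policyIds` field names (with `fileState` 3 meaning Banned and `policyIds` a comma-separated list); verify these against your server's API documentation. The threat events it works on are constructed sample data.

```python
"""Research a threat-reported file, then stage a Report Only ban by policy.

Added example; not from the App Control documentation. Endpoint path, auth
header and fileRule field names are assumptions to check against your server.
"""
import json
import re
import urllib.request
from collections import defaultdict

FILE_STATE_BANNED = 3          # assumption: fileState value App Control uses for "Banned"
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)

# Constructed sample threat events (not real data): one row per event as a
# threat view would list it, with the file hash, the process that touched it,
# the computer, the user and the policy the computer belongs to.
SAMPLE_EVENTS = [
    {"hash": "ab" * 32, "process": "C:\\Windows\\explorer.exe", "computer": "WS-01", "user": "CORP\\alice", "policy_id": 5},
    {"hash": "ab" * 32, "process": "C:\\Tools\\psexec.exe",     "computer": "WS-02", "user": "CORP\\bob",   "policy_id": 5},
    {"hash": "ab" * 32, "process": "C:\\Windows\\explorer.exe", "computer": "WS-03", "user": "CORP\\alice", "policy_id": 7},
    {"hash": "cd" * 32, "process": "C:\\Temp\\dropper.exe",     "computer": "WS-02", "user": "CORP\\bob",   "policy_id": 5},
]


def summarize_by_hash(events):
    """Group threat events by file hash so the file can be researched before
    any ban: which computers, processes, users and policies it appears in."""
    buckets = defaultdict(lambda: {"computers": set(), "processes": set(),
                                   "users": set(), "policy_ids": set()})
    for ev in events:
        b = buckets[ev["hash"].lower()]
        b["computers"].add(ev["computer"])
        b["processes"].add(ev["process"])
        b["users"].add(ev["user"])
        b["policy_ids"].add(ev["policy_id"])
    return {h: {k: sorted(v) for k, v in b.items()} for h, b in buckets.items()}


def build_ban_rule(file_hash, policy_ids, report_only=True, name=None):
    """Request body for a Ban by Policy fileRule. report_only=True creates the
    Report Only ban the docs recommend as a first step; set it to False once
    the reported events confirm the file has no legitimate use."""
    if not SHA256_RE.match(file_hash):
        raise ValueError("expected a 64-hex-character SHA-256 hash")
    if not policy_ids:
        raise ValueError("Ban by Policy needs at least one policy id")
    return {
        "hash": file_hash.lower(),
        "fileState": FILE_STATE_BANNED,
        "reportOnly": bool(report_only),
        # assumption: policyIds is a comma-separated string of policy ids
        "policyIds": ",".join(str(p) for p in sorted(set(policy_ids))),
        "name": name or f"{'Report Only ' if report_only else ''}ban {file_hash[:12].lower()}",
        "description": "Created from threat report review",
    }


def post_file_rule(base_url, token, body, opener=urllib.request.urlopen):
    """POST the rule to the App Control server (assumed endpoint and auth
    header). `opener` is injectable so the call can be exercised offline."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/bit9platform/v1/fileRule",
        data=json.dumps(body).encode("utf-8"),
        headers={"X-Auth-Token": token, "Content-Type": "application/json"},
        method="POST",
    )
    with opener(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


def stage_report_only_ban(events, file_hash):
    """Research first, then a Report Only ban scoped to the policies where the
    file was actually seen. Returns (summary, rule_body)."""
    summary = summarize_by_hash(events)[file_hash.lower()]
    return summary, build_ban_rule(file_hash, summary["policy_ids"], report_only=True)


if __name__ == "__main__":
    summary, rule = stage_report_only_ban(SAMPLE_EVENTS, "ab" * 32)
    print(json.dumps(summary, indent=2))
    print(json.dumps(rule, indent=2))
    # Against a real server (placeholder URL and token):
    # post_file_rule("https://appcontrol.example.invalid", "TOKEN-PLACEHOLDER", rule)
```

The summary shows that the first sample hash is launched by both `explorer.exe` and a remote-execution tool across two policies, which is exactly the mixed-use situation the docs warn about; the rule is therefore created with `reportOnly` set and scoped to those two policies, and the `policyIds` list can be narrowed or the flag cleared after the Report Only events have been reviewed.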
In addition to the choices on the Action menu, there can be situations in which creating a different type of rule, such as a custom or registry rule, could mitigate the threat. These rules require that you enter their parameters manually. You can copy file, registry, or process information from events in the threat views and then configure the other rule parameters as you choose, restricting the rule to the actions you are certain you want to block or report on so that critical files or processes are not blocked. See Custom Software Rules, Registry Rules, and Memory Rules for more information about creating these rules.