Software approval ensures that users of computers running the Carbon Black App Control Agent can install and run known-good applications regardless of the Carbon Black App Control security settings and Enforcement Level in effect.
Carbon Black App Control supports several complementary methods for approving software on computers. Based on the methods you select, installation of approved software can be permitted on all computers, on computers in selected policies, or on individually selected computers.
You can select the combination of methods that best conforms to your established settings and procedures, especially the software distribution process in place at your site:
- To pre-approve applications to run on all computers (or all computers in selected policies), designate trusted directories, approve specified publishers to allow installation of their applications, or enable certain updaters to update applications automatically.
- To pre-approve low-threat applications to run on all computers (or all computers in selected policies), enable reputation rules based on the trust level reported by Carbon Black File Reputation for specific files and publishers.
- When you discover an individual file or installer that you want to allow to run on all computers or all computers in selected policies, create a File Approval rule.
- When you have a list of hashes for files you want to approve, you can create approvals for the entire list in a single operation.
- When you need to approve software for installation on selected individual computers, either designate trusted users (or groups) to perform installations, or choose a local approval method.
- When you have a special need for a rule to allow installation or execution of files in particular locations, or by particular users or processes, create a Custom Rule.
At all Enforcement Levels except for High, users can install unapproved software. Although not required, Carbon Black recommends approving (or at least Acknowledging) widely used software even if you plan to run at Low Enforcement Level. Approval reduces the number of files with the unapproved status, which can enable you to focus on files that are of potential concern. For example, approving known-good files generally reduces the size and increases the readability of Baseline Drift reports.
Similarly, computers operating in Visibility mode can run any software, regardless of its approval state. Even if you are running all your computers in Visibility mode, you might want to approve known-good files to reduce the amount of event data collected about those files. This also helps prepare you for a possible transition of some or all computers to High or Medium Enforcement Level in the future.
Based on your internal standards and procedures, and on the required scope of the approval (network-wide or computer-specific), you can choose to approve files in any of the ways shown in File Approval Methods.