Installation and Initialization

For each security policy you create, an agent installer is created for each supported platform (Windows, macOS, or Linux) for which an initial installer package has been uploaded to the server. Each agent installer includes the policy assigned to the computer and the Carbon Black App Control server address

If you do not use AD-based policy assignment, you choose the agent installer for each endpoint based on the endpoint’s platform and the policy that you want to control that endpoint.

Setting up your server so that it can create installers is described in Uploading Agent Installers and Rules to the Server. Installation of agents on endpoints is described in:

Tip: It is a best practice to install agent software into a Disabled Mode policy. Such a policy is configured to be in Disabled Enforcement mode. In such a scenario, the agent only initializes when moved into any policy that is not configured for Disabled Enforcement.

File initialization begins in either of the following cases:

As soon as the agent software is installed into a visibility-mode or control-mode policy.
If the agent is moved from a disabled-mode policy to a visibility-mode or control-mode policy.

The agent takes an inventory of all “interesting files” (executables and defined scripts) on the client computer’s fixed drives (but not removable drives) and creates a hash of each file. When an endpoint first connects to the server, its agent sends these hashes to the Carbon Black App Control server to update the server’s file inventory.

Note: Virtual machines cloned from template computers can be configured to include or omit their initial (cloned) files in their inventory. See "Configuring Clone Inventory" in the Carbon Black App Control User Guide for more details.

Carbon Black App Control assigns files both a local and a global file state. Files that exist on an endpoint at initialization receive a local state of Approved unless they have previously been identified and globally banned or banned by policy on the Carbon Black App Control server.

Unless pre-banned or pre-approved by an Carbon Black App Control rule, files that the Carbon Black App Control server has never seen before will get the global state of Unapproved and be added to the catalog. If a file was first seen on this agent after initialization, it will also get the local state of Unapproved on the agent. For more information on file state, see "File State, Approving and Banning" in the Carbon Black App Control User Guide.

During initialization, the computer is protected by whatever security policy is assigned to it, and file activities are allowed or blocked according to that policy.