This section describes settings that enable you to configure and maintain your Carbon Black App Control Server installation. Access to the System Configuration page is available only to login accounts in the Administrators group or in customized groups with View System Configuration and Manage System Configuration check boxes selected.
Carbon Black App Control uses SSL security for communication between its server and its agents.
This section describes certificates and certificate details.
This is your guide to day-to-day administration and security monitoring tasks: monitoring executable files on your network using App Control; configuring the App Control Server; managing computers running the App Control Agent; and managing App Control Console users.
This section covers the basics of using the Carbon Black App Control Console: how to log in and out, how to navigate in the user interface from the Home page and menu system, and how to view the information Carbon Black App Control makes available to you through tables, details pages, and dashboards.
This section describes how to create and manage login accounts for the Carbon Black App Control Console. It also describes how to define user roles that grant access to specified features, and in some cases limit this access by policy.
This section describes the steps necessary to install Carbon Black App Control agents on computers. It also describes how to upgrade or uninstall agents, view the details agents provide to the Carbon Black App Control Console and manage operating system updates on agent-managed systems.
This section explains how to create policies and change their settings, including Enforcement Levels.
This section explains how Carbon Black App Control efficiently manages virtual machines, called clones in the console, and the template computers on which they are based.
This section describes the location and contents of file information in Carbon Black App Control. It also includes:
This section describes how to approve or ban software using Carbon Black App Control. It includes information about both global and local file approval.
This section describes how to use the Carbon Black App Control Console to delete files on Windows endpoints.
This section describes reputation approval rules, which can be used to automatically approve files based on the file and publisher trust ratings that Carbon Black File Reputation provides.
This section describes advanced features for using file-signing certificates in Carbon Black App Control file monitoring and enforcement activities.
This section describes features for tracking and control of storage devices detected on computers running the Carbon Black App Control Agent.
Custom rules define actions you want the agent to take in response to file, directory, or process activity that matches conditions you specify. They may be used to optimize performance, protect file integrity, create a trusted file path for software distribution, or meet other special needs.
Memory Rules let you protect a process from being accessed or altered by other processes or users.
This chapter describes Registry rules, which control what happens when there is an attempt to make changes in the Windows Registry at locations that match paths you specify. If you choose, you can limit enforcement of the rules to specified users and/or processes.
This chapter describes Script rules, which identify files to be tracked and managed as scripts by Carbon Black App Control. The Carbon Black App Control Server includes built-in script rules, and you can create custom rules to identify other scripts.
Carbon Black App Control provides content-based inspection by using YARA rules, which enables more granular control of the security policy in your environment. YARA rules are descriptions of malware samples that can help you detect and classify malware in files. In a rule, the criteria for the rule are defined and tags are specified. When the rule is enabled, tags are assigned to files that meet the criteria for the rule.
Expert rules are Custom, Memory, and Registry rules created with a special interface that provides many more options than the standard interface for these rules. They are intended for expert users working with Carbon Black Support or Technical Services.
This chapter describes Rapid Configs, which are sets of rules that can be used to accomplish tasks such as application optimization, operating system and application hardening, and approval of files delivered by software distribution systems.
Event rules allow you to specify an action to be performed when an event matches filters you define.
This chapter describes the Carbon Black App Control features that involve interactions with endpoint users.
This section explains how to use Carbon Black App Control event reports and alerts to monitor file activity and other key operations on your network. It also describes tools for detecting propagation of files on your network and for keeping track of the number of times a specified file executes.
This section describes how to use Baseline Drift Reports, which allow you to track changes in the inventory of files on systems running the Carbon Black App Control Agent.
This section describes how you enable and use Carbon Black App Control’s Advanced Threat Indicators, and how you can monitor threats through events, file details, and alerts.
Carbon Black App Control Dashboards are configurable pages containing compact windows called portlets, each of which provides access to Carbon Black App Control-related information or controls.
This section describes how to use the Find Files page to locate or verify the existence of specific executable files on computers running the Carbon Black App Control Agent. Find Files locates instances of files, not their listings in the File Catalog.
The General tab of the System Configuration page has three sets of configuration fields.
Carbon Black App Control event data is stored in a SQL Server database, and expands at a rate that corresponds to file activity on your network. The Events tab provides two sets of options for managing events data generated by Carbon Black App Control.
The top panel of the Agent Server Communications configuration page shows the security status of agent-server communications.
The Current Server Certificate Details panel shows the standard details of a security certificate. If the certificate is self-signed, you can edit the details and regenerate the certificate.
This topic lists certificate details for communications between the Carbon Black App Control Agent and Carbon Black App Control Server.
The way in which the agent verifies that the server name matches the certificate depends on the server information that the server certificate provides.
You can import a new SSL certificate. Keep the following in mind when planning to import a certificate.
Enabling certificate verification instructs all Carbon Black App Control Agents to verify the authenticity of the Carbon Black App Control Server certificate against a Certificate Authority or their Root certificates. This verification adds a level of security to communications because communications between agent and server cannot be spoofed.
Trusted Communication Certificates are certificates that you designate to be automatically trusted by the agents.
Client registration codes are used when you register agents with the server during installation. They prevent other programs from impersonating Carbon Black App Control agents.
The communication key is maintained by the Carbon Black App Control Server and used to encrypt communications with the agent when the secure communication certificate between them becomes invalid. An alert is given five days before the communication key is regenerated. You can view the scheduled date of the next rotation and regenerate the communication key or reschedule the next rotation.
The Advanced Options tab on the System Configuration page includes options related to database backup, computer and agent management, certificate and updater rules, general console management, and settings for optional features.
If your SQL Server administrator has a standard backup plan and mechanism, Carbon Black recommends that you use that mechanism to back up your Carbon Black App Control database. If you do not use a separate database backup mechanism, Carbon Black App Control Server provides a mechanism to fully back up and restore the system as currently configured, including computer configuration, system settings, file database, and event log.
You can restore the Carbon Black App Control Server to its most recent state. Carbon Black App Control database and settings restoration is a manual procedure that requires reinstalling the Carbon Black App Control Server.
Some Carbon Black App Control features require configuration of a mail server so that messages can be sent to administrators or endpoint users.
The Licensing panel of the System Configuration page lets you manage Carbon Black App Control licenses and activate, deactivate, and configure Carbon Black File Reputation.
Carbon Black File Reputation is a web service that provides features to enhance the value of the Carbon Black App Control Server.
This topic refers you to another section in this guide.
If you have multiple Carbon Black App Control servers, you can centralize the management of those servers. Unified Management allows you to specify that one server can control many common management functions for any connected Carbon Black App Control servers.
This section introduces the System Health page, which provides Carbon Black App Control administrators with the ability to monitor the health and performance of the Carbon Black App Control Server.
In addition to the access provided to the Live Inventory of files and computers through the console, Carbon Black App Control provides public views into the database. You can create your own reporting and data analysis solutions through the use of these public views.
The Carbon Black App Control API is intended for programmers who want to write code to interact with Carbon Black App Control, either using custom scripts or from other applications. It is a RESTful API that can be consumed over the HTTPS protocol using any language that can create GET URI requests and POST/PUT JSON requests as well as interpret JSON responses.
This section provides instructions for configuring and using the Connector, which integrates the Carbon Black App Control Server with one or more network security devices or services.
The DasCLI.exe program, referred to as DASCLI, is an executable which provides Command Line Interface (CLI) access to the Carbon Black App Control Windows Agent. Messages are transmitted between DASCLI and the Agent.
The Carbon Black App Control Console includes a page that displays certain diagnostic files for the Carbon Black App Control Server and its agents. These files can be useful when you are investigating issues in your Carbon Black App Control environment with the assistance of Carbon Black Support.
This topic describes uploading files from agents.
This section provides instructions for configuring and using Carbon Black App Control External Analytics, which enables the Carbon Black App Control Server to export data it collects from endpoints to external analysis tools.