How do File Reputation Approvals work?

Article ID: 291242

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

How do Reputation Approvals work in App Control?

Environment

  • App Control Server: All Supported Versions
  • App Control Agents: All Supported Versions

Resolution

Carbon Black File Reputation provides a cloud-based database of known files. It pulls file data from a combination of distribution partners, Web crawlers, honeypots, and the VMware Carbon Black user community. For files in the database, Carbon Black File Reputation data provides context information such as who published the file and what product (if any) it is associated with. It also screens software using multiple anti-malware tools, and cross-references it against third-party vulnerability databases.

Using the information it has about a file, Carbon Black File Reputation assigns a threat level and a trust rating. It also assigns a trust rating to publishers. A publisher’s trust rating is based on factors including aggregate experience with files from that publisher and the publisher’s general reputation.

Additional Information

  • More information can be found in the user guide section titled "Reputation Approval Rules"
  • Only files whose certificates meet all requirements described in Approving or Banning by Publisher can be approved by publisher reputation.
  • File reputation rules are not listed on the App Control Server, but it's possible to view a list of files approved by reputation. See the “Views Related to Reputation Approvals” section in the App Control User Guide.
  • File reputation rules are found in Rules > Software Rules > Reputation
  • File reputation approval can be enabled per publisher
  • Unlike other approvals, file reputation approvals are not pushed to endpoints automatically. There are three conditions that cause a reputation-based file approval to be sent to endpoints on which reputation approval is enabled:
    • If the App Control Server has a record of a file being blocked on any endpoint and that file is later approved by reputation, the server begins sending the approvals of the file to agents immediately.
    • If a user attempts to execute an instance of a reputation-approved file on a computer connected to the App Control Server, and if the server detects that the file satisfies the reputation trust threshold, the server will allow the agent to run the file immediately, and also will begin sending the approval to other agents.
    • If the reputation-approved file is identified as an installer, the App Control Server begins sending the approval of the file to agents immediately.
  • Even if a file is approved by reputation and not blocked by another rule, until its approval is sent to agents because of one of the cases above, instances of the file may be locally unapproved and may block if the agent computer is disconnected from the server before the approval is distributed.