1. Introduction
VMware Carbon Black App Control Web Console Detection means the administration interface for this endpoint protection product has been found on a system. This is usually expected on systems where an administrator actively manages security policies, but unexpected instances could indicate unauthorised software or misconfiguration. A successful compromise of the web console could allow attackers to modify application control rules and disable protections, impacting confidentiality, integrity, and availability.
2. Technical Explanation
The detection indicates that the Carbon Black App Control (formerly Cb Protection and Bit9 Parity) web console is present on a host. This doesn’t represent an active exploit but highlights a potential management point for attackers. An attacker gaining access to the web console could alter policies, allowing malicious software to run or disabling security features. There are no known CVEs associated with simply detecting the presence of the console.
- Root cause: The Carbon Black App Control Web Console is installed and accessible on the network.
- Exploit mechanism: An attacker would need to gain access to the web console, typically through stolen credentials or a vulnerability in the console itself. They could then modify policies to allow malicious software execution.
- Scope: Affected platforms are those running the Carbon Black App Control agent and associated web console components, including Windows, macOS, and Linux systems managed by the product.
3. Detection and Assessment
Confirming the presence of the web console can be done through several methods. A quick check involves looking for the service running on standard ports. A thorough method is to examine the installed applications list.
- Quick checks: Check if port 80 or 443 is open and serving a Carbon Black App Control login page using a web browser.
- Scanning: Nessus plugin ID 162795 can identify VMware Carbon Black App Control installations, but results should be verified.
- Logs and evidence: Examine application installation logs for entries related to “Carbon Black”, “Cb Protection” or “Bit9 Parity”. Look in the Windows Event Logs under Application and Services Logs > VMware > Carbon Black > System.
Command-line check (each /C: string is matched literally, and the trailing space stops ":80" from also matching ":8080"):
netstat -an | findstr /C:":80 " /C:":443 "
4. Solution / Remediation Steps
The following steps outline how to verify the legitimacy of the web console installation and take action if it is unauthorised. These steps assume a standard Windows environment. Adjust as needed for other operating systems.
4.1 Preparation
- Ensure you have administrator credentials for the Carbon Black App Control console, and export a backup of the current policies so they can be restored. The roll back plan is to restore the backed-up policies and restart the service.
- A standard change window may be required, depending on your organisation’s policies. Approval from a security team lead might be necessary.
4.2 Implementation
- Step 1: Log in to the Carbon Black App Control console using administrator credentials.
- Step 2: Review the installed applications and active policies to confirm their legitimacy.
- Step 3: If the installation is unauthorised, uninstall the Carbon Black App Control agent and web console components from the affected system. Use the standard Windows “Add or Remove Programs” feature.
- Step 4: Scan the system with an up-to-date anti-malware solution to ensure no malicious software was installed alongside the Carbon Black installation.
4.3 Config or Code Example
Before (example, illustrative policy notation: unauthorised application allowed by policy)
Policy Name: AllowList
Rule: Application = "SuspiciousProgram.exe" Action = "Allow"
After (example: remove the unauthorised application from the allowlist)
Policy Name: AllowList
Rule: Application != "SuspiciousProgram.exe"
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent this type of issue. Least privilege is important to limit the impact of a compromised console. Regular application whitelisting and patch management are also key.
- Practice 1: Implement least privilege access controls for all administrative accounts, including those used to manage Carbon Black App Control.
- Practice 2: Regularly review and update application control policies to ensure only authorised software is allowed to run.
4.5 Automation (Optional)
If using a configuration management tool like Ansible, you can automate the uninstallation of the Carbon Black agent. This example requires appropriate credentials and permissions, plus the package's product ID (the key name under the Windows Uninstall registry key, a GUID for MSI installs), which win_package needs to remove a package and which is not given here.
---
- hosts: all   # limit this to the hosts confirmed as unauthorised rather than every host
  tasks:
    - name: Uninstall Carbon Black App Control
      ansible.windows.win_package:
        # state: absent requires product_id; look it up on the affected system
        product_id: "{{ carbon_black_product_id }}"   # placeholder variable, supply the real ID
        state: absent
5. Verification / Validation
Confirm the fix by verifying that the web console is no longer accessible and that the agent has been uninstalled. A smoke test should confirm basic system functionality.
- Post-fix check: Attempt to access the Carbon Black App Control login page in a web browser. Expect a “connection refused” or similar error message.
- Re-test: Run the `netstat` command from the Detection and Assessment section. The relevant ports should no longer be listening.
- Smoke test: Verify that basic system functions like file sharing, printing, and network connectivity still work as expected.
- Monitoring: Monitor application installation logs for any unexpected entries related to Carbon Black App Control.
netstat -an | findstr /C:":80 " /C:":443 "
(should return no results)
6. Preventive Measures and Monitoring
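As an added example that is not part of the original page or the vendor's tooling, the following PowerShell function performs the presence checks from Detection and Assessment (installed-program entries, the service, and listening console ports) and can be rerun after the uninstall as the re-test in this section. The product names and the service display name are taken from this page; the Uninstall registry paths are the standard Windows locations; the ports are the page's 80/443 assumption, so an open port is reported separately from product presence because any web server could own it.

```powershell
# Added example (not from the page or the vendor): report whether Carbon Black
# App Control components are present on this Windows host. Run elevated.
function Get-AppControlFootprint {
    [CmdletBinding()]
    param(
        # Display-name fragments from the page (current and legacy product names)
        [string[]]$ProductNames = @('Carbon Black App Control', 'Cb Protection', 'Bit9 Parity'),
        # Ports the page says the console login page is served on (assumption)
        [int[]]$ConsolePorts = @(80, 443),
        # Service display name as the page gives it (assumed exact)
        [string]$ServiceName = 'VMware Carbon Black App Control Service'
    )

    # 1. Installed programs: check both the 64-bit and 32-bit Uninstall hives
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.DisplayName
            $name -and ($ProductNames | Where-Object { $name -like "*$_*" })
        } |
        Select-Object DisplayName, DisplayVersion, UninstallString, PSChildName

    # 2. Service state (Status is reported; absence means not installed)
    $service = Get-Service -DisplayName $ServiceName -ErrorAction SilentlyContinue

    # 3. Listening sockets on the console ports, with the owning process
    #    (the PowerShell equivalent of the page's netstat | findstr check)
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $ConsolePorts -contains $_.LocalPort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                ProcessId    = $_.OwningProcess
                ProcessName  = $proc.ProcessName
            }
        }

    # ProductPresent is based on the registry and service only; an open
    # 80/443 port by itself is not proof, so it is reported separately.
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        InstalledProducts = @($installed)
        ServiceStatus     = if ($service) { $service.Status.ToString() } else { 'NotInstalled' }
        ConsoleListeners  = @($listeners)
        ConsolePortsOpen  = [bool]$listeners
        ProductPresent    = [bool]($installed -or $service)
    }
}

# Usage: run before remediation to confirm the detection, and again afterwards.
Get-AppControlFootprint | Format-List
```

After a successful uninstall, expect ProductPresent to be False and ServiceStatus to read NotInstalled; ConsoleListeners should be empty unless another web server on the host legitimately owns port 80 or 443, in which case the listed ProcessName tells you which.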
To prevent recurrence, update security baselines and implement checks in your deployment pipeline. A regular patch cycle is also essential.
- Baselines: Update a security baseline or policy to include a check for unauthorised Carbon Black App Control installations.
- Pipelines: Add a scan in CI/CD pipelines to detect any unexpected software installations, including Carbon Black components.
- Asset and patch process: Implement a regular patch cycle for all endpoint protection products, including Carbon Black App Control.
7. Risks, Side Effects, and Roll Back
- Risk or side effect 1: Removing the agent could leave systems unprotected if it was actively managing security rules.
- Risk or side effect 2: Uninstalling may require a system reboot.
- Roll back: Restore the backed-up Carbon Black App Control policies and restart the “VMware Carbon Black App Control Service”. Reinstall the agent if necessary, following vendor documentation.
8. References and Resources
- Vendor advisory or bulletin: https://www.carbonblack.com/products/app-control/
- NVD or CVE entry: Not applicable, as this is a detection issue not a specific vulnerability.
- Product or platform documentation relevant to the fix: https://docs.vmware.com/en/Carbon-Black-App-Control/index.html