Compliant Product - VMware Carbon Black App Control v8.8.2

Certificate Date:  2022.03.03

Validation Report Number:  CCEVS-VR-VID11158-2022

Product Type:    Enterprise Security Management

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for Enterprise Security Management-Access Control Version 2.1
  Protection Profile for Enterprise Security Management - Policy Management Version 2.1

CC Testing Lab:  Booz Allen Hamilton Common Criteria Testing Laboratory

Evaluation documents (PDF):

  • CC Certificate
  • Security Target *
  • Validation Report
  • Assurance Activity
  • Administrative Guides (five listed)

* This is the Security Target (ST) associated with the latest Maintenance Release. Previous STs for this TOE are available separately.

Product Description

VMware Carbon Black App Control v8.8.2 is an Enterprise Security Management (ESM) product that provides host-based access control, meaning it controls client user access to objects including files, processes, and system configuration settings on an endpoint system based on an enterprise-level access control policy. The TOE includes a policy management component that is used to configure the access control policies and an agent component which will enforce its policy to allow or prevent client users from performing read, modify, delete, execute, and other operations on objects.

Evaluated Configuration

The TOE is the VMware Carbon Black App Control v8.8.2. The physical boundary of the TOE includes the following App Control Server software and Agent software components:

  • The App Control Server and App Control Console are software version 8.8.2.
  • The App Control Agent for Windows operating systems is software version 8.7.2.
  • The App Control Agent for Linux operating systems is software version 8.7.6.

The TOE does not include the hardware or operating systems of the systems on which it is installed. It also does not include the third-party software that is required for the TOE to run.

The following lists components and applications in the environment that the TOE relies upon in order to function properly:

  • Active Directory (AD): This is an enterprise authentication server. In the evaluated configuration, TOE administrative users can be authenticated against an AD user account. AD is also used for client user identity data on endpoint systems. For endpoint systems running Linux, an LDAP client is used to map local system account information to network accounts defined in AD (since this is not natively supported on the Linux platforms).
    • Examples of such clients include realmd and SSSD.
    • The TOE’s Agent has no awareness of how the user is authenticated by the environment; it only knows the user’s claimed identity on the system (e.g., username, UID).
  • Endpoint System(s): Any general-purpose computer that has the TOE Agent software installed and that supports TLS/HTTPS communications. Supported operating systems for the evaluation include Windows and Linux. These operating systems provide all cryptography for the TOE Agents to communicate with the TOE’s App Control Server. Users of the endpoint systems are considered ‘client users’. ‘Client users’ are users that are considered the subjects to which the access control policies are applied and are not considered TOE users. Refer to Section 2.4.1 for these machines’ specifications.
  • Management Workstation: Any general-purpose computer that is used by an administrative user to remotely manage the TOE via the Console. The management workstation requires a web browser which supports HTTPS (Google Chrome 36 or higher supported, recommend latest version) to access the Console.
  • SQL Server Database: The TOE requires a pre-installed instance of Microsoft SQL Server (2012 or higher supported, recommend latest version) on the same machine where the App Control Server is installed. Microsoft SQL Server must be configured to use the AES-256 encryption method. All TOE configuration data, audit data, and local user data are stored in the database.
  • Windows Server: A Windows Server that has the TOE App Control Server and App Control Console software installed. The SQL Server Database is also installed on this machine. The Windows Server supports TLS/HTTPS communications. The Windows operating system installed on this machine provides all cryptography required by the TOE’s App Control Server and App Control Console components. Refer to Section 2.4.1 for this machine’s specifications.

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. VMware Carbon Black App Control v8.8.2 was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 4. The product, when installed and configured per the instructions provided in the preparative guidance, satisfies all of the security functional requirements stated in the VMware Carbon Black App Control v8.8.2 Security Target Version 1.0. The evaluation underwent CCEVS Validator review. The evaluation was completed in March 2022. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, CCEVS-VR-VID11158-2022 prepared by CCEVS.

Environmental Strengths

Enterprise Security Management

The TOE provides the ability to define access control policies for consumption by Agents for enforcement. The TOE maintains security attributes that belong to individual objects and individual subjects. Through the TOE’s Console interface, administrative users create policies and configuration lists of rules which define whether a subject is allowed or denied the ability to perform an operation on an object based upon the attributes defined within the rule applied to the authorization request. The Server is responsible for deploying new policies and configuration lists to the Agents for enforcement. The Agents immediately enforce any new policies and configuration lists they receive.

The Agents rely on their underlying operating system and its communication with Active Directory for the identification of client user subjects, and on the operating system for the identification of process subjects. The Console requires identification and authentication of the TOE’s administrative users, which is accomplished via a local username/password mechanism or the AD server.

Security Audit

The Agent generates records of auditable events and either transmits them to the Server over TLS provided by the TOE’s underlying operating systems or stores them in local audit logs. The Server generates audit records and stores them in local audit logs or in the SQL Server Database that resides on the Server’s host platform. Additionally, the Server stores all audit events received from the Agents in the SQL Server Database. Administrative users select which events are audited by defining rules that either require or do not require audit events to be generated. Generated audit data is stored in a manner that prevents unauthorized modification or deletion.

The TOE provides a mechanism that requires the Agent to send a proof of receipt to the Server upon receiving a policy or configuration list. This receipt contains the hostname of the Agent’s endpoint system and the policy name or configuration list version that was received. This feedback is then verified by the Server.

User Data Protection

The Agent enforces the access control policy received from the Server and the rules applicable to its policy from the configuration lists received from the Server. The TOE’s access control Security Function Policy (SFP) defines whether a subject is allowed or denied the ability to perform an operation on an object based upon the attributes defined within the rule applied against the authorization request. Each Agent processes the rules assigned to its policy in a hierarchical manner, ensuring that the lowest numbered rule (i.e., the highest ranked hierarchically) is always enforced. By default, the TOE also enforces a self-protection SFP on its Agent’s binaries and configuration data.
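As an added illustration of the hierarchical rule processing described above (example code written for this page, not VMware's implementation; the rule numbers, usernames, paths and the /opt/agent/* self-protection location are assumptions), the following Python model ranks rules by number, lets the first matching rule decide, falls through to a policy default, and applies a self-protection check ahead of the administrator's rules. It also shows that swapping two rule numbers inverts the verdict for the same request, which is the practical consequence of "lowest number wins".

```python
"""Hypothetical model of hierarchical rule evaluation for a host-based
access-control agent. Added illustration, not VMware's code: rule numbers,
paths and usernames below are made up for the example.

Rules are numbered; the lowest number has the highest rank, and the first
rule (in rank order) that matches the subject, object and operation decides
the request. Requests no rule matches fall through to the policy default.
A built-in self-protection check guards the agent's own binaries and
configuration before any administrator-defined rule is consulted.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

OPERATIONS = frozenset({"read", "modify", "delete", "execute"})

# Hypothetical install location of the agent's binaries and configuration.
AGENT_PATHS = ("/opt/agent/*",)


@dataclass(frozen=True)
class Rule:
    number: int              # lower number = higher rank
    subject: str             # username pattern, e.g. "alice" or "*"
    obj: str                 # object path pattern, e.g. "/tmp/*"
    operations: frozenset    # subset of OPERATIONS the rule covers
    action: str              # "allow" or "deny"

    def matches(self, subject: str, obj: str, op: str) -> bool:
        # fnmatchcase avoids platform-dependent case folding; '*' spans '/'.
        return (op in self.operations
                and fnmatchcase(subject, self.subject)
                and fnmatchcase(obj, self.obj))


class Policy:
    def __init__(self, rules: List[Rule], default_action: str = "deny"):
        numbers = [r.number for r in rules]
        if len(numbers) != len(set(numbers)):
            # Two rules with the same number have no defined rank order.
            raise ValueError("duplicate rule numbers: %r" % sorted(numbers))
        for r in rules:
            if r.action not in ("allow", "deny") or not r.operations <= OPERATIONS:
                raise ValueError("malformed rule %r" % (r,))
        # Rank order is by number, regardless of the order rules were written.
        self.rules = sorted(rules, key=lambda r: r.number)
        self.default_action = default_action


def self_protection(obj: str, op: str) -> Optional[str]:
    """Deny modification or deletion of the agent's own files, always."""
    if op in ("modify", "delete") and any(fnmatchcase(obj, p) for p in AGENT_PATHS):
        return "deny"
    return None


def evaluate(policy: Policy, subject: str, obj: str, op: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one authorization request."""
    if op not in OPERATIONS:
        raise ValueError("unknown operation %r" % op)
    verdict = self_protection(obj, op)
    if verdict is not None:
        return verdict, "self-protection"
    for rule in policy.rules:          # highest rank first
        if rule.matches(subject, obj, op):
            return rule.action, "rule %d" % rule.number
    return policy.default_action, "default"


# Constructed sample policy (not from the product): a deny rule ranked above a
# broad allow rule for alice, plus a broad allow for root. Written out of order
# on purpose; Policy sorts by number.
SAMPLE_POLICY = Policy([
    Rule(20, "alice", "*", OPERATIONS, "allow"),
    Rule(10, "*", "/tmp/*", frozenset({"execute"}), "deny"),
    Rule(30, "root", "*", OPERATIONS, "allow"),
])

# The same two rules for alice with their numbers swapped: now the allow
# outranks the deny, so executing from /tmp is permitted.
SWAPPED_POLICY = Policy([
    Rule(10, "alice", "*", OPERATIONS, "allow"),
    Rule(20, "*", "/tmp/*", frozenset({"execute"}), "deny"),
])


if __name__ == "__main__":
    for who, what, op in [("alice", "/tmp/dropper", "execute"),
                          ("alice", "/usr/bin/ls", "execute"),
                          ("bob", "/usr/bin/ls", "execute"),
                          ("root", "/opt/agent/agent.conf", "modify")]:
        print(who, op, what, "->", evaluate(SAMPLE_POLICY, who, what, op))
    print("swapped:", evaluate(SWAPPED_POLICY, "alice", "/tmp/dropper", "execute"))
```

The self-protection check runs before the ordered rules so that even a subject covered by a broad allow rule (root here) cannot modify the agent's own files; the duplicate-number check exists because two rules with equal numbers would have no defined rank and the verdict would depend on list order rather than policy.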

Identification and Authentication

The TOE requires each administrative user to be successfully identified before allowing any TSF-mediated actions on behalf of that subject. The TOE binds administrative users to their assigned role for restrictive security management enforcement.

Security Management

The TOE’s Server maintains the administrative user roles Read-Only, Power User, Admin, and custom roles. Each of these roles has varying levels of privileges which determine what management functions the administrative users are able to perform via the TOE’s Console interface, which is a web-based GUI. Administrative users are able to manage the TOE’s own security functions, administrative users, audit events, and the Access Control SFP, including modifying its default configuration.

When the Server is managing one of its Agents, the TOE has only a single role, called administrator. The Server assumes this role every time an Agent polls the Server, and during this connection the Server sends policy and configuration list updates.

Protection of the TSF

The TOE preserves a secure state when an Agent is terminated by immediately restarting the Agent. Agents maintain policy enforcement by enforcing the last policy received when they are unable to communicate with the Server, and can be configured to enforce a different Enforcement Level when this occurs. The Agent relies on its operating system’s implementation of TLS to discard traffic if a replay is detected. The client users’ and administrative users’ credentials that are needed for TOE operation are stored hashed and encrypted. The TOE also prevents the reading of symmetric keys.

Resource Utilization

In the event of a communication outage between the TOE’s Agent and Server, the Agent will enforce the last known policy and configuration list it consumed. Once communications are restored, the Agent will immediately query the Server for the most up-to-date policy and configuration list data, and immediately enforce them.
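The outage behaviour in this section and the proof-of-receipt mechanism described under Security Audit, as an added example (written for this page, not VMware's code or wire protocol; the hostname, version numbers, the enforcement-level labels and the ConnectionError used to simulate the outage are assumptions): the agent keeps enforcing its last policy while the server is unreachable, optionally at a configured offline enforcement level, polls again on reconnect, and acknowledges each update with a receipt that the server accepts only if it matches what that host was actually sent.

```python
"""Hypothetical model of policy distribution with proof of receipt and
outage handling between a management server and an endpoint agent. Added
illustration, not VMware's code or wire protocol; hostnames, versions and
enforcement-level labels are made up for the example."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class PolicyUpdate:
    policy_name: str
    list_version: int
    enforcement: str              # hypothetical labels: "low", "medium", "high"


@dataclass(frozen=True)
class Receipt:                    # the agent's proof of receipt for one update
    hostname: str
    policy_name: str
    list_version: int


class Server:
    def __init__(self):
        self.online = True
        self.current: Optional[PolicyUpdate] = None   # latest published update
        self.sent: Dict[str, PolicyUpdate] = {}       # hostname -> last update sent
        self.confirmed: Dict[str, int] = {}           # hostname -> acknowledged version

    def poll(self, hostname: str, have_version: int) -> Optional[PolicyUpdate]:
        """Answer an agent poll; None means the agent is already current."""
        if not self.online:
            raise ConnectionError(hostname)           # simulated outage
        if self.current is None or have_version == self.current.list_version:
            return None
        self.sent[hostname] = self.current
        return self.current

    def verify_receipt(self, receipt: Receipt) -> bool:
        """Accept only a receipt that matches what this host was actually sent."""
        expected = self.sent.get(receipt.hostname)
        ok = (expected is not None and receipt.policy_name == expected.policy_name
              and receipt.list_version == expected.list_version)
        if ok:
            self.confirmed[receipt.hostname] = receipt.list_version
        return ok


class Agent:
    def __init__(self, hostname: str, server: Server, offline_enforcement=None):
        self.hostname, self.server = hostname, server
        self.offline_enforcement = offline_enforcement   # level used while cut off
        self.policy: Optional[PolicyUpdate] = None       # last policy consumed
        self.connected = False

    def effective_enforcement(self) -> Optional[str]:
        if self.policy is None:
            return None
        if not self.connected and self.offline_enforcement is not None:
            return self.offline_enforcement
        return self.policy.enforcement

    def poll(self) -> bool:
        """One poll cycle; False means unreachable, last policy stays in force."""
        have = self.policy.list_version if self.policy else -1
        try:
            update = self.server.poll(self.hostname, have)
        except ConnectionError:
            self.connected = False
            return False
        self.connected = True
        if update is not None:
            self.policy = update                         # enforced immediately
            receipt = Receipt(self.hostname, update.policy_name, update.list_version)
            if not self.server.verify_receipt(receipt):
                raise RuntimeError("server rejected receipt %r" % (receipt,))
        return True


def run_scenario() -> Dict[str, object]:
    """Constructed walk-through: deploy, lose the server, reconnect."""
    server = Server()
    agent = Agent("host-a", server, offline_enforcement="high")
    server.current = PolicyUpdate("Default", 1, "medium")
    agent.poll()
    online_level = agent.effective_enforcement()
    server.online = False
    server.current = PolicyUpdate("Default", 2, "medium")   # unseen until reconnect
    reached = agent.poll()
    during_outage = (agent.policy.list_version, agent.effective_enforcement())
    server.online = True
    agent.poll()
    return {
        "online_level": online_level,
        "reached_during_outage": reached,
        "during_outage": during_outage,
        "version_after_reconnect": agent.policy.list_version,
        "confirmed": server.confirmed["host-a"],
        # A replayed receipt for the superseded version is rejected.
        "stale_receipt_accepted": server.verify_receipt(Receipt("host-a", "Default", 1)),
    }
```

Two design points matter here: the agent's last policy is never cleared on a failed poll, so an outage degrades to "enforce what you have" rather than "enforce nothing"; and the server keys its expectation on the hostname it sent to, so a receipt that names an old version, or a host the server never sent anything to, is rejected rather than silently recorded as confirmed.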

TOE Access

The TOE displays a customizable warning banner on the Console login page. The TOE will terminate inactive sessions to the Console after an administratively configured amount of time and allows administrative users to terminate their own Console sessions. The TOE also allows the creation of rules which will allow or deny client users the ability to login to endpoint systems.

Trusted Path/Channels

The TOE’s evaluated configuration enforces secure communication using TLS and HTTPS from the Agent to the Server, from the Server to Active Directory, and from administrative users’ web browsers to the Console. The TLS and HTTPS protocols are implemented by the operating systems underlying the TOE components.

Vendor Information

VMware, Inc.
Tim Smith