Cb Defense: Best Practices for Deploying Local Scanner

Environment

Cb Defense Sensor: Version 2.0 and above

Microsoft Windows: All Supported Versions

This document does not apply to Cb Defense Mac Sensors (any version).

Objective

Cb Defense Windows sensor version 2.0.1.x+ introduces a new Local Scan functionality. The Local Scan component uses an AV Signature Pack that needs to be downloaded in addition to the sensor itself. See Cb Defense: How to Download the AV Signature Pack and Configure Updates for Local Scan and Cb Defense: How To Configure Local AV Scan for additional information. Deploying a large number of 2.0.1.x+ sensors at once may strain your network. This document contains several best practice recommendations to avoid that.

If you do not wish to use the Local Scan functionality, on the Policy page, disable both of the following options:
  • "On-Access File Scan Mode"
  • "Allow Signature Updates"

Resolution

Recommendation 1: Perform initial installation of AV Signature Pack along with Windows Sensor version 2.0.1.x+

    1. Before installing new sensors or updating older sensors to Windows Sensor versions 2.0.1.x+, create or edit the policy the sensors will be placed in, and set "Allow Signature Updates" to Disabled in that policy.
    2. Manually download the AV Signature pack (see https://community.carbonblack.com/docs/DOC-5786#jive_content_id_Manual_Download__Installation).
    3. Deploy it along with the Windows Sensor versions 2.0.1.x+ using the unattended installation method (see: How to do an unattended Windows install of Confer sensor).
      • Be sure to include the following command option in order to place the sensors into the policy that has AV Signature Updates disabled (configured in step 1):

GROUP_NAME={policyname}

      • ...where {policyname} is the name of the policy that has signature updates disabled. This must be enclosed in double quotes if the policy name includes spaces.
      • To install the AV signature pack silently, use the following command:

CbDefenseSig-YYYYMMDD.exe /silent

      • Wait at least 10 seconds after installing the sensor before running the signature pack installer.
      • Once the new sensors and AV signature pack are deployed, return to the Policy page, select the given policy, and change "Allow Signature Updates" to Enabled.
  • After you enable "Allow Signature Updates" and save the changes to the selected policy, sensors in that policy will begin to download the AV signature pack from Carbon Black servers within the next 5-60 minutes.
  • Subsequent updates following the initial install of the AV signature pack are differential, i.e. they contain only the delta between the currently installed AV signature pack version and the newer version being downloaded. Thus, a regular update schedule keeps each download small.

Recommendation 2: Mirror signature updates on a local server

    1. Before installing new sensors or updating older sensors to Windows Sensor versions 2.0.1.x+, create or edit the policy the sensors will be placed in, and set "Allow Signature Updates" to Disabled in that policy.
    2. Follow these steps to mirror the AV signature updates on a local Windows or Linux server: Cb Defense: How To Set Up A Local Mirror for AV Signature Updates
    3. Deploy new or update existing Windows sensors in your environment to version 2.0.1.x+, making sure they are placed in the right policy (see Step 3 of Recommendation 1 above).
    4. Return to the Policy page, select the given policy, and change "Allow Signature Updates" to Enabled.
  • After you enable "Allow Signature Updates" and save the changes to the selected policy, sensors in that policy will begin to download the AV signature pack from your local server within the next 5-60 minutes.

Recommendation 3: Deploy sensors in smaller batches

    1. Deploy sensors in small batches (for example, 10-20 sensors at a time).
    2. Wait an hour, and deploy another small batch of sensors.
    3. Continue to repeat steps 1-2 until your deployment is complete.
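Recommendations 1 and 3 put together as a script, added here as an example and not code from the original article or from Carbon Black: the sensor is installed unattended into the policy with signature updates disabled, the signature pack follows after the required pause, and hosts are processed in small batches an hour apart. The installer file names and share path, the COMPANY_CODE placeholder, the msiexec property form, and the remote staging folder are assumptions; adjust them to match the unattended-install article for your sensor version.

```powershell
# Added example (not from the original article): batched unattended rollout of the Cb Defense
# Windows sensor plus the AV signature pack. Installer names, share path, COMPANY_CODE and the
# staging folder are hypothetical. Requires PowerShell Remoting and PowerShell 5+ (Copy-Item -ToSession).
param(
    [Parameter(Mandatory)][string[]]$Hosts,
    [string]$SensorMsi   = '\\fileserver\cb\CbDefenseSensor-2.0.1.msi',  # hypothetical name/path
    [string]$SigPackExe  = '\\fileserver\cb\CbDefenseSig-YYYYMMDD.exe',   # name pattern from the article
    [string]$CompanyCode = '<YOUR_COMPANY_CODE>',                         # placeholder
    [string]$PolicyName  = 'Staging - Sig Updates Disabled',              # the policy from step 1
    [int]$BatchSize      = 15,                                            # article: 10-20 per batch
    [int]$PauseMinutes   = 60                                             # article: wait an hour
)

# Runs on each endpoint: sensor first, then wait at least 10 s, then the signature pack silently.
$installBlock = {
    param($msi, $sig, $code, $policy)
    # GROUP_NAME must be double-quoted when the policy name contains spaces.
    $msiArgs = "/q /i `"$msi`" COMPANY_CODE=$code GROUP_NAME=`"$policy`""
    $p = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    # 3010 is the MSI "success, reboot required" code and is not a failure.
    if ($p.ExitCode -notin @(0, 3010)) { throw "Sensor install failed on $env:COMPUTERNAME (exit $($p.ExitCode))" }
    Start-Sleep -Seconds 15      # article: at least 10 seconds before the signature installer
    $p = Start-Process $sig -ArgumentList '/silent' -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "Signature pack install failed on $env:COMPUTERNAME (exit $($p.ExitCode))" }
    "$env:COMPUTERNAME: sensor and signature pack installed"
}

$remoteDir = 'C:\Windows\Temp\cbdeploy'   # assumed staging folder on the endpoint
$batches   = [math]::Ceiling($Hosts.Count / $BatchSize)
for ($i = 0; $i -lt $batches; $i++) {
    foreach ($h in ($Hosts | Select-Object -Skip ($i * $BatchSize) -First $BatchSize)) {
        $s = New-PSSession -ComputerName $h
        # Copy the installers into the session so the endpoint never has to reach the share itself
        # (sidesteps the second-hop credential problem with UNC paths inside a remote session).
        Invoke-Command -Session $s -ScriptBlock { param($d) New-Item -ItemType Directory -Force -Path $d | Out-Null } -ArgumentList $remoteDir
        Copy-Item -Path $SensorMsi, $SigPackExe -Destination $remoteDir -ToSession $s
        $localMsi = Join-Path $remoteDir (Split-Path $SensorMsi -Leaf)
        $localSig = Join-Path $remoteDir (Split-Path $SigPackExe -Leaf)
        Invoke-Command -Session $s -ScriptBlock $installBlock -ArgumentList $localMsi, $localSig, $CompanyCode, $PolicyName
        Remove-PSSession $s
    }
    # Article: wait an hour before the next batch (no wait after the last one).
    if ($i -lt $batches - 1) { Start-Sleep -Seconds ($PauseMinutes * 60) }
}
```

Once every batch reports success, switch "Allow Signature Updates" back to Enabled on the policy as described in step 3 of Recommendation 1; until then the sensors stay on the signature pack that was installed locally.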

Additional Note(s)

You can mix and match the recommendations provided in this document, but we recommend that you follow all three when deploying Windows Sensor versions 2.0.1.x+ in your environment.

Related Content

Cb Defense: How To Configure Local AV Scan

Cb Defense: How to Download the AV Signature Pack and Configure Updates for Local Scan

Cb Defense: How To Set Up A Local Mirror for AV Signature Updates

Cb Defense: Verify the Latest Local Scanner Signature Version

Creation Date: 12-15-2016