We’re migrating product documentation to docs.vmware.com, starting with Carbon Black Cloud. Learn more.

CB Defense User Guide

CB Defense User Guide

This document provides information for administrators and analysts who will operate CB Defense.


Please refer to the in-product User Guide for the most current CB Defense information. We will no longer deliver a .pdf User Guide.

To access the in-product guide, click Help and select User Guide. The guide is context-sensitive, opening to assistance for the current page in the product.


I asked a question, and I get a pdf thrown at me? Poor support.

Hi jbaker.fb​,

Were you referred to the User Guide from a case or another thread on this site? If so, could you please message me with the case # or a link to the thread in question, so I can look into this?

Thank you.


Alexey Popov | Technical Support Manager, Cb Defense

jbaker.fb​, I think I found your case in our system. Case # ending in 938 where a question was posed whether Cb Defense can/should be used alongside other AV solutions such as Microsoft Endpoint Protection. The Support Engineer responded with a reference to page 146 of Cb Defense User Guide, which describes how to set up Windows Security Center (WSC) integration referenced in Cb Defense Is Now A Microsoft-Certified Antivirus Provider and that was introduced in a recent sensor update (see Announcing the release of Cb Defense Sensor for Windows (version​).

If that is in fact your case, while it's common practice for Carbon Black Support to reference parts of User Guide that contain relevant information, the answer provided was perhaps not entirely complete. Here are some additional clarifications that should help address that.

  • Yes, although you don't have to (unless required by your organization), it's ok to run Cb Defense alongside other security software, including conventional AV products. You may need to set up certain bypass permissions in your policy settings within Cb Defense to do so successfully. Please see Cb Defense: How to Set up Exclusions for AV Products​.
  • If you wish to disable Window's built-in malware/virus protection without getting notifications about the system being unprotected, you can do so by using the WSC integration available in Cb Defense (mentioned above).
  • Besides this page, the latest version of Cb Defense User Guide can also be found within the product UI. Please see How to access Cb Defense User Guide after May 2017 Update​.

As a side note, I also noticed you may not yet be a member of you company's "secret group", which is required to open and track Support cases via UeX (this site). Please see Getting Started in Your Support Group for more information. If this observation is accurate, please mention it to the Support Engineer on the case and they will help you get added to the correct group. Alternatively, if you have other people from your company who are already members of the "secret group" group, they can invite you to it as well.

I hope this answers your question fully. If not or if you have follow-up questions, please let us know either by replying here or back in the case.

Thank you.


Alexey Popov | Technical Support Manager, Cb Defense

This is what I am looking to get answered.

I was my understanding that it was not best practice to run two different anti-virus solutions concurrently. Doing so could take up too much of the system’s resources, cause false positives, the two AV solutions aways competing with each other. Is this (or was this) the case? Is it best practice to have CB Defense as the sole AV solution on an end user's system? Or, is it perfectly fine to have CB Defense running side-by-side with another anti-virus software, like Microsoft Endpoint, ESEST, McAfee, and so on? Thank you.

John Baker | I.T. Specialist | Office: 802.473.5226 | Cell: 802.359.3050 | Fax: 802.473.5290 | jbaker@fairbanks.com<mailto:jbaker@fairbanks.com>

Fairbanks Scales Inc. | 2176 Portland Street, Suite 1 | St. Johnsbury, VT 05819

jbaker.fb​, thank you for clarifying the question. That makes sense.

Yes, the same general best practice applies to Cb Defense. There is less chance of running into issues such as conflicts or performance degradation if you choose not to run Cb Defense together with another AV solution. That said, there is no specific recommendation from our side not to do so either, especially since our customers are often required to run additional security products for compliance and other reasons specific to their particular organization.

We know from experience that Cb Defense can co-exist with many AV solutions. In some cases, however, to achieve that you may need to set up exclusions for the 3rd party AV application in Cb Defense or vice versa. More information on that can be found in the KB article linked in my previous reply.

If you experience issues running Cb Defense together with another AV application even after setting up exclusions, please open a Support case and our team will assist you in finding a way to get those working together.


Alexey Popov | Technical Support Manager, Cb Defense

Hi Jared,

Thanks for the explanation. I will follow the PDF instructions guide below.

To invite users to perform an attended installation via email invitation:

1.Log into the Cb Defense Management Console.

2.Click the Settings icon in the top-right corner.

3.Click Sensor Management.

4.Click Sensor Options and then click Add User(s).

5.Type in a comma-separated list of email addresses and then click Add.


Hao Can

Just a friendly heads up on mass deployment invitations based on personal experience...

  • Tell them in advance that you're sending the e-mail invitation or they'll dismiss it as spam or unimportant
  • Tell them in the advance e-mail which version to download (32 bit vs 64 bit)
    • Note that unlike most 32 bit software, the 32 bit variant of the sensor does NOT run on a 64 bit version of Windows (I learned the hard way); I've submitted a feature request for both to be packaged in an installer as most non-IT people have no idea what they're running
  • There is a known bug with the e-mail invitation feature whereby about 20% of end users who receive an e-mail invitation will receive a "Token Expired" error. Even re-sending the e-mail invitation sometimes doesn't resolve the error.

EDIT: I forgot to mention that you'll want to tell end users in the advance e-mail that they may need to MANUALLY type in the installation code. I've seen that most people double-click the installation code in the e-mail to highlight it for copying and pasting into the installer. I'm not entirely sure why but this approach often fails and the only remedy is to enter the code manually.

Good advice, cbd2020​! From what I have seen and heard reported, the most common issue with double-clicking the Installation Code to copy it, is that there will often be an extraneous space at the end, which causes the code to be invalid. I have heard a few customers tell their end-users to copy the code the same way, and then hit the backspace once after pasting the code into the installer UI, which has worked fairly reliably.

Alternately, they could forward the email (without actually forwarding it to anyone, just allowing them to copy/paste) copy the code and paste it to make sure no extra spaces are before or after it prior to pasting into the installer.

khristine​ Thank you very much for publishing this user guide!


The copy paste adds in an end space - they need to make sure it doesn't exist.


Description for the TTP PORTSCAN seems to be missing from the TTP reference page.

Issue found by lsass.exe port scan thread.



Thanks for noticing this, haro​! I am working on a case where I have noted a few other discrepancies in the TTP reference and those which can be selected for use in Notifications.

Thanks for bringing this to our attention. We'll update the User Guide and let you know when it's available.

Hi DB team,


Just a litle question about th CB defense sensor.

In the document it said that in order to communicate with the CBD Cloud, "A sensor can connect to a PSC backend server over TCP/443. The backend server also listens for sensors on port TCP/54443.".

I have to configure our Firewall with the exact url of CBD Cloud but dont found it anyway.

Could you please tel me what is the URL to allow clients to cummincated with the Cloud platform, please ?


Kind regards,



Hi @bsecure,


See the following Knowledge base article for the URLs information:

Cb Defense: API URLs




Hello, we see no Cb Defense User Guide in our org (bottom left console link missing), where can we download please? Note, this KB is not accurate for us:


No User Guide link in Console.PNG





Hello @aurele ,


The user guide has moved to the help dropdown, from the top right of the console. See the screenshot below:user guide.PNG

Hey @sdurney  thanks!  Unfortunately I do not have a User Guide download option:

Edit: I see they are no longer offering a .pdf download (Ugh).

Just a comment from a customer:  The Carbon Black user guides have always been amazing.  It really stinks that you have stopped updating this user guide in favor of the online-help.  Please reconsider this decision.

I've been a customer using Bit9 and Response for several years.  We recently switched to PSC and added CB Defense and I've been trying to get up to date on it.  I tried going through the online help, but it's just not sufficient.  I also tried going through the training academy courses, but I just want to strangle the comic characters. 

IMHO, the best way to learn about CB Defense is still this out-of-date guide.  I'm happy to jump on a call and talk to whoever needs to hear this.

@flakshack I agree.  Maybe VMware's recent acquisition of Carbon Black will convince them to provide that documentation again.  VMware is superb at documentation:





@flakshack  I agree I'm not too fond of the training academy course as much and I also liked the user guide in a PDF format much better than online. Hopefully all of these will be improved with the acquisition of VMware. 

Article Information
Creation Date: