Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

CB Protection 8.1.4 User Guide

CB Protection 8.1.4 User Guide

This document provides information for administrators, incident responders, and others who will operate the CB Protection Console. It describes how to use CB Protection, including:

  • How to use the CB Protection Console
  • Server configuration
  • Agent installation
  • Computer and file management
  • Rule creation
  • Monitoring features

See the "Before you begin" chapter for a complete list of topics discussed in the document.

See the Comments below for changes in this version.

Labels (1)

Change log for the October 2019 CB Protection 8.1.4 User Guide (changes since the August version):


This update contains only one content change. In the "System Configuration" chapter, the "Activating CB Collective Defense Cloud" section now includes the following guidance about .NET version:

The Carbon Black Collective Defense Cloud (CDC) requires a TLS 1.2 connection from the CB Protection Server. If you intend to connect to the CDC, use of .NET 4.6 (or later) is recommended. Earlier versions of .NET will default to pre-TLS-1.2 protocols, and this will prevent a CDC connection unless you disable those older protocols. Disabling older TLS/SSL protocols may be a security issue for connections to other services from your CB Protection Server.


Change log for the August 2019 CB Protection 8.1.4 User Guide (changes since the May 2019 8.1.4 version):

Note: This is a documentation update only -- the product has not changed since the previous 8.1.4 edition of this manual.

In the "Managing Computers" chapter, the section "Uploading Agent Installers and Rules to the Server" has an added note specifying that you must upload each rule file and agent installer package to the server one at a time. Attempts to upload more than one of these at a time will cause the upload to fail. 

In the "Managing Computers" chapter, the section "Installing the Agent on a Mac Computer" now includes instructions for allowing the Mac agent kernel extension when installing or upgrading a Mac agent to a system running High Sierra or later. Also, information has been added about enabling the updater for Mac System Updates. These were formerly in the release notes.

In the "Managing Computers" chapter, the section "Upgrading CB Protection Agents" now includes instructions for manual upgrades of Linux and Mac agents. These were formerly in the release notes.

In the "Managing Computers" chapter, the section "Enabling Trusted Directory Approval of WIM Files" includes a new link for access to ImageX.exe for Windows 10 systems (and their server equivalents). For Windows 10, this file should be extracted via the Assessment and Deployment Kit (ADK). 

In the "Script Rules" chapter, the "Overview" includes a note describing the minimum file size for script identification and alternative means of managing files below that limit. 

In the "Custom Software Rules" chapter, the section "Additional Macros" now specifies that inserting other macros inside cmdline macros is not supported. 

In the "Custom Software Rules" chapter, the section "Additional Macros" has updates indicating that Cert-related macros may be used only in the Publisher fields for target and process. 

In the "Memory Rules" chapter, the section "Specifying the Rule Permissions" has a correction to the table showing the definition of Write Access. Due to an editing error, this had the wrong definition in some versions of the user guide.

In the "System Configuration" chapter, the section "Advanced Configuration Options" now specifies that a change to the CB Protection Agent: Resource Download Location requires a server restart to take effect. 

Other minor improvements and editorial changes were made in this version.


Change log for the May 2019 CB Protection 8.1.4 user guide (changes since latest 8.1.0 version):

Several locations in the user guide were updated to reflect the separation of agent package distribution from server installation. See the Release Notes for a summary of this change and "Uploading Agent Installers and Rules to the Server" in the "Managing Computers" chapter for a detailed description.

In the "Creating and Configuring Policies" chapter, the description of "Medium (Prompt Unapproved)" enforcement level in Table 22 was changed. This description previously said that unapproved files run remotely from a network share or removable device and allowed by the user remained temporarily approved for 3 days. This temporary local approval actually persists for 14 days. This value was also corrected in the "Endpoint Notifiers and Approval Requests" chapter.

In the "File, Publisher, and Application Information" chapter, the section "Excluding Tracking of Microsoft Support Files" was updated to indicate that you can now exclude tracking of these files at either the agent or server.

In the "Approving and Banning Software" chapter, the "Approving by Trusted Directory" section was updated to clarify that on the Trusted Directories tab of the Software Rules page, the progress number indicates the number of "crawl jobs" processed, which is not the number of files. See that section for more information.

Due to an editing error, several changes made in previous releases were dropped from the 8.1.0 user guide. The following changes have been restored:

  • In the "Managing Virtual Machines" chapter, restored the note that indicates that disabling tamper protection is no longer necessary when you use sysprep to prepare a template. Also removed procedural steps that indicated tamper protection should be disabled.
  • In the "Approving and Banning Software" chapter, the section "Using Timed Policy Overrides" was updated to indicate the machine reboots or agent restarts do not cancel the timed override. This had been correctly documented in previous releases but was missing from the 8.1.0 user guide.
  • In the "Approving and Banning Software" chapter, restored warnings about the user of trusted users and groups.
  • In the "CB Protection API" chapter, restored the correct URLs for access to developer documentation and examples for the API.

In the "Custom Software Rules" chapter, the description of wildcard use in macros was updated to reflect the addition of some macros that can use wildcards, with some syntax restrictions.

In the "System Configuration" chapter, added a clarification in the "Activating CB Response Integration" section to indicate that the URL of the CB Response server requires a port only if you do not use standard ports on the CB Response server (80 for HTTP, 443 for HTTPS).

In the "System Configuration" chapter, a new section, "Activating CB Predictive Security Cloud Integration" has been added to describe how to integrate CB Protection with the Predictive Security Cloud (PSC).

Other corrections and improvements were made throughout the document.

Article Information
Creation Date: