Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Carbon Black Cloud sensor: Linux sensor support

Carbon Black Cloud sensor: Linux sensor support


Attention:

Support information for each Carbon Black Cloud Sensor has moved to VMware Docs. This UEX page will no longer be updated.

Each sensor is a distinct OER on VMware Docs and the links are provided below:


 

 

Comments

Hi

 

For Amazon Linux 2 and Ubuntu* distributions, any reason that CB Defense listed as '2.2.0' and not '2.2.0 - 2.4.0' ?

 

@haro Thanks for pointing this out. It has been updated. 

Hi,

 

By 'CB Defense (Live Response only)'  do you mean that we won't be able to apply prevention policies, for example to terminate known malware, and we wont see events for Linux machines under Investigate page?

 

That's correct @gszajwaj - the Linux Sensors currently do not enforce an policy actions, and you will not see any events, as we are not tracking them. It is purely so actions can be taken via Live Response.

Here's a KB Article on this point...
CB Defense: Can the Linux Sensor be assigned to a policy?
https://community.carbonblack.com/t5/Knowledge-Base/CB-Defense-Can-the-Linux-Sensor-be-assigned-to-a...

I hope that helps clarify this for you.

~David

I'm running PSC sensor and my environment has only ThreatHunter, enabled.

I'm still not able to download Linux sensors, just Windows. Any clue on the date it will became available?

 

Best,

Jefferson

Any future support for Oracle Enterprise Linux?

@pipesbi We are actively working on Oracle Linux support.

A couple things to mention here:

LiveOps (Audit and Remediation) will support Oracle Linux 6, 7, 8 with both the UEK and RHCK kernel. 

For ThreatHunter (Enterprise EDR) and Defense (Endpoint Standard), Oracle Linux 6/7 with the RHCK kernel will be the only distributions/kernels supported upon initial release. 

What is the timing for Cb ThreatHunter (Cloud EDR) support for SLES12 and 15?  I still see them listed above as only supporting LiveOps (still).

 

Also, what about support for CbTH and CbD for RHEL/CentOS 8?  It's listed under LiveOps and it's been out for 6+ months.

 

when can we expect active protection( CB Defense & Threat Hunter) for ubuntu servers ?

Are there any updates to the availability of seeing events?  This feature was promised by the end of 2019 and we are more than halfway through 2020.  

@hhendrickson @cullom @maheshn89 

We are actively working on 4.x+ kernel support on RHEL8, SUSE, CentOS8, Oracle8, Amazon Linux and Ubuntu. The first milestone we are looking towards is Enterprise EDR support (formerly CB ThreatHunter) at the end of the year. Endpoint Standard (formerly CB Defense) will follow. 

@mlinde  - that's good to hear, but what about all my existing SUSE servers running kernel 3.10 that I really want to get consolidated under a single portal and agent (CbTH)?  Or are you saying that you will never have CbTH support for SUSE 12 and 15?

Hi

In Release Note for 2.8.0 , support for Audit and Remediation is mentioned as "Oracle Linux 6.0-8.2 on both the RHCK kernel and UEK kernel."

However, the above "CB LiveOps Supported Distribution" only has "8.0-8.1" for Orcale Linux 8.

Which is correct for Oracle Linux 8.2 support status?

@hhendrickson we will be adding support for SLES 12 and 15, but only on the 4.x+ kernels. Both SLES 12 and SLES 15 have shipped with kernels 4.x+ for the past couple years. As we move towards using an eBPF-based solution so we can support more distributions, a requirement will be on the newer kernel versions. 

 

@haro Oracle 8.2 is supported on LiveOps, updating this table now. 

What're the chances of getting Arch support added? I get that you would have to limit kernel versions and that's semi anti arch, but would still love to see it as a supported distro so I could use things like Manjaro.

is there an ETA for ubuntu 20 sensor kit on cb defense? right now i only see 16/18

Is there a specific estimated time of arrival for CB Defense Linux support Debian/Ubuntu ?

Hi,

we had patched our linux servers from 7.8 - 7.9 and all sensors went on to bypass mode due to "unsupported OS" is there a timeline on having this addressed in future sensor releases? if so, any ETA?


Thanks,

Venkat.

any updates on the Linux 7.9 support?

Looks like they just put it out.

We found a possible backend/console bug as we updated some it's across any version - seems to be general ui bug
query by agent version "2.10.1.373013"
"query asset" icon under action does not show
 
query by name of endpoint "hostname"
"query asset" icon under action displays properly
 

Anyone facing some issues on Ubuntu 16.04 after sensor upgrade to 2.10.1?

@ittommi and @mdeschenes I would advise opening a case if you are still having issues. That will be the fastest path to resolution. 

Thanks for the consolidated view for agent support. What is the timeline for Endpoint Standard support on Ubuntu and Amazon Linux?

Following up on da878t's comment, any word on when Endopint Standard support for Ubuntu and Centos 8 will be available?

The table here makes for a confusing read what does 5.4-* mean? 5.4 and above?
Could the page be updated to make this clearer?

Why no EDR column like for the Windows OSs? What versions of Linux is EDR supported on? 

@jpenrod This matrix is specifically for the Carbon Black Cloud products.

For the EDR and App Control Linux version support you can view them here: https://community.carbonblack.com/t5/Documentation-Downloads/CB-Response-Sensors-amp-CB-Protection-A...

Hope this helps.

Any plan to support latest linux kernel versions ?

Hi  @djay  @bwuchte 

For SUSE/SLES OS,
download sensor kits via console says for SUSE 12 and 15 . does it mean CB cloud sensor supports SUSE/SLES 12 and above (as per console) or strictly 12.2 and above (as per supported OS matrix here? )

@BalguriV Hello, the listed distributions are the major ones, we clarify the minor version of that distro here. For SUSE/SLES 12 that is 12.2-12.5 and for SUSE/SLES 15 that is 15.0-15.1 . It would make for a very cluttered interface if we listed all of the minor versions supported in the sensor kit download menu.

thank you @alpopov for clarifying. 
Also, when do VMWare/CB sensors normally catch up with new OS releases? 

Hi,

I did some research but got little confused, I would need some help here.

My initial question was - Are EDR sensor supported on Amazon Linux 1 and Amazon Linux 2?

After doing some research I am confused if there are two types of sensors available, I can see on our CB response portal we are on sensor versions like 7.1.*  whereas on this page its mentioned 2.* for Linux systems.

On the doc page its mentioned " With the release of the Carbon Black Cloud v2.5.0 Linux sensor, Audit and Remediation and Enterprise EDR are supported on the Linux platform. The Carbon Black Cloud Linux sensor is highly modularized. It can support independent runtime enablement of Enterprise EDR and Audit and Remediation. You can manually customize the installer package to install only desired features. To install Audit and Remediation only, see Customizing the Carbon Black Cloud Linux feature selection."  Does that mean we can use this sensor to direct to our CB response portal?

Any way to find the 2.13.0 to test on Debian 11?

It's not available in the "Sensor Options" Download section in the portal yet.

Do any one can help me with the version of CB defense sensor that supports Linux Suse 11 SP2

@syesuna1 - By the looks of things from the matrix above, SUSE 11 has no Support - Looks like it starts at 12.2

Article Information
Author:
Creation Date:
‎12-22-2020
Views:
75851