
DATE CHANGE: Update to the Carbon Black Defense Local Scanning Engine


NOTE: Due to additional Quality Assurance measures Carbon Black will be delaying the release of the updated local scanner package by one day to April 26th. The post has been updated below.


On April 26th, Carbon Black will be providing an update to the local scanner deployed to Microsoft Windows operating systems that will reduce the size of the signature database by 25%! This update will result in a reduced memory footprint and improved overall performance of the Cb Defense sensor.

In order to achieve the reduction, Carbon Black will push a one-time update to all sensors that is 155 MB in size. This update will take place on Tuesday April 25th, and after the initial delivery all subsequent updates will return to the kilobyte range.

Due to the increased size of this update customers with large deployments or reduced network bandwidth may experience temporary network congestion when pulling this update from the cloud. As a result Carbon Black will make available a special installer that can be internally deployed through a systems management tool such as Microsoft’s SCCM.

The standalone installer is now available here

The installer will also be available through the Settings -> Enrollment -> Manage Sensors. The proper date for this updated installer package is 20170425.

If there is concern about the amount of traffic that this update will generate on your network Carbon Black recommends the following actions:

  1. Install a local mirror server to ensure that the update is only pulled externally a single time. Instructions can be found here.
  2. Temporarily disable updates to the local scanner using policy settings prior to the April 25th delivery date to avoid having the sensors pull the update from the cloud. Then deploy the update using the provided standalone installer in a controlled manner, and re-enable signature updates via policy settings. Please see the following knowledge base document for more information: https://community.carbonblack.com/docs/DOC-5786
  3. Increase the window of time between updates to spread the update over a larger period of time. This can be configured from the Local Scan Settings tab within a policy. Options include 2, 4, 8, 12 and 24 hours.
Comments

Will this update address the Cert White listing issues?

Hi matt.bricker,

The update referenced in the announcement above is only for signatures used by the local scanner component of Cb Defense sensor. See more in Cb Defense: How To Configure Local AV Scan, Cb Defense: How to Download the AV Signature Pack and Configure Updates for Local Scan and Cb Defense: How To Set Up A Local Mirror for AV Signature Updates.

The Certs whitelisting functionality is unaffected by this particular update, but it will see a number of bug fixes and improvements in the next Windows sensor version (2.0.4.x) that will be released in the coming weeks. Please follow Customer Product Status & Announcements to be notified when the update is available.

Thank you.

--

Alexey Popov | Technical Support Manager, Cb Defense

I just want to confirm that this is not applicable to CB Enterprise Response, correct?

This will affect enterprise response cloud customers?

You are correct, rkilgore. The announcement above is only applicable to Cb Defense. It does not involve other products.

--

Alexey Popov | Technical Support Manager, Cb Defense

mikemiller1, the signature update mentioned in the announcement above is specific to Cb Defense. It does not apply to Cb Response Cloud.

--

Alexey Popov | Technical Support Manager, Cb Defense

What drove the decision to push this update on a Tuesday? I'm sure a majority of customers have their peak production periods in the middle of the week, and it seems a weekend would have been better tailored for such a big push?

nkushnar, thank you for your question. The update will be posted on Tuesday night after normal business hours. We felt providing the update at this time would give our customers the best opportunity to monitor the update over the course of the week as devices will need to be on and internet connected to receive the update. If this is not a good time please follow the steps in the post above to have tighter control over when the update is deployed in your organization.

I agree, a Tuesday schedule makes sense. Everyone is coming into messes that happened over the weekend on Monday but Tuesday gives enough time to see if anything breaks over the course of a week

So where is the link to the installer for this update?  Shouldn't that be available before you turn on the auto update?

You can find the installer under your Cb Defense login area > Enrollment > Manage Sensors > AV Signature Pack. This is an update to the definitions not the application, as such this is controlled via the policy not the enrollment area.

Thank you, it is now showing as an option to download.

How do we tell that the sensor is updated? What is the scan engine version we should be looking for?

I believe that you should see your avEngine at or above --- vdf:8.14.1.190

All,

The standalone installer is now available here

The installer will also be available through the Settings -> Enrollment -> Manage Sensors. The proper date for this updated installer package is 20170425.

The body of this post has been updated with these two locations as well.

Hi dgibson,

cstamand is correct. You will find the download link for the updated standalone signature installer under Settings -> Enrollment -> Manage Sensors -> AV Signature Pack. The filename will be CbDefenseSig-20170425.exe


Since Cb Defense customer orgs span multiple backend systems, I have verified that the updated installer is available to everyone who is logging in to the product using any of the following URLs: https://dashboard.confer.net, https://defense.conferdeploy.net, https://defense-prod05.conferdeploy.net, https://defense-prod05.conferdeploy.net

dtolar, to answer your question - once the signature update is installed successfully, expanding the information for a device under Enrollment will show the following version: Scan Engine:4.5.2.234-ave.8.3.44.42:avpack.8.4.2.58:vdf:8.14.1.190

Thanks for your questions. Please comment if additional information or a clarification is needed.

--

Alexey Popov | Technical Support Manager, Cb Defense
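
One way to check a device list against the Scan Engine string quoted above, as an added example that is not Carbon Black's code. It assumes the Scan Engine value has been exported per device; the device names and every version string except the first are constructed. Versions are compared numerically, because a text comparison would rank 8.14.1.90 above 8.14.1.190.

```python
import re

# Minimum virus-definition (vdf) version quoted in the thread for the updated pack.
REQUIRED_VDF = (8, 14, 1, 190)

# Component layout taken from the string quoted above:
#   <engine>-ave.<ver>:avpack.<ver>:vdf:<ver>
_COMPONENT = re.compile(r"(ave|avpack|vdf)[.:](\d+(?:\.\d+)*)")


def parse_scan_engine(value):
    """Split a 'Scan Engine' string into {component: version tuple}."""
    value = value.strip()
    if value.lower().startswith("scan engine:"):
        value = value.split(":", 1)[1].strip()
    parts = {}
    engine = re.match(r"\d+(?:\.\d+)*", value)
    if engine:
        parts["engine"] = tuple(int(n) for n in engine.group().split("."))
    for name, ver in _COMPONENT.findall(value):
        parts[name] = tuple(int(n) for n in ver.split("."))
    return parts


def is_updated(value, required=REQUIRED_VDF):
    """True only if a vdf component is present and numerically >= required."""
    vdf = parse_scan_engine(value).get("vdf")
    return vdf is not None and vdf >= required


def outdated_devices(inventory):
    """Return names of devices whose string is missing, malformed or too old."""
    return [name for name, value in inventory if not is_updated(value or "")]


# Constructed inventory (hypothetical device names; only the first version
# string comes from the thread, the rest are made up for illustration).
SAMPLE = [
    ("ws-001", "Scan Engine:4.5.2.234-ave.8.3.44.42:avpack.8.4.2.58:vdf:8.14.1.190"),
    ("ws-002", "4.5.2.234-ave.8.3.44.42:avpack.8.4.2.58:vdf:8.14.1.90"),
    ("ws-003", "4.5.2.234-ave.8.3.44.42:avpack.8.4.2.58:vdf:8.14.2.4"),
    ("ws-004", ""),  # sensor has not reported a scanner version
]

if __name__ == "__main__":
    for name in outdated_devices(SAMPLE):
        print("needs signature update:", name)
```

A device with no reported value is treated as outdated, so sensors that were offline during the push show up in the same list as those still on the old definitions.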

Article Information
Creation Date: 04-20-2017