
Rolling Out the July 17 Release of Cb Defense

This week we’re happy to announce the rollout of the July ‘17 update of Cb Defense.

Following the May ‘17 release, we heard a tremendous amount of positive feedback on the new user interface and Attack Visualization within Cb Defense. In the July release, we have enhanced the user experience for the capabilities introduced in May, continued to evolve the prevention capabilities of Cb Defense, and made it easier for new users of Cb Defense to get the most out of the solution.

For all current customers, here are the most significant functional improvements that will be rolling out in the first half of July. For more detailed information about what’s included in this release, you can view the Release Notes or the updated Cb Defense User Guide.

Faster Triage and Remediation

A handful of improvements to the Attack Visualization make it simpler than ever to fully understand each alert, so users can take the proper remediation actions where necessary.

Following the May release, the most common suggestion from users was that the attack visualization should show where each attack was stopped. The attack visualization graph now uses icons to indicate where in the attack kill chain an operation was denied or terminated.

We have made a number of other enhancements to improve the usability of Cb Defense. These improvements help you better understand events within your environment and accelerate triage.

  • Page Header - Information at the very top of the Triage Alert page has been updated to align with the Threat Categories on the dashboard (Non-Malware, Potential Malware, Known Malware and PUPs).
  • Graph Legend - The legend for the attack visualization has been moved to the top of the graph to make it more accessible.
  • Selected Node - On the attack visualization graph, the selected node will now be highlighted to make it easier to see which process you’re viewing information about.
  • Take Action - The Take Action button has also been further emphasized to make it easier to find your best options for responding to an attack.

Improved Non-Malware Prevention

The July release includes a new policy rule for attacks that involve command interpreters, a commonly used tactic in document-based attacks.

For example, an attacker may attempt to launch a command interpreter from a Microsoft Office application as their primary way of controlling the endpoint. Cb Defense now allows these detected events to be used in policies to automatically deny the operation or terminate the process.

Supported command interpreters for this policy rule include:

  • cmd.exe
  • powershell.exe
  • wscript.exe/cscript.exe
  • wmic.exe
  • sh, bash, csh, zsh, tcsh, Python (macOS)
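To make the rule concrete, here is an added example (not Cb Defense code, and not the product's own matching logic) that applies the "document application launches a command interpreter" check to a batch of process-creation events. The interpreter names are the ones listed above; the set of document applications, the event field names and the sample events themselves are assumptions constructed for this example.

```python
"""Added example (not Cb Defense code): model the 'document application spawns a
command interpreter' policy rule as a check over process-creation events.

The interpreter names come from the release post; the set of document
applications, the event field names and the sample events are assumptions
made for this example.
"""

# Interpreters named in the July '17 release post.
WINDOWS_INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "wmic.exe"}
MACOS_SHELLS = {"sh", "bash", "csh", "zsh", "tcsh"}

# Assumed list of document-handling parents to watch (Windows Office binaries and the
# macOS Office bundle executables); the product's own list is not published in the post.
DOCUMENT_APPS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "microsoft word", "microsoft excel", "microsoft powerpoint",
}


def basename(image: str) -> str:
    """Return the lower-cased final path component, tolerating either path separator
    and a quoted image path such as "\"C:\\Windows\\System32\\cmd.exe\"". """
    image = image.strip().strip('"')
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_interpreter(name: str, platform: str) -> bool:
    """True if the process name is one of the interpreters covered by the rule."""
    if platform == "windows":
        return name in WINDOWS_INTERPRETERS
    if platform == "macos":
        # Accept 'python', 'python3', 'python2.7', ... (versioned names are an assumption).
        versioned_python = name.startswith("python") and all(
            c.isdigit() or c == "." for c in name[len("python"):]
        )
        return name in MACOS_SHELLS or versioned_python
    return False


def evaluate(events, action="terminate"):
    """Apply the rule to process-creation events and return one verdict per match.
    `action` is what the policy would do: "deny" (block the launch) or
    "terminate" (kill the process after launch)."""
    assert action in ("deny", "terminate")
    verdicts = []
    for ev in events:
        parent = basename(ev["parent_image"])
        child = basename(ev["image"])
        if parent in DOCUMENT_APPS and is_interpreter(child, ev["platform"]):
            verdicts.append({
                "pid": ev["pid"],
                "rule": "document_app_spawns_interpreter",
                "chain": f"{parent} -> {child}",
                "action": action,
            })
    return verdicts


# Constructed sample events (not real telemetry): two Office-to-interpreter launches on
# Windows, one benign Office child, one interpreter with a non-document parent, and two
# macOS launches from the Word bundle.
SAMPLE_EVENTS = [
    {"platform": "windows", "pid": 4120,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"platform": "windows", "pid": 4133,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe"},  # print-driver helper: benign Office child
    {"platform": "windows", "pid": 5001,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"platform": "windows", "pid": 5100,
     "parent_image": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"',
     "image": r"C:\Windows\System32\wbem\WMIC.exe"},
    {"platform": "macos", "pid": 611,
     "parent_image": "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word",
     "image": "/bin/bash"},
    {"platform": "macos", "pid": 612,
     "parent_image": "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word",
     "image": "/usr/bin/python3"},
]

if __name__ == "__main__":
    for v in evaluate(SAMPLE_EVENTS):
        print(f"pid {v['pid']}: {v['chain']} -> {v['action']}")
```

Run as-is, the script flags pids 4120, 5100, 611 and 612 and leaves the print-driver helper and the Explorer-launched PowerShell alone. The check keys on the image name and the direct parent only, so an interpreter started through an intermediate process, or a renamed copy of the binary, would slip past this script; that is a limitation of the example, not a statement about how the product's sensor enforces the rule.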

Microsoft Windows Security Center Compatibility

Cb Defense now features integration with Windows Security Center and is officially a Microsoft-certified antivirus solution. This integration allows users and administrators to select Cb Defense as the primary virus protection solution in the Security and Maintenance screen on Windows machines. In this release the integration applies to Windows 10; per the replies in the comments below, Windows 7 support was slated for a following release.

At its core, this release focuses on making it easier than ever to respond to events that occur within your environment and improving prevention against modern attacks. We look forward to hearing feedback on this release and continuing to move forward together.


Want to see all of this in action? Check out our July release overview video from last week.

Comments

That's great! What's the date for the roll out and/or will it be staggered?

cstamand - Great question. The release will be a staggered roll-out over the course of the next week and a half.

Thanks! So who do I have to pay to get it first?

I knew I should have set up that personal Bitcoin wallet during the holiday...

If you reach out to your Customer Success Manager they should be able to help answer any specific questions you have about the release (although I can't promise they'll be taking bribes just yet).

You could be rolling in that virtual currency and get that virtual getaway to that virtual vacation beach home you've always wanted! Though, I can only hand out jive points by the hundreds, that should be enough

Thanks Ben!

Hi, this sounds great.

I think I just got hit by the release and I am seeing all wrong data in my dashboard. The information on Bypass is coming out to be wrong and so on.

ssrivastava, sorry to hear you are noticing an issue following the update. Please Create a Case in The Community with the details of what you are observing and our Support Team will help investigate/resolve that. Thank you.

--

Alexey Popov | Technical Support Manager, Cb Defense

Looks good so far. But can you bring back the show all items instead of going page by page? Also, I tried to enable Auto-update sensors and it stated it was not available yet.

I also just got the update. I'm also getting wrong data: the Endpoint total is adding all values together, and I have machines in bypass and these aren't showing up.

Very new threats/alerts items seem to be taking a bit to show within triage and investigate, even though they are showing up in alerts.

Auto-update functionality has been disabled at this time (per the release notes); you can instead manually deploy via the console to up to 100 endpoints.

pvolante, the auto-update option requires additional optimization and has been temporarily disabled (see the note in Cb Defense: How to Enable Automatic Sensor Updates). As for the "show all" option, could you please clarify which page of the UI you are referring to? A screenshot might be helpful. Thank you.

--

Alexey Popov | Technical Support Manager, Cb Defense

Also, selected node sticks when going back and triaging another alert.

Instead of the Jump to Page (Screenshot), I would prefer to have the option of a drop-down to either show 25, 50, or all items, where I can just scroll to view all events or items... Hope this makes sense...

Preventions and Detections category images are not showing up properly on the dashboard. Nodes are getting stuck on the triage page, meaning if I view an event in triage and then change to another event, the previous node I viewed remains in the selected node box. Triage tree doesn't show up on many events. It's hit or miss. Clicking the Investigate button on the triage page brings you to the Investigate page, but nothing populates in some cases. This too is hit or miss.

and there is no longer a total number of machines at the bottom...

Folks, Just so I'm clear, Is there any action on the Windows Administrators part to have the OS recognize CB Defense as a verified AV provider? (I lurked, couldn't find any mention on other threads.)

Today, the IT & Security Team has determined that it's still not being recognized. Now as I mentioned on another thread, I assume this is coming with time, and it's a Microsoft Tuesday patch away. However, I'd like to know if there's any action we need to take on our part to 'nudge' this AV recognition along at the endpoint level.

Thanks,

-Todd

Edit: I'm talking about Win10

I believe there's a setting in each policy

pvz

Correct. Screenshot:

[Screenshot: Screen Shot 2017-07-11 at 10.58.21.jpg]

I see - Thanks for that link, it really helps clarify. I see that my org hasn't received the upgrade just yet, so I guess I'll have to contact support to get this pushed. Thanks, Patrick.

Hi Todd,

You don't have to contact support as the cloud backends are being updated and you will see this as an option when the cloud backend you are on has received the update.

Kirk

It does not seem that Windows 7 views Cb Defense as an antivirus product. Am I missing something, or is this an accurate statement? If I am correct, are you working on this?

Hi rortiz,

Currently, the upgrade you are looking for only applies for Windows 10 on this release. Next month though Windows 7 should be added. It did not make it in this release but it will be coming.

Kirk

Same topic also discussed here: https://community.carbonblack.com/docs/DOC-5827#comment-9328

--

Alexey Popov | Technical Support Manager, Cb Defense

Article Information
Creation Date: 07-06-2017