Browse your product documentation including release notes and installers
* Note: This is an illustrative screen shot, the version numbers might not reflect latest versions on production environment.
In a few days, Carbon Black will be providing an update to the local scanner deployed to Microsoft Windows Operating Systems that will apply a new technology, that will reduce the size of the signature database by more than 70% percent (without losing any coverage of malicious threats)! This update will result in a reduction of the local file size on the disk (as well as memory usage) and will improve overall scan performance.
This update will first come in the form of a standalone installer so that the rollout can be managed according as your organization sees fit. After the standalone installer is provided, all sensors will undergo an automatic update within a week or two. The exact dates will be provided in a couple of days.
Carbon Black expects this update to be 62 MB in size, and to have a minimal impact.
Although we do not anticipate this update to cause any impact during upgrade, customers with large deployments or reduced network bandwidth may experience temporary network congestion when pulling this update from the cloud.
If there is concern about the amount of traffic that this update will generate on your network, Carbon Black recommends the Manual instructions outlined below:
In order to achieve this performance improvement, please follow the below steps for Automated and Manual download:
Standalone Installer: Installer
Do you have any version number or release date information of this AV signature pack?
I still see '20171201' version of signature pack on Prod02 and Prod05 servers, and want to make sure I get the correct version applied.
Also, is there a way check if the intended version of signature pack is applied?
I know that Cb Defense: Verify the Latest Local Scanner Signature Version article can be used for vdf version checks, but is that the correct indicator to check for?
We do not have an official version or specific release date for all Production environments at this time. I will be sure to update this post when that information becomes available.
The version number will likely be '20180710' but that is not official yet.
Thanks for the post.
Are there any known issues that this is intended to resolve? Sluggish behavior, etc.? You mention an "improvement in scan performance". Can you elaborate on that one...how does it improve scan performance?
Also, is this update intended to resolve the issue with the 188.8.131.52 version of the CbD sensor not updating the VRF file as described in the article below?
We have "Allow Signature Updates" disabled, so this will not affect us, correct?
Why would you disable signature updates? Just curious...
cbd2020 this update is not intended to resolve that issue, however, we are working on a patch to the 3.2 sensor that should resolve it before this date.
I apologize for the inconvenience.
Because we rolled the agent out in as low impactful way as possible, as we are still explaining ourselves (5 years later) why Cb Protection is so hard on machines. It's not a permanent setting, but we are still in the POC phase, and haven't gotten past the deployment part yet.
Why not bundle this update with the 3.2 fix that your working on, that way, we don't have to go through two different updates.
Is this still on track for a tomorrow release? We have to disable signature updates and then deploy through our software release process (SCCM). Would like to have updates disabled for as short a time as is possible. Any updates?
The team is working on the standalone installer now. We hope to provide it within the next couple of days. The automatic rollout is currently scheduled to done about a week or two after the standalone installer is provided. I'll provide additional updates in the coming days regarding timelines.
Question - how much will the CbD sensor download each day with regard to signature updates after this update is released versus what we see today?
I ask because if it's minimal, I may opt to simplify our deployment by pointing all my sensors to the cloud...
You could get rough estimate of the download size by looking at the output from the following command, which to be run from command prompt:
find "size" "C:\Program Files\Confer\scanner\upd.log"
You couldn't have chosen a more ominous date?
Installed - no issues thus far
I have tried the manual update of signature pack available from AV-Sig-Pack-Update-20180711 , and the update seemed to apply correctly.
But right after the update, the vdf files seems to have been rolled back to old version.
Here snippet from related log files:
07:51:15 Versions: Api 184.108.40.2064, ave.220.127.116.11:avpack.18.104.22.168:vdf.22.214.171.124:apc.126.96.36.199
09:17:53 Versions: Api 188.8.131.524, ave.184.108.40.206:avpack.220.127.116.11:vdf.18.104.22.168:apc.22.214.171.124
09:31:00 Versions: Api 126.96.36.1994, ave.188.8.131.52:avpack.184.108.40.206:vdf.220.127.116.11:apc.18.104.22.168
09:29:27 Callback: C:\Program Files\Confer\scanner\Data_0\aevdf.dat 22.214.171.124 != 126.96.36.199 -> File will be rolled back
09:29:27 Callback: C:\Program Files\Confer\scanner\Data_0\xbv00000.vdf 188.8.131.52 != 184.108.40.206 -> File will be rolled back
09:29:27 Callback: C:\Program Files\Confer\scanner\Data_0\xbv00001.vdf 220.127.116.11 != 18.104.22.168 -> File will be rolled back
09:29:29 Callback: C:\Program Files\Confer\scanner\Data_0\xbv00255.vdf 22.214.171.124 != 126.96.36.199 -> File will be rolled back
Should I have waited until the official release date of July 13th ?
@haro Did you re-enable auto updates after manual update?
Oh , I didn't realize I had to turn the auto-updates off.
Sorry for the noise.
No problem at all! I always welcome the feedback.
As always, thanks for your help!
lol...thanks for the update. I did just notice a portal notification that referenced 7/13 for the update so you may want to edit that to reflect 7/16.
Should we be concerned with unexpected reboots of servers? I know the document states there will be no impact, but...
Carbon Black what is the back out plan?
In order to control the update, you can disable the auto-update setting on sensors, then follow the steps for manual install on a group of sensors to test it out as noted above, and continue your staggered roll out.
Has anyone experienced issues with the local scanning engine update? I only received one report of a non-responsive endpoint but I suspect it was unrelated.
Question for CB - when we generate a report of our sensors in CSV format from the portal, what do we look at to see if it's running the new engine?
I see this but am not sure what current engine should be.
In my talks with the CB personnel that have been working on a few cases with me - VDF: anything 8.15+ indicate new scanning engine update has been picked up.
Looks like this does not run silent, is there a switch that can be used to run silently so end users are not inconvenienced?
From Cb Defense: Best Practices for Deploying Local Scanner , you should be able to use the following.