CB Defense: Are Background Scans Mandatory for High Availability Servers?

Environment

  • CB Defense Sensor: 2.0.x.x and Higher
  • High availability servers, such as file servers, domain controllers, Exchange servers
  • Policy: Background Scan enabled (Expedited or Standard)

Question

Are background scans mandatory for high availability servers?

Answer

  • No, CB Defense does not depend or rely on background scans in order to protect servers and workstations.
  • High availability servers are protected by CB Defense, regardless of whether the background scan finishes or even if it ever executes.
  • Background scan is designed to improve performance on pre-existing files that will be executing on the system, but protection is not dependent upon this functionality. Rather, CB Defense leverages advanced behavioral analytics and event stream prevention in order to keep machines protected.

Additional Notes

  • Although Standard Background Scans should not affect performance, as they scan 20 files/minute at most, Expedited Background Scans will increase the use of endpoint resources and may affect machine performance
    • Expedited scan runs 100 files per minute and ignores device CPU
      • Limits on CPU usage are ignored in favor of speed
    • Standard scan runs 20 files per minute maximum, and backs off when CPU indicates the device is busy
      • Total System CPU must be below 50% and the CB Defense process must be using less than 15% of CPU for Background Scan to run
      • CPU Usage is reevaluated every second
  • It is at the system administrator's discretion to evaluate and test these settings, balancing security versus availability in order to determine the optimal configuration
  • A Standard Background Scan would take about 34 days to scan 1,000,000 files, whereas the duration of an Expedited Scan depends entirely on the machine's resources but is intended to run at 5x the speed, roughly 7 days depending on system resources
  • The purpose of Background Scan is to detect and block first-time execution for pre-existing malware files. While this helps, this is not a key tenet in CB Defense because pre-existing files already had the opportunity to run before sensor installation and any damage has already been done. Therefore, to avoid the impact of the 'Delay execute for Cloud Scan' Policy Setting, Sensors use pre-existing reputations as a condition to skip stalling those processes.
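
When testing these settings on a busy server, it helps to project how far the Standard scan's CPU back-off stretches the quoted durations. The sketch below is an added example, not Carbon Black code: it models only the rates and thresholds quoted above, and the names (`CpuSample`, `days_to_scan`), the sample trace, and the assumption that a Standard scan advances at its maximum rate during every eligible second are all constructed for illustration.

```python
"""Model of the Background Scan pacing figures quoted in this article (not sensor code)."""
from dataclasses import dataclass

STANDARD_FILES_PER_MIN = 20    # article: Standard scan maximum
EXPEDITED_FILES_PER_MIN = 100  # article: Expedited scan rate, CPU limits ignored
MAX_SYSTEM_CPU = 50.0          # article: total system CPU must be below 50%
MAX_SENSOR_CPU = 15.0          # article: sensor process must be below 15%


@dataclass
class CpuSample:
    """One per-second reading (the article says CPU usage is re-evaluated every second)."""
    system_pct: float
    sensor_pct: float


def standard_gate_open(sample):
    """True when both CPU conditions for a Standard scan are met."""
    return sample.system_pct < MAX_SYSTEM_CPU and sample.sensor_pct < MAX_SENSOR_CPU


def eligible_fraction(samples):
    """Share of sampled seconds in which a Standard scan would be allowed to run."""
    if not samples:
        raise ValueError("need at least one CPU sample")
    return sum(standard_gate_open(s) for s in samples) / len(samples)


def days_to_scan(file_count, mode, samples=None):
    """Projected days to scan file_count files; inf if the Standard gate never opens.

    Assumption (hypothetical model): a Standard scan runs at its maximum rate
    during every eligible second and makes no progress otherwise.
    """
    if mode == "expedited":
        rate = EXPEDITED_FILES_PER_MIN
    elif mode == "standard":
        share = eligible_fraction(samples) if samples is not None else 1.0
        rate = STANDARD_FILES_PER_MIN * share
    else:
        raise ValueError(f"unknown mode: {mode}")
    return float("inf") if rate == 0 else file_count / rate / 60 / 24


# Constructed sample trace: a file server that is eligible 4 of every 10 seconds.
BUSY_SERVER = [CpuSample(72.0, 4.0)] * 5 + [CpuSample(30.0, 18.0)] + [CpuSample(22.0, 3.0)] * 4

if __name__ == "__main__":
    print(f"standard, idle host: {days_to_scan(1_000_000, 'standard'):.1f} days")
    print(f"standard, busy host: {days_to_scan(1_000_000, 'standard', BUSY_SERVER):.1f} days")
    print(f"expedited:           {days_to_scan(1_000_000, 'expedited'):.1f} days")
```

Feeding it per-second CPU readings collected from the server during a representative period gives a rough lower bound on Standard scan duration for that host.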

Article Information

Creation Date: 01-10-2019