CB Defense: How to configure a Local Mirror (Windows)

Environment

  • PSC Console: All Versions
    • CB Defense
  • CB Defense Mirror Server Utility: v3.0
    • Microsoft Windows: All Supported Versions

Objective

Provide steps to configure a Windows mirror server for Signature Updates for the CB Defense Sensor

Resolution

Configure Mirror Server

  1. Ensure traffic to the Signature Update Server URL is allowed through any proxy/firewall without packet inspection (TCP/80 or TCP/443)
    updates2.cdc.carbonblack.io
  2. Download cbdefense_mirror_win_x64_v3.0.zip
  3. Unzip cbdefense_mirror_win_x64_v3.0.zip; the following files will be available
    avupdate.dll
    do_update.bat
    do_update_ssl.bat
    HBEDV.KEY
    msvcr120.dll
    upd.exe
    upd_msg.avr
  4. Create a directory for AV Signature Updates to be served to endpoints, and copy the files above into this path
    Example:
    C:\inetpub\wwwroot\CBD_SignatureUpdates
  5. Open do_update.bat and set 'outdir' to the path above (If it is desired to use SSL, use do_update_ssl.bat)
    Example:
    SET outdir=C:\inetpub\wwwroot\CBD_SignatureUpdates
  6. Configure the Signature Mirror by running the following commands in an elevated command prompt
    C:\>cd C:\inetpub\wwwroot\CBD_SignatureUpdates
    
    C:\inetpub\wwwroot\CBD_SignatureUpdates>do_update.bat
    
    NOTE: Once do_update.bat has been run, the following folders will appear
    32
    64
    ave2
    idx
    x_vdf
    
  7. Launch Task Scheduler
  8. Right-click Task Scheduler Library and select 'Create Task'
    1. Create Task > General tab
      1. Provide a Name and Description as desired
      2. Select 'Run whether user is logged on or not' and 'Run with highest privileges'
    2. Create Task > Triggers tab
      1. Add New trigger to run 'Daily' at desired start time
      2. 'Repeat task every: 1 hour' 'for a duration of: Indefinitely'
      3. Check 'Enabled'
      4. Click OK
    3. Create Task > Actions tab
      1. Add New Action > Start a program
      2. Set the Program/script to 'do_update.bat' from step 5 above (either via Browse or paste path manually)
    4. Create Task > Conditions tab
      1. Check
        • 'Start the task only if the computer is on AC power'
        • 'Stop if the computer switches to battery power'
        • 'Wake the computer to run this task'
    5. Create Task > Settings tab
      1. Check
        • 'Allow task to be run on demand'
        • 'Run task as soon as possible after a scheduled start is missed'
        • 'If the task fails, restart every' > 1 minute, 'Attempt to restart up to' > 3 times
        • 'If the running task does not end when requested, force it to stop'
  9. Create IIS Website
    1. Open the IIS Manager
    2. Right-click on sites and select Add Website
    3. On the Site name, type a label to identify that this website is for the AV Signature Update (Keep the DefaultAppPool for the Application Pool field)
      Example:
      CBD_SignatureUpdates
    4. On the Physical Path, type or browse to the directory from step 4 where the AV Signature Update would go
      Example:
      C:\inetpub\wwwroot\CBD_SignatureUpdates
    5. Keep Type = http, IP address = All Unassigned, and Port = 80
    6. In the Host name field, type the name of the machine being used as the mirror
    7. Keep the check on "Start Website immediately"
    8. Click OK
    9. Under Sites on the navigation pane, select the site name from above (step 9.3)
    10. Double-click Directory Browsing and click Enable
  10. Configure new MIME type in IIS
    1. Double click 'MIME Types'
    2. Add a new MIME type for extension of '.idx' with type of 'text/plain'
  11. Reset IIS via admin command prompt by running this command
    iisreset
  12. Test the URL from step 9 by opening a browser and typing http://{host name from step 9.6} (the folders from step 6 should be listed)
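
The script below checks the result of steps 6, 8, 10 and 12 from PowerShell on the mirror server. It is an added example, not part of the original article or vendor tooling; the path is the article's example, while the default URL (http://<computer name>/), the 24-hour staleness threshold and the parameter names are assumptions.

```powershell
# Added example, not vendor code. Run on the mirror server after steps 1-12.
# Assumptions: the article's example path; the site answers on http://<computer name>/;
# $MaxAgeHours = 24 is an arbitrary staleness threshold, tune it to your environment.
param(
    [string]$OutDir    = 'C:\inetpub\wwwroot\CBD_SignatureUpdates',
    [string]$MirrorUrl = "http://$env:COMPUTERNAME/",
    [int]$MaxAgeHours  = 24
)
$problems = @()
$folders  = '32', '64', 'ave2', 'idx', 'x_vdf'   # created by do_update.bat (step 6)

# Step 6: the update run must have populated the mirror directory.
foreach ($f in $folders) {
    if (-not (Test-Path (Join-Path $OutDir $f) -PathType Container)) { $problems += "Missing folder: $f" }
}

# Step 8: a stale mirror means the scheduled task is not pulling updates.
$newest = Get-ChildItem $OutDir -Recurse -File -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $newest) {
    $problems += "No files under $OutDir"
} elseif ($newest.LastWriteTime -lt (Get-Date).AddHours(-$MaxAgeHours)) {
    $problems += "Newest file written $($newest.LastWriteTime); check the scheduled task"
}

# Step 12: the site must answer and list the folders (directory browsing enabled).
try {
    $page = Invoke-WebRequest -Uri $MirrorUrl -UseBasicParsing
    foreach ($f in $folders) {
        if ($page.Content -notmatch [regex]::Escape(">$f</A>")) { $problems += "Not listed over HTTP: $f" }
    }
} catch { $problems += "Request to $MirrorUrl failed: $($_.Exception.Message)" }

# Step 10: an .idx file must be served as text/plain; without the MIME type IIS refuses it.
$idx = Get-ChildItem $OutDir -Recurse -File -Filter *.idx -ErrorAction SilentlyContinue | Select-Object -First 1
if ($idx) {
    $rel = $idx.FullName.Substring($OutDir.Length).TrimStart('\').Replace('\', '/')
    try {
        $r = Invoke-WebRequest -Uri ($MirrorUrl.TrimEnd('/') + '/' + $rel) -UseBasicParsing
        if ("$($r.Headers['Content-Type'])" -notlike 'text/plain*') { $problems += ".idx served as $($r.Headers['Content-Type'])" }
    } catch { $problems += "Could not fetch $rel : $($_.Exception.Message)" }
} else { $problems += "No .idx file found under $OutDir" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "Mirror OK: $MirrorUrl"
```

A non-zero exit code makes the script usable from a monitoring job, so a mirror that has stopped updating is noticed before endpoints fall behind on signatures.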

Update Policy

  1. Log into PSC Console
  2. Go to Enforce > Policies
  3. Click on the desired Policy's name
  4. Click on the Local Scan tab
  5. Ensure 'Allow Signature Updates' is set to Enabled
  6. Add the URL for the Local Mirror Server to the 'Update Servers' settings for Internal and Offsite devices as desired
  7. Check the box to the right of the desired URL to set it as the Master
  8. Remove any URLs which are not desired

Additional Notes

  • Recommended schedule for pulling down updates is hourly
  • Recommended hardware for the Local Mirror server, in order to service 10k endpoints: 2 GHz CPU and 4 GB of RAM

Article Information

Creation Date: 09-07-2020