
Endpoint Standard: How to configure a Local Mirror (Windows)

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard
  • Carbon Black Cloud Mirror Server Utility: v3.0
    • Microsoft Windows: All Supported Versions

Objective

Provide high-level steps to configure a Windows mirror server that serves Signature Updates to the Endpoint Standard Sensor

Resolution

Configure Mirror Server

  1. Ensure traffic to the Signature Update Server URL is allowed through any proxy/firewall without packet inspection (TCP/80 or TCP/443)
    updates2.cdc.carbonblack.io
  2. Go to the following directory on a system with a sensor installed:
    C:\Program Files\Confer\scanner
  3. Zip the following files and copy them to your Mirror Server
    avupdate.dll
    HBEDV.KEY
    msvcr120.dll
    scew.dll
    upd.exe
    upd_msg.avr
  4. Download cbdefense_mirror_win_x64_v3.0.zip
  5. Unzip the cbdefense_mirror_win_x64_v3.0.zip, the following Sample files will be available
    do_update.bat
    do_update_ssl.bat
  6. Create a directory from which AV Signature Updates will be served to endpoints, and copy the scanner files from step 3 and the sample scripts from step 5 into this path
    Example:
    C:\inetpub\wwwroot\CBD_SignatureUpdates
  7. Open do_update.bat and set 'outdir' to the path above (If it is desired to use SSL, use do_update_ssl.bat)
    Example:
    SET outdir=C:\inetpub\wwwroot\CBD_SignatureUpdates
NOTE: If SSL is being used add "--no-dns-resolve" to the command lines in the do_update_ssl.bat or update_defs_ssl.sh script. See https://community.carbonblack.com/t5/Knowledge-Base/Endpoint-Standard-Mirror-server-will-not-connect... for more details
  8. Configure the Signature Mirror by running the following commands in an elevated command prompt
    C:\>cd C:\inetpub\wwwroot\CBD_SignatureUpdates
    
    C:\inetpub\wwwroot\CBD_SignatureUpdates>do_update.bat
    
    NOTE: Once do_update.bat has been run, the following folders will appear in the directory from step 6
    32
    64
    ave2
    idx
    x_vdf
    
  9. Launch Task Scheduler
  10. Right-click Task Scheduler Library and select 'Create Task'
    1. Create Task > General tab
      1. Provide a Name and Description as desired
      2. Select 'Run whether user is logged on or not' and 'Run with highest privileges' (prefer a dedicated service account over a personal one; the account only needs write access to the directory from step 6)
    2. Create Task > Triggers tab
      1. Add a New trigger to run 'Daily' at the desired start time
      2. Set 'Repeat task every: 1 hour' and 'for a duration of: Indefinitely'
      3. Check 'Enabled'
      4. Click OK
    3. Create Task > Actions tab
      1. Add New Action > Start a program
      2. Set Program/script to the do_update.bat edited in step 7 (either via Browse or by pasting the path), and set 'Start in (optional)' to the directory from step 6 so the script runs from the same location as in step 8
    4. Create Task > Conditions tab
      1. Check
        • 'Start the task only if the computer is on AC power'
        • 'Stop if the computer switches to battery power'
        • 'Wake the computer to run this task'
    5. Create Task > Settings tab
      1. Check
        • 'Allow task to be run on demand'
        • 'Run task as soon as possible after a scheduled start is missed'
        • 'If the task fails, restart every' > 1 minute, 'Attempt to restart up to' > 3 times
        • 'If the running task does not end when requested, force it to stop'
  11. Create IIS Website
    1. Open the IIS Manager
    2. Right-click on Sites and select Add Website
    3. In Site name, type a label identifying that this website serves the AV Signature Updates (keep DefaultAppPool in the Application Pool field)
      Example:
      CBD_SignatureUpdates
    4. In Physical path, type or browse to the directory from step 6 that holds the AV Signature Updates
      Example:
      C:\inetpub\wwwroot\CBD_SignatureUpdates
    5. Keep Type = http, IP address = All Unassigned, and Port = 80
    6. In the Host name field, type the name of the machine being used as the mirror
    7. Keep 'Start Website immediately' checked
    8. Click OK
    9. Under Sites in the navigation pane, select the site created in step 11.3
    10. Double-click Directory Browsing and click Enable
  12. Configure a new MIME type in IIS
    1. With the site still selected, double-click 'MIME Types'
    2. Add a new MIME type for the extension '.idx' with type 'text/plain'
  13. Reset IIS from an admin command prompt by running
    iisreset
  14. Test the site by opening a browser and going to http://{host name from step 11.6} (you should see the folders from step 8)
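The whole Configure Mirror Server procedure above, as one PowerShell script that can be re-run on the mirror host. This is an added example, not part of the original article and not a Carbon Black tool; the zip download location, the staging directory for the scanner files, the site name, the host name, the task name, the firewall rule name and the start time are assumptions and should be adjusted. It assumes IIS (with directory browsing) is already installed and that the script runs in an elevated PowerShell 5.1 or later session on the mirror server.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article or Carbon Black). All names below are assumptions.
$ErrorActionPreference = 'Stop'

$OutDir       = 'C:\inetpub\wwwroot\CBD_SignatureUpdates'   # directory from step 6
$SiteName     = 'CBD_SignatureUpdates'                       # site name from step 11.3
$HostName     = $env:COMPUTERNAME                            # host header from step 11.6
$MirrorZip    = 'C:\Temp\cbdefense_mirror_win_x64_v3.0.zip'  # assumed download location (step 4)
$ScannerDir   = 'C:\Temp\scanner'                            # assumed: where the step 3 zip was extracted
$ScannerFiles = 'avupdate.dll','HBEDV.KEY','msvcr120.dll','scew.dll','upd.exe','upd_msg.avr'
$TaskName     = 'CBD Signature Mirror Update'                # assumed task name

# Steps 3, 5 and 6: stage the updater files and the sample scripts in outdir.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
foreach ($f in $ScannerFiles) { Copy-Item -Path (Join-Path $ScannerDir $f) -Destination $OutDir }
Expand-Archive -Path $MirrorZip -DestinationPath $OutDir -Force

# Step 7: point do_update.bat at outdir (-replace is case-insensitive in PowerShell).
$bat = Join-Path $OutDir 'do_update.bat'
(Get-Content $bat) -replace '^SET outdir=.*', "SET outdir=$OutDir" | Set-Content $bat

# Step 8: initial pull, run from outdir exactly as in the manual step.
Push-Location $OutDir
& $bat
Pop-Location
$expected = '32','64','ave2','idx','x_vdf'
$missing  = $expected | Where-Object { -not (Test-Path (Join-Path $OutDir $_)) }
if ($missing) { throw "Initial update did not create: $($missing -join ', ')" }

# Steps 9-10: hourly task. A -Once trigger repeating every hour with no duration is
# the CIM equivalent of 'Daily ... repeat every 1 hour ... Indefinitely' in the GUI
# (Server 2012 R2 additionally needs -RepetitionDuration ([TimeSpan]::MaxValue)).
$action   = New-ScheduledTaskAction -Execute $bat -WorkingDirectory $OutDir
$trigger  = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) `
              -RepetitionInterval (New-TimeSpan -Hours 1)
# Defaults already give 'AC power only', 'stop on battery' and 'allow run on demand'.
$settings = New-ScheduledTaskSettingsSet -WakeToRun -StartWhenAvailable `
              -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1)
# SYSTEM runs whether a user is logged on or not without storing a password; a
# dedicated account with write access only to $OutDir is the tighter choice.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
              -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Settings $settings -Principal $principal -Force | Out-Null

# Steps 11-13: HTTP site bound to the host name, directory browsing on, .idx served as text/plain.
Import-Module WebAdministration
if (-not (Get-Website -Name $SiteName -ErrorAction SilentlyContinue)) {
    New-Website -Name $SiteName -PhysicalPath $OutDir -ApplicationPool 'DefaultAppPool' `
        -Port 80 -IPAddress '*' -HostHeader $HostName | Out-Null
}
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter '/system.webServer/directoryBrowse' -Name 'enabled' -Value $true
$mime = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter "/system.webServer/staticContent/mimeMap[@fileExtension='.idx']" -Name 'mimeType'
if (-not $mime) {
    Add-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
        -Filter '/system.webServer/staticContent' -Name '.' `
        -Value @{ fileExtension = '.idx'; mimeType = 'text/plain' }
}
if (-not (Get-NetFirewallRule -DisplayName 'CBD Signature Mirror HTTP' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'CBD Signature Mirror HTTP' -Direction Inbound `
        -Protocol TCP -LocalPort 80 -Action Allow | Out-Null
}
iisreset | Out-Null

# Step 14: the listing reached through the host-header binding must show the update folders.
$page   = Invoke-WebRequest -Uri "http://$HostName/" -UseBasicParsing
$absent = $expected | Where-Object { $page.Content -notmatch [regex]::Escape("/$_/") }
if ($absent) { throw "Mirror listing at http://$HostName/ is missing: $($absent -join ', ')" }
"Mirror ready: add http://$HostName/ under Enforce > Policies > Local Scan > Update Servers"
```

The final check requests the listing with the same host name that endpoints will use, so a typo in the Host name binding or a missing MIME type shows up here rather than as sensors silently failing to update. For the SSL variant, edit and schedule do_update_ssl.bat instead (with --no-dns-resolve as noted above) and add an https binding with a certificate the sensors trust.
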

Update Policy
  1. Log into CBC Console
  2. Go to Enforce > Policies
  3. Click on the desired Policy's name
  4. Click on the Local Scan tab
  5. Ensure 'Allow Signature Updates' is set to Enabled
  6. Add the URL for the Local Mirror Server to the 'Update Servers' settings for Internal and Offsite devices as desired
  7. Check the box to the right of the desired URL to set it as the Preferred Server
  8. Remove any URLs which are not desired

Additional Notes

  • Recommended schedule for pulling down updates is hourly
  • Recommended 2 GHz CPU and 4 GB of RAM for the Local Mirror server in order to service 10k endpoints
  • We support the use of a mirror server's configuration in a policy but do not support the setup or maintenance of the server itself. Use the sample scripts and these high-level instructions to assist with the process, and be sure to follow best practices for securing IIS (as configured above, the mirror exposes a directory listing over plain HTTP unless the SSL script and an HTTPS binding are used).

Article Information
Creation Date: 09-07-2020