Environment
- Carbon Black Cloud Console: All Versions
- Carbon Black Cloud Mirror Server Utility: v3.0
- Microsoft Windows: All Supported Versions
Objective
Provide high-level steps to configure a Windows mirror server for Signature Updates for the Endpoint Standard Sensor.
Resolution
Configure Mirror Server
- Ensure traffic to the Signature Update Server URL is allowed through any proxy/firewall without packet inspection (TCP/80 or TCP/443)
updates2.cdc.carbonblack.io
- Go to the following directory on a system with a sensor installed:
C:\Program Files\Confer\scanner
- Zip the following files and copy them to your Mirror Server
avupdate.dll
HBEDV.KEY
msvcr120.dll
scew.dll
upd.exe
upd_msg.avr
- Download cbdefense_mirror_win_x64_v3.0.zip
- Unzip cbdefense_mirror_win_x64_v3.0.zip; the following sample files will be available:
do_update.bat
do_update_ssl.bat
- Create a directory for AV Signature Updates to be served to endpoints, and copy the files above into this path
Example:
C:\inetpub\wwwroot\CBD_SignatureUpdates
- Open do_update.bat and set 'outdir' to the path above (to use SSL, use do_update_ssl.bat instead)
Example:
SET outdir=C:\inetpub\wwwroot\CBD_SignatureUpdates
- Configure the Signature Mirror by running the following commands in an elevated command prompt
C:\>cd C:\inetpub\wwwroot\CBD_SignatureUpdates
C:\inetpub\wwwroot\CBD_SignatureUpdates>do_update.bat
NOTE: Once do_update.bat has been run, the following folders will appear
32
64
ave2
idx
x_vdf
- Launch Task Scheduler
- Right-click Task Scheduler Library and select 'Create Task'
- Create Task > General tab
- Provide a Name and Description as desired
- Select 'Run whether user is logged on or not' and 'Run with highest privileges'
- Create Task > Triggers tab
- Add New trigger to run 'Daily' at desired start time
- 'Repeat task every: 1 hour' 'for a duration of: Indefinitely'
- Check 'Enabled'
- Click OK
- Create Task > Actions tab
- Add New Action > Start a program
- Set the Program/script to 'do_update.bat' from step 5 above (either via Browse or paste path manually)
- Create Task > Conditions tab
- Check
- 'Start the task only if the computer is on AC power'
- 'Stop if the computer switches to battery power'
- 'Wake the computer to run this task'
- Create Task > Settings tab
- Check
- 'Allow task to be run on demand'
- 'Run task as soon as possible after a scheduled start is missed'
- 'If the task fails, restart every' > 1 minute, 'Attempt to restart up to' > 3 times
- 'If the running task does not end when requested, force it to stop'
- Create IIS Website
- Open the IIS Manager
- Right-click on sites and select Add Website
- In the Site name field, type a label identifying this website as the AV Signature Update site (keep DefaultAppPool in the Application Pool field)
Example:
CBD_SignatureUpdates
- In the Physical path field, type or browse to the directory from step 4 where the AV Signature Updates are stored
Example:
C:\inetpub\wwwroot\CBD_SignatureUpdates
- Keep Type = http, IP address = All Unassigned, and Port = 80
- In the Host name field, type the name of the machine being used as the mirror
- Keep the check on "Start Website immediately"
- Click OK
- Under Sites on the navigation pane, select the site name from above (9.C)
- Double-click Directory Browsing and click Enable
- Configure new MIME type in IIS
- Double-click 'MIME Types'
- Add a new MIME type for extension of '.idx' with type of 'text/plain'
- Reset IIS via admin command prompt by running this command
iisreset
- Test URL from step 9 by opening a browser and typing http://{host name from step 9.C} (should see the folders from step 6)
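The browser test above can be repeated as a scripted check after each scheduled run. The following PowerShell is an added example, not part of the Carbon Black sample scripts; the parameter names, the default host name and the 24-hour staleness threshold are assumptions to adjust for your environment.

```powershell
# Added example: post-setup health check for the signature mirror (run on the mirror server).
param(
    [string]$OutDir      = 'C:\inetpub\wwwroot\CBD_SignatureUpdates',  # absolute 'outdir' from do_update.bat
    [string]$HostName    = $env:COMPUTERNAME,  # assumption: host name bound to the IIS site
    [int]   $MaxAgeHours = 24                  # assumption: tune to how often new signatures arrive
)

$OutDir   = $OutDir.TrimEnd('\')
$problems = @()

# 1. Folders the article says appear after do_update.bat has run.
foreach ($dir in '32', '64', 'ave2', 'idx', 'x_vdf') {
    if (-not (Test-Path -LiteralPath (Join-Path $OutDir $dir) -PathType Container)) {
        $problems += "Missing folder: $dir"
    }
}

# 2. Freshness: a stalled scheduled task leaves endpoints pulling old signatures.
$files  = Get-ChildItem -LiteralPath $OutDir -Recurse -File -ErrorAction SilentlyContinue
$newest = $files | Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $newest) {
    $problems += 'No files found under the mirror directory'
} elseif ($newest.LastWriteTime -lt (Get-Date).AddHours(-$MaxAgeHours)) {
    $problems += "Newest file is dated $($newest.LastWriteTime); the update task may not be running"
}

# 3. HTTP: the directory listing answers and an .idx file is served as text/plain.
#    Without the MIME mapping or Directory Browsing, IIS returns an error status,
#    which Invoke-WebRequest raises as an exception caught below.
try {
    $null = Invoke-WebRequest -Uri "http://$HostName/" -UseBasicParsing
    $idx  = $files | Where-Object { $_.Extension -eq '.idx' } | Select-Object -First 1
    if ($idx) {
        $rel  = $idx.FullName.Substring($OutDir.Length).Replace('\', '/')
        $resp = Invoke-WebRequest -Uri "http://$HostName$rel" -UseBasicParsing
        $type = "$($resp.Headers['Content-Type'])"
        if ($type -notlike 'text/plain*') {
            $problems += "Unexpected Content-Type for ${rel}: $type"
        }
    } else {
        $problems += 'No .idx file found to test the MIME mapping'
    }
} catch {
    $problems += "HTTP check failed: $($_.Exception.Message)"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'Mirror checks passed'
```

A non-zero exit code lets the check be added as a second scheduled task or wired into existing monitoring.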
Update Policy
- Log into CBC Console
- Go to Enforce > Policies
- Click on the desired Policy's name
- Click on the Local Scan tab
- Ensure 'Allow Signature Updates' is set to Enabled
- Add the URL for the Local Mirror Server to the 'Update Servers' settings for Internal and Offsite devices as desired
- Check the box to the right of the desired URL to set it as the Preferred Server
- Remove any URLs which are not desired
Additional Notes
- Recommended schedule for pulling down updates is hourly
- Recommended 2 GHz CPU and 4 GB of RAM for Local Mirror server, in order to service 10k endpoints
- We support the use of a mirror server's configuration in a policy but do not support the setup or maintenance of the server itself. Please use the sample scripts and high-level instructions to assist with the process, but be sure to follow the best practices for securing IIS.