Knowledge Base

Yes

Environment

Is access to content.carbonblack.io required?

Yes

In the Sensor versions called out above, Enterprise EDR, AMSI Prevention, Unified Binary Store, Device Protection, Host Based Firewall, and XDR must be able to access content.carbonblack.io in order to function correctly
More functions of the sensor (both new and pre-existing) are expected to rely on content.carbonblack.io in future sensor updates

Although TCP requires bi-directional/full duplex communications, only outbound traffic to content.carbonblack.io is required from the sensor’s perspective (the sensor initiates the TCP handshake), as the perimeter stateful firewall should perform NAT and route traffic accordingly
The Unified Binary Store (UBS) is a centralized service that is part of the Carbon Black Cloud
- UBS is responsible for storing all binaries and corresponding metadata (e.g. Signed, Product, CA and Publisher) for those binaries
- UBS is included with Enterprise EDR
Microsoft Anti-Malware Scan Interface (AMSI) prevention and visibility extends default prevention capabilities for script-based Windows attacks by dynamically leveraging AMSI metadata to define and configure prevention logic
AMSI prevention rules are being crafted by VMware Carbon Black’s Threat Analysis Unit to include frequently used off-the-shelf attacker frameworks that are regularly seen in script-based attacks
AMSI prevention is packaged in with Endpoint Standard, but it is only supported on Windows 10 and greater and requires sensor version 3.6 and above
The content above and future functionality is made available via content manifests from content.carbonblack.io