Environment
- Carbon Black Cloud Console: All Versions
- Endpoint Standard (was CB Defense)
- Enterprise EDR (was CB ThreatHunter)
- Audit and Remediation (was CB LiveOps)
- Managed Detection (was CB ThreatSight)
- Carbon Black Cloud Windows Sensor: 3.6 and Higher
- Microsoft Windows: All Supported Versions
Question
Is access to content.carbonblack.io required?
Answer
Yes
- In sensor version 3.6 and above, Enterprise EDR, AMSI Prevention, and Unified Binary Store must be able to access content.carbonblack.io in order to function correctly
- More functions of the sensor (both new and pre-existing) are expected to rely on content.carbonblack.io in future sensor updates
Additional Notes
- Although TCP is a bi-directional (full-duplex) protocol, only an outbound rule to content.carbonblack.io is needed from the sensor's perspective: the sensor initiates the TCP handshake, and a stateful perimeter firewall should track that connection, perform NAT, and route the return traffic accordingly
- The Unified Binary Store (UBS) is a centralized service that is part of the Carbon Black Cloud
- UBS is responsible for storing all binaries and corresponding metadata (e.g. Signed, Product, CA and Publisher) for those binaries
- UBS is included with Enterprise EDR
- Microsoft Anti-Malware Scan Interface (AMSI) prevention and visibility extend the sensor's default prevention capabilities against script-based Windows attacks by dynamically using AMSI metadata to define and configure prevention logic
- AMSI prevention rules are crafted by VMware Carbon Black's Threat Analysis Unit to cover the frequently used off-the-shelf attacker frameworks that are regularly seen in script-based attacks
- AMSI prevention is packaged with Endpoint Standard, but it is only supported on Windows 10 and later and requires sensor version 3.6 and above
- The content above, and future functionality, is made available via content manifests from content.carbonblack.io
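The following is an added example (not from this article or from Carbon Black) that checks from a Windows sensor host whether the outbound path described above actually works: name resolution, the sensor-initiated TCP handshake, and a clean TLS handshake with content.carbonblack.io. It assumes HTTPS on TCP 443 and a direct (non-proxied) egress path; the article names the host but not the port.

```powershell
# Added example, not part of the KB article. Assumptions: TCP 443 and no explicit proxy.
$TargetHost = 'content.carbonblack.io'
$TargetPort = 443

function Test-ContentEndpoint {
    param([string]$HostName = $TargetHost, [int]$Port = $TargetPort)

    $result = [ordered]@{ Host = $HostName; Dns = $false; Tcp = $false; Tls = $false; Detail = '' }

    # 1. DNS: a blocked or misconfigured resolver looks like a firewall problem
    #    if it is not ruled out first.
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($HostName)
        $result.Dns = $true
        $result.Detail = "resolved to $($addresses -join ', ')"
    } catch {
        $result.Detail = "DNS failure: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # 2. TCP: only the sensor's outbound SYN must be permitted; the reply packets
    #    match the stateful firewall's existing connection entry.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $result.Tcp = $true
    } catch {
        $result.Detail = "TCP connect to port $Port failed: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # 3. TLS: a successful handshake shows no inspecting device is terminating the
    #    session with a certificate the host does not trust.
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $result.Tls = $true
        $result.Detail = "TLS $($ssl.SslProtocol), server certificate subject: $($ssl.RemoteCertificate.Subject)"
        $ssl.Dispose()
    } catch {
        $result.Detail = "TLS handshake failed: $($_.Exception.Message)"
    } finally {
        $client.Dispose()
    }
    [pscustomobject]$result
}

Test-ContentEndpoint | Format-List
```

Run it in the same network context as the sensor (as SYSTEM, for example via a scheduled task) so that per-user proxy settings do not mask a sensor-level failure.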