Carbon Black Cloud: Is access to content.carbonblack.io required?

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard
    • Enterprise EDR
    • Audit and Remediation
    • Managed Detection/Managed Detection & Response
    • Prevention
    • Workload Protection
    • Device Protection
    • Host Based Firewall
    • XDR
  • Carbon Black Cloud Sensor (Linux): v2.12.x.x and Higher
  • Carbon Black Cloud Sensor (macOS): v3.5.3.x and Higher
  • Carbon Black Cloud Sensor (Windows): v3.6.0.x and Higher
  • Apple macOS: All Supported Versions
  • Linux: All Supported Versions
  • Microsoft Windows: All Supported Versions

Question

Is access to content.carbonblack.io required?

Answer

Yes
  • In the Sensor versions called out above, Enterprise EDR, AMSI Prevention, Unified Binary Store, Device Protection, Host Based Firewall, and XDR must be able to access content.carbonblack.io in order to function correctly
  • More functions of the sensor (both new and pre-existing) are expected to rely on content.carbonblack.io in future sensor updates

Additional Notes

  • Only outbound traffic to content.carbonblack.io is required from the sensor’s perspective. TCP is bi-directional/full duplex, but the sensor initiates the TCP handshake, and the perimeter stateful firewall should perform NAT and route the return traffic accordingly
  • The Unified Binary Store (UBS) is a centralized service that is part of the Carbon Black Cloud
    • UBS is responsible for storing all binaries and corresponding metadata (e.g. Signed, Product, CA and Publisher) for those binaries
    • UBS is included with Enterprise EDR
  • Microsoft Anti-Malware Scan Interface (AMSI) prevention and visibility extends default prevention capabilities for script-based Windows attacks by dynamically leveraging AMSI metadata to define and configure prevention logic
  • AMSI prevention rules are being crafted by VMware Carbon Black’s Threat Analysis Unit to include frequently used off-the-shelf attacker frameworks that are regularly seen in script-based attacks
  • AMSI prevention is packaged in with Endpoint Standard, but it is only supported on Windows 10 and greater and requires sensor version 3.6 and above
  • The content above and future functionality are made available via content manifests from content.carbonblack.io
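
A pre-deployment check for the outbound-only requirement described in the notes above, as an added example that is not part of the original article or of any VMware Carbon Black tooling. It assumes TCP port 443 and a 5-second timeout, neither of which the article states, and `check_outbound` is a hypothetical helper name.

```python
import socket

# Assumptions (not stated in the article): TCP port 443, 5-second timeout.
CONTENT_HOST = "content.carbonblack.io"
ASSUMED_PORT = 443


def check_outbound(host=CONTENT_HOST, port=ASSUMED_PORT, timeout=5.0):
    """Attempt a sensor-style outbound TCP connection and classify the result.

    Returns (status, detail) where status is one of:
      "reachable"   - handshake completed, so return traffic was allowed back
      "dns_failure" - name did not resolve (DNS filtering or no resolver)
      "refused"     - a reset came back (host or firewall actively rejected)
      "timeout"     - no reply (typical of a firewall silently dropping egress)
      "error"       - any other socket error
    """
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns_failure", str(exc)

    last = ("error", "no addresses returned")
    # Try every resolved address; the first completed handshake is enough.
    for family, socktype, proto, _canon, sockaddr in addrs:
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            return "reachable", "%s port %d" % (sockaddr[0], sockaddr[1])
        except socket.timeout as exc:
            last = ("timeout", str(exc))
        except ConnectionRefusedError as exc:
            last = ("refused", str(exc))
        except OSError as exc:
            last = ("error", str(exc))
        finally:
            sock.close()
    return last


if __name__ == "__main__":
    status, detail = check_outbound()
    print("%s:%d -> %s (%s)" % (CONTENT_HOST, ASSUMED_PORT, status, detail))
```

A "reachable" result confirms only the TCP handshake from the endpoint; it does not exercise a proxy or the content manifest download itself.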

Article Information
Creation Date: 09-08-2020