Environment

• Cb Defense Sensor: 2.0.1.x and higher (released in Dec, 2016)
• Cb Defense Web Console: All Versions
• Microsoft Windows: All Supported Versions

 

The option described in this article is NOT applicable to Cb Defense Sensor for MacOS or Linux

 

Question

What is the sensor behavior when the policy setting "Delay Execute for Cloud Scan" is enabled or disabled?

 

Question 1

What is the sensor behavior when "Delay Execute for Cloud Scan" is enabled?

 

Answer

In sensor versions 2.0.1.x and later, the sensor will delay execution of any files which are added to the machine after the sensor is installed. This option does not apply to pre-existing files on the machine. However, the sensor will also delay execution of any files on a USB drive, even if those files were there before the sensor was installed.

 

• If a reputation IS returned from the CB Defense Cloud within 15 seconds, the application will then be allowed or disallowed depending on the exact reputation retrieved and the policy settings defined in the CB Defense Dashboard. It usually takes no more than a couple seconds to receive a reputation from the cloud.
• If a reputation IS NOT returned within 15 seconds, the application will be assigned a reputation based on the results returned from the Local Scanner (if enabled). However, if the application has never been seen before by either the Local Scanner or the Cloud, then it will be assigned a reputation of UNKNOWN.

 

This option can be enabled on the CB Defense Dashboard under Policies > [Policy Name]. Check the "Delay Execute for Cloud Scan" setting, and Save this Policy change.

An application will rarely return with an UNKNOWN reputation if "On-Access File Scan Mode" is enabled in the "Local Scan Settings" tab in the Policy.

For a complete list of reputations, please refer to the most recent Cb Defense User Guide​.

 

Question 2

What is the sensor behavior when "Delay Execute for Cloud Scan" is disabled?

 

Answer

When "Delay Execute for Cloud Scan" is disabled, then any new files (files which are added to the machine after the sensor is installed), or any files on a USB drive may be allowed to run for the time being, unless the application is disallowed based on the rules defined in the Policy to which the Sensor belongs. Once a reputation is returned for the application executable, then the sensor will take action to allow or continue blocking the executable depending on the reputation retrieved and the Policy settings defined in the CB Defense Web console.

 

Question 3

Does "Delay Execute for Cloud Scan" apply when Local Scan is inactive?

 

Answer

No. By design the setting will only apply if Local Scan is active on the device. Subsequently, disabling this setting without having Local Scan enabled may result in unexpected delayed execution of new/recently updated applications and OS components. To check whether Local Scan is active on a device, locate the device in question under Settings -> Sensor Management and check if it has Scan Engine version listed (i.e. AV signatures installed).

 

Example of a device which has Local Scan enabled:

 

Example of a device which doesn't have Local Scan enabled:

 

Additional Notes

There is a known issue which prevents executables with defined reputations to run if "Delay Execute for Cloud Scan" is disabled.  Due to a design limitation, the sensor may not receive the updated reputation if "Delay Execute for Cloud Scan" is disabled on the Policy. In this case, the sensor may continue to block whitelisted applications and, in some cases, an increase of Alerts may be observed. At this time, the solution for this issue is to enable "Delay Execute for Cloud Scan". For instructions on how to enable Local Scan and install AV signatures, please see Cb Defense: How To Configure Local AV Scan​, Cb Defense: How to Download the AV Signature Pack and Configure Updates for Local Scan​, Cb Defense: Best Practices for Deploying Local Scanner​ and Cb Defense: How To Set Up A Local Mirror for AV Signature Updates​.

 

Related Content

Cb Defense: Methods to Whitelist Applications

Cb Defense: How to Utilize Certs Whitelist Feature

Cb Defense: How to Utilize Certs Whitelist Feature

Cb Defense: How To Configure Local AV Scan​​

Cb Defense: Best Practices for Deploying Local Scanner

Cb Defense: How to Download the AV Signature Pack and Configure Updates for Local Scan​

Cb Defense: How To Set Up A Local Mirror for AV Signature Updates