msiexec.exe /qn /i CbDefense-setup.msi /L*vx log.txt <CbDefense_msi_command_options>
msiexec /qn /i C:\Users\UserFolderName\Desktop\installer_vista_win7_win8-64.msi /L*vx log.txt COMPANY_CODE=12345678
msiexec /qn /i C:\Users\UserFolderName\Desktop\installer_vista_win7_win8-64.msi /L*vx log.txt COMPANY_CODE=12345678 GROUP_NAME=Phase1
msiexec /qn /i "C:\Users\UserFolderName\Desktop\installer_vista_win7_win8-64.msi" /L*vx log.txt COMPANY_CODE=12345678 GROUP_NAME=Phase1 BYPASS=1
|Command Options (case sensitive)||Values||Notes|
|AMSI=value||1/0 or True/False||Default is true (enable AMSI) in Sensor 3.6 and above; turning off this feature will prevent Carbon Black Vmware AMSI DLL, cbamsi.dll, from loading into any instances of AMSI-registered processes (e.g. powershell) and thus sensor will not detect or block any AMSI activity|
Default is 1, which, in sensors 184.108.40.2063 and above, will allow to generate a kernel space memory dump (and user space dump, if kernel debugging is enabled) from a LiveResponse session. For information on enabling kernel debugging please refer to Microsoft's documentation.
Starting with the 220.127.116.110 sensor, the parameter AUTO_CONFIG_MEM_DUMP=0 allows administrators to opt-out of the user/kernel memory dump configuration when disk storage is limited, as the page file will take up the same space as the size of the installed RAM.
If a full memory dump is required, follow the instructions here, please note a reboot will be required.
|AUTO_UPDATE=value||1/0 or True/False||Default is true (enable auto update); turning this off will prevent the update from being pushed from the backend.|
|BACKGROUND_SCAN=value||1/0 or True/False||Default is true.|
|BASE_IMAGE=value||1/0 or True/False||Default is false; the installed image is a base image that can be cloned to child images. This option is not supported for VDI.|
|BYPASS=value||1/0 or True/False||Default is false; setting it to true will enable bypass mode. In bypass mode the sensor does not send any data to the cloud; it functions in a passive manner and does not interfere with or monitor the applications on the endpoint. Install the sensor in bypass mode to test for interoperability issues.|
|CLI_USERS=sid||SID value for authenticated user or group||Use this field to enable the RepCLI tool. Any member in a specified user group can use the authenticated RepCLI commands. This field currently accepts only one SID value.|
|COMPANY_CODE=value||8-character code for 1.x and 2.x sensor version or Longer code for 3.x sensor version
If a special character is included, the Company Code should be enclosed in double-quotes
Required for command line installations. Navigate to Endpoints > Sensor Options > Company Codes to access or create a new Company Code.
|CONNECT_LIMIT=value||Number of connections per hour||Optional; default is no limit.|
|CURL_CRL_CHECK=value||1/0 or True/False||
This options is available in 18.104.22.1685 and higher Sensors only and can be used to disable the CRL check introduced with the 3.3.x.x Sensor. This option is covered in depth here
|DELAY_SIG_DOWNLOAD=value||1/0||Default is delay signature/ definition download. We recommend that you do not change the default value.|
|CBLR_KILL=value||1/0||A value of 1 disables Live Response functionality for the sensor. The default value is 0.|
|FILE_UPLOAD_LIMIT=value||4-byte integer representing number of megabytes||Example: value of 3 is a limit of 3*1024*1024 bytes; default value is 5.|
|GROUP_NAME=value||String value||Optional policy name assignment. Enclose this value with double quotes if the policy name includes spaces. Use this parameter for Windows sensors 3.7 and earlier. For Windows sensors 3.8+, use the POLICY_NAME parameter instead.|
|HIDE_COMMAND_LINES=value||1/0||Obfuscates command line inputs. Default is 0.|
|LAST_ATTEMPT_PROXY_ SERVER=value||Value example: 10.101.100.99:8080||Optional. Sensor will attempt cloud access by using this setting when all other methods fail (including dynamic proxy detection).|
|LEARNING_MODE=value||Value is the number of hours after sensor install to limit event types. This is a mechanism for reducing the load on the backend by dropping some report types after initial install. Generally, more reports are sent to the backend soon after sensor install because the sensor reports on newly detected hashes. Learning mode reports only on file and process behavior while the sensor is detecting hashes. Reporting of API, registry, and network behavior is dropped during this period.||Optional; default is disabled.|
Allows Sensor to be installed without a connection to the backend. Sensor will download policy and register with the backend when a connection is established
|This option is available in 3.5.x.x and higher Sensor only. The command is optional; default is disabled.|
|POLICY_NAME=value||Optional policy name assignment. Enclose this value with double quotes if the policy name includes spaces. Use this parameter for Windows sensors 3.8+. For Windows sensors 3.7 and earlier, use the GROUP_NAME parameter instead.|
|QUEUE_SIZE=value||Event backlog in MB||Optional; default is 100MB; this value does not include SSL overhead.|
|RATE_LIMIT=value||KB per hour||Optional; default is No Limit.|
|VDI=value||1/0 or true/false||Default is false. VDI=1 has been deprecated on Sensor versions 3.3.x.x and higher in favor of RepCLI command options as noted here|
|USER_EMAIL=value||Email address Example: email@example.com||Optional|
Carbon Black Cloud Sensor Support
Carbon Black Cloud: What Ports must be opened on the Firewall and Proxy Servers?
Carbon Black Cloud: How to Locate the Sensor Installation Guide
Carbon Black Cloud: How to Get Started With RepCLI
Endpoint Standard: How to Perform an Unattended Installation of the Mac Sensor
Carbon Black Cloud: How to Install Linux Sensor Manually