msiexec.exe /qn /i CbDefense-setup.msi /L*vx log.txt <CbDefense_msi_command_options>
EXAMPLES
msiexec /qn /i C:\Users\UserFolderName\Desktop\installer_vista_win7_win8-64.msi /L*vx log.txt COMPANY_CODE=12345678
msiexec /qn /i C:\Users\UserFolderName\Desktop\installer_vista_win7_win8-64.msi /L*vx log.txt COMPANY_CODE=12345678 POLICY_NAME=Phase1
msiexec /qn /i "C:\Users\UserFolderName\Desktop\installer_vista_win7_win8-64.msi" /L*vx log.txt COMPANY_CODE=12345678 POLICY_NAME=Phase1 BYPASS=1
Command Options (case sensitive) | Values | Notes |
---|---|---|
AMSI=value | 1/0 or True/False | Default is true (AMSI enabled) in Sensor 3.6 and above. Turning this feature off prevents the Carbon Black VMware AMSI DLL, cbamsi.dll, from loading into any instance of an AMSI-registered process (e.g. PowerShell), so the sensor will not detect or block any AMSI activity. |
AUTO_CONFIG_MEM_DUMP=value | 1/0 | Default is 1, which, in sensors 3.5.0.1523 and above, allows a kernel-space memory dump (and a user-space dump, if kernel debugging is enabled) to be generated from a Live Response session. For information on enabling kernel debugging, refer to Microsoft's documentation. Starting with the 3.5.0.1680 sensor, AUTO_CONFIG_MEM_DUMP=0 lets administrators opt out of the user/kernel memory dump configuration when disk storage is limited, because the page file takes up the same space as the size of the installed RAM. If a full memory dump is required, follow the instructions here; note that a reboot will be required. |
AUTO_UPDATE=value | 1/0 or True/False | Default is true (enable auto update); turning this off will prevent the update from being pushed from the backend. |
BACKGROUND_SCAN=value | 1/0 or True/False | Default is true. |
BASE_IMAGE=value | 1/0 or True/False | Default is false; the installed image is a base image that can be cloned to child images. This option is not supported for VDI. |
BYPASS=value | 1/0 or True/False | Default is false; setting it to true will enable bypass mode. In bypass mode the sensor does not send any data to the cloud; it functions in a passive manner and does not interfere with or monitor the applications on the endpoint. Install the sensor in bypass mode to test for interoperability issues. |
CLI_USERS=sid | SID value for authenticated user or group | Use this field to enable the RepCLI tool. Any member in a specified user group can use the authenticated RepCLI commands. This field currently accepts only one SID value. |
COMPANY_CODE=value | 8-character code for 1.x and 2.x sensor versions, or a longer code for 3.x sensor versions. If a special character is included, the Company Code should be enclosed in double quotes: COMPANY_CODE="<Company#Code>" | Required for command line installations. Navigate to Endpoints > Sensor Options > Company Codes to access or create a new Company Code. |
CURL_CRL_CHECK=value | 1/0 or True/False | This option is available in 3.4.0.925 and higher sensors only and can be used to disable the CRL check introduced with the 3.3.x.x sensor. This option is covered in depth here |
DELAY_SIG_DOWNLOAD=value | 1/0 | Default is to delay signature/definition download. We recommend that you do not change the default value. |
CBLR_KILL=value | 1/0 | A value of 1 disables Live Response functionality for the sensor. The default value is 0. |
FILE_UPLOAD_LIMIT=value | 4-byte integer representing number of megabytes | Example: value of 3 is a limit of 3*1024*1024 bytes; default value is 5. |
GROUP_NAME=value | String value | Optional policy name assignment. Enclose this value with double quotes if the policy name includes spaces. Use this parameter for Windows sensors 3.7 and earlier. For Windows sensors 3.8+, use the POLICY_NAME parameter instead. |
HIDE_COMMAND_LINES=value | 1/0 | Obfuscates command line inputs. Default is 0. |
LAST_ATTEMPT_PROXY_SERVER=value | Value example: 10.101.100.99:8080 | Optional. Sensor will attempt cloud access by using this setting when all other methods fail (including dynamic proxy detection). |
OFFLINE_INSTALL=value | 1/0 | Allows the sensor to be installed without a connection to the backend. The sensor will download policy and register with the backend when a connection is established. This option is available in 3.5.x.x and higher sensors only. The command is optional; default is disabled. |
POLICY_NAME=value | Optional policy name assignment. Enclose this value with double quotes if the policy name includes spaces. Use this parameter for Windows sensors 3.8+. For Windows sensors 3.7 and earlier, use the GROUP_NAME parameter instead. Note: This parameter is case sensitive and should match the case used for the desired Policy in the Console. | |
PROXY_PASSWD=value | Proxy password | Optional |
PROXY_SERVER=value | server:port | Optional |
PROXY_USER=value | Proxy username | Optional |
VDI=value | 1/0 or true/false | Default is false. VDI=1 has been deprecated on Sensor versions 3.3.x.x and higher in favor of RepCLI command options as noted here |
USER_EMAIL=value | Email address Example: user@example.com | Optional |
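
The rules in the table above (case-sensitive option names, the required COMPANY_CODE, double quotes around values with spaces or special characters, and GROUP_NAME versus POLICY_NAME by sensor version) can be enforced before msiexec is called. This is an added example, not Carbon Black code; the function name `New-CbSensorInstallArgs`, its parameters and the sample values are assumptions.

```powershell
function New-CbSensorInstallArgs {
    param(
        [Parameter(Mandatory)] [string]  $MsiPath,
        [Parameter(Mandatory)] [string]  $CompanyCode,   # required for command line installs
        [Parameter(Mandatory)] [version] $SensorVersion, # version of the MSI being deployed
        [string]    $PolicyName,
        [hashtable] $Options = @{},
        [string]    $LogPath = 'log.txt'
    )
    # Option names are case sensitive: accept only the exact names listed in the table.
    $known = 'AMSI','AUTO_CONFIG_MEM_DUMP','AUTO_UPDATE','BACKGROUND_SCAN','BASE_IMAGE',
             'BYPASS','CLI_USERS','CURL_CRL_CHECK','DELAY_SIG_DOWNLOAD','CBLR_KILL',
             'FILE_UPLOAD_LIMIT','HIDE_COMMAND_LINES','LAST_ATTEMPT_PROXY_SERVER',
             'OFFLINE_INSTALL','PROXY_PASSWD','PROXY_SERVER','PROXY_USER','VDI','USER_EMAIL'
    # Wrap a value in double quotes when it contains a space or special character.
    $quote = { param($v) if ("$v" -match '[^A-Za-z0-9_.:@\\-]') { '"{0}"' -f $v } else { "$v" } }

    $pairs = [System.Collections.Generic.List[string]]::new()
    $pairs.Add('COMPANY_CODE=' + (& $quote $CompanyCode))
    if ($PolicyName) {
        # POLICY_NAME for Windows sensors 3.8+, GROUP_NAME for 3.7 and earlier.
        $key = if ($SensorVersion -ge [version]'3.8') { 'POLICY_NAME' } else { 'GROUP_NAME' }
        $pairs.Add("$key=" + (& $quote $PolicyName))
    }
    foreach ($name in ($Options.Keys | Sort-Object)) {
        if ($known -cnotcontains $name) { throw "Unknown or mis-cased option: $name" }
        $pairs.Add("$name=" + (& $quote $Options[$name]))
    }
    '/qn /i "{0}" /L*vx "{1}" {2}' -f $MsiPath, $LogPath, ($pairs -join ' ')
}

# Constructed sample values: a 3.7 sensor gets GROUP_NAME, and the policy name is quoted.
$installArgs = New-CbSensorInstallArgs -MsiPath 'C:\Temp\installer_vista_win7_win8-64.msi' `
    -CompanyCode '12345678' -SensorVersion '3.7.0.1503' -PolicyName 'Phase 1 Pilot' `
    -Options @{ BYPASS = 1; PROXY_SERVER = '10.101.100.99:8080' }
$installArgs
# To run the install: Start-Process msiexec.exe -ArgumentList $installArgs -Wait
```
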
Carbon Black Cloud Sensor Support
Carbon Black Cloud: What Ports must be opened on the Firewall and Proxy Servers?
Carbon Black Cloud: How to Locate the Sensor Installation Guide
Carbon Black Cloud: How to Get Started With RepCLI
Endpoint Standard: How to Perform an Unattended Installation of the Mac Sensor
Carbon Black Cloud: How to Install Linux Sensor Manually