Cb Defense: What is the "Delay Execute for Cloud Scan" policy setting?
Cb Defense Sensor: 2.0.1.x and higher (released in Dec, 2016)
Cb Defense Web Console: All Versions
Microsoft Windows: All Supported Versions
The option described in this article is NOT applicable to the Cb Defense Sensor for macOS or Linux.
What is the sensor behavior when the policy setting "Delay Execute for Cloud Scan" is enabled or disabled?
What is the sensor behavior when "Delay Execute for Cloud Scan" is enabled?
In sensor versions 2.0.1.x and later, the sensor delays execution of any file that is added to the machine after the sensor is installed. This option does not apply to files that already existed on the machine. The exception is USB drives: the sensor also delays execution of any file on a USB drive, even if that file was there before the sensor was installed.
If a reputation IS returned from the Cb Defense Cloud within 15 seconds, the application will then be allowed or disallowed depending on the exact reputation retrieved and the policy settings defined in the Cb Defense Dashboard. It usually takes no more than a couple of seconds to receive a reputation from the cloud.
If a reputation IS NOT returned within 15 seconds, the application will be assigned a reputation based on the results returned from the Local Scanner (if enabled). However, if the application has never been seen before by either the Local Scanner or the Cloud, then it will be assigned a reputation of UNKNOWN.
This option can be enabled in the Cb Defense Dashboard under Policies > [Policy Name]: check the "Delay Execute for Cloud Scan" setting and save the policy change.
An application will rarely return with an UNKNOWN reputation if "On-Access File Scan Mode" is enabled in the "Local Scan Settings" tab in the Policy.
What is the sensor behavior when "Delay Execute for Cloud Scan" is disabled?
When "Delay Execute for Cloud Scan" is disabled, any new files (files added to the machine after the sensor is installed) and any files on a USB drive may be allowed to run for the time being, unless the application is disallowed by the rules defined in the Policy to which the sensor belongs. Once a reputation is returned for the application executable, the sensor takes action to allow or continue blocking the executable, depending on the reputation retrieved and the Policy settings defined in the Cb Defense Web Console.
Does "Delay Execute for Cloud Scan" apply when Local Scan is inactive?
No. By design, the setting only applies if Local Scan is active on the device. Consequently, disabling this setting without having Local Scan enabled may result in unexpected delayed execution of new or recently updated applications and OS components. To check whether Local Scan is active on a device, locate the device under Settings > Sensor Management and check whether it has a Scan Engine version listed (i.e. AV signatures are installed).
Example of a device which has Local Scan enabled:
Example of a device which doesn't have Local Scan enabled: