Environment
- Carbon Black Cloud Console: All Versions
- Endpoint Standard (formerly CB Defense)
- Carbon Black Cloud Sensor: 2.0.1.x and Higher
- Microsoft Windows: All Supported Versions
Objective
Provide steps to enable and disable automatic updates and setting the frequency and randomization of updates for the Signature Files for the Local Scanner
Resolution
- Log into CB Cloud Console
- Go to Enforce > Policies
- Click on desired Policy name
- Click on Local Scan tab
- Under Scanner Config section set On Access File Scan Mode to Enabled or Aggressive
- Under Signature Updates section set Allow Signature Updates (Enabled/Disabled) to turn automatic updates on or off
- Set Frequency (2, 4, 8, 12, 24 hours) to desired amount of time between checks for and downloads of new files
- Set Staggered Update Randomization Window (1, 2, 3, 4, 5, 6, 7, 8 hours) to desired time to avoid all Sensors attempting to download at same time per Policy
- Click Save button to save changes
Additional Notes
- Best Practice is to set Frequency and Staggered Update Randomization Window to 2 hours and 1 hour, respectively, in order to stay as updated as possible
- The steps above only impact one Policy at a time and should be repeated for all desired Policies
- Disabling Signature Updates (Allow Signature Updates > Disabled) will stop Sensors in the designated Policy from pulling down updated signature files, and they will begin to show as out-of-date (red triangle) in the Sig column on the Endpoints page one week after disabling unless or until these updates are re-enabled
- The Frequency and Staggered Update Randomization Window (sometimes called Jitter Window) settings should be considered together, as setting Frequency to 4 hours and Randomization to 4 hours would mean Sensors not getting updated Signature Files should not be of concern until at least 8 hours have elapsed from the previous update check/install
- If network bandwidth consumption is a concern, consider setting up a Local Mirror Server
- An initial, offline Signature Pack is available for download from Endpoints > Sensor Settings > Download sensor kits > AV Signature Pack, this is intended for initial deployment to get the first set of signatures installed with a Sensor and should not be considered a means to keep signatures updated as these packs are updated infrequently
- Automatic Updates should be the primary means of keeping signature files updated
Related Content