
How to Deploy: Carbon Black (CB) Defense Sensor

Carbon Black (CB) Defense is a distributed process monitoring tool for threat detection across enterprise networks. The Carbon Black sensor captures endpoint data to discover suspicious activity that occurs within a network. Once deployed, the CB Defense sensor stays on and continuously collects data that can be categorized and analyzed for suspicious activity.

To deploy the Carbon Black Defense Sensor, the following information applies:


Supporting Operating Systems

The operating systems supported by the CB Defense sensor include all supported Windows operating systems and macOS.


Internet Connection

A functioning internet connection is needed for the deployment, because the sensor must register with the CB Defense servers for the installation to succeed. The sensors can connect to the Defense servers through:

  • A statically configured proxy
  • A direct connection over TCP/443
  • Auto-detection of a proxy

Admin Permissions

Installing a CB Defense sensor manually requires administrator permission on the host.

Other permissions include:

  • A firewall exception that allows outgoing connections to the CB Defense domain over TCP/443.
  • A firewall exception that allows outgoing connections to the CB Defense alternate port.

Activation Code

An activation code is needed during the installation process. The activation code can be found on the enrollment page and it expires after 7 days.


Configuration Management Tools

In some environments you may need an endpoint management tool to assist with installing the Defense sensors. These tools can be Casper for Mac or SCCM for Windows.


Steps to Deploying Carbon Black Defense Sensors

Steps to Performing an Unattended Installation of CB Defense Sensors:

The steps outlined here focus on an unattended installation of the Windows Sensor.

The items to have before beginning the deployment include:

  • A downloaded sensor installation kit – Attention should be paid to the version that corresponds to the Windows operating system that will host the sensor.
  • The company’s registration code

Step 1

Start the process by opening an elevated command prompt and running the msiexec command with the ‘/q’ (quiet) switch, as outlined below:

msiexec.exe /q /i CbDefense-setup.msi /L*vx log.txt <CbDefense_msi_command_options>

The first command, shown below, should be used if a specific policy group has already been created in the console.

msiexec /q /i C:\Users\UserFolderName\Desktop\installer_vista_win7_win8-64.msi /L*vx log.txt COMPANY_CODE=12345678 GROUP_NAME=Phase1

The second command, shown below, should be used if a specific policy group has not been created. It installs the sensor and assigns it to the previously created policy group named in GROUP_NAME, with BYPASS=1 installing the sensor in a bypassed state.

msiexec /q /i "C:\Users\UserFolderName\Desktop\installer_vista_win7_win8-64.msi" /L*vx log.txt COMPANY_CODE=12345678 GROUP_NAME=Phase1 BYPASS=1

Step 2

This launches the installer, and the 6-digit company code will be requested to continue the installation process.

Step 3

If the code is correct, then the installation process will continue until its completion. You can then follow the prompts to complete the task.
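The unattended install from Step 1, wrapped in a script that checks the msiexec result and the verbose log. This is an added example, not code from the original post or from Carbon Black; the installer path, company code, group name and log path are placeholders you supply.

```powershell
# Added example, not part of the original post: wraps the unattended msiexec
# install from Step 1 in a script that checks the result. All paths, the
# company code and the group name below are placeholders you supply.
param(
    [Parameter(Mandatory)][string]$MsiPath,       # e.g. C:\Deploy\installer_vista_win7_win8-64.msi
    [Parameter(Mandatory)][string]$CompanyCode,   # registration code from the console
    [string]$GroupName = 'Phase1',                # policy group that already exists in the console
    [switch]$Bypass,                              # adds BYPASS=1 to install in a bypassed state
    [string]$LogPath = "$env:TEMP\CbDefense-install.log"
)

# msiexec /i of the sensor needs an elevated session; fail early if we are not.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}
if (-not (Test-Path -LiteralPath $MsiPath)) { throw "Installer not found: $MsiPath" }

# Same switches and properties as the page's Step 1 commands.
$msiArgs = @('/q', '/i', "`"$MsiPath`"", '/L*vx', "`"$LogPath`"",
             "COMPANY_CODE=$CompanyCode", "GROUP_NAME=$GroupName")
if ($Bypass) { $msiArgs += 'BYPASS=1' }

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow

# Windows Installer exit codes: 0 = success, 3010 = success but reboot required.
switch ($proc.ExitCode) {
    0    { Write-Host "Sensor installed. Verbose log: $LogPath" }
    3010 { Write-Warning "Sensor installed; a reboot is required. Log: $LogPath" }
    default {
        # The /L*vx log records the MSI status line; surface it for triage.
        $status = Select-String -Path $LogPath -Pattern 'Installation success or error status' |
                  Select-Object -Last 1
        throw "msiexec exited with code $($proc.ExitCode). $($status.Line)"
    }
}
```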


How to Install CB Defense Sensors Using SCCM

The System Center 2012 Configuration Manager (SCCM) is used to deploy Defense sensors across all versions of the Windows operating system. To start the process, the following installation suites or tools will be needed:

  • CB Defense sensor – any version will work
  • Microsoft Windows
  • SCCM

Step 1

  • The first step is adding the CB Defense Sensor Application through the SCCM configuration manager. Open SCCM Configuration Manager.
  • In the Software Library select Overview > Application Management > Applications
  • Right Click on Applications and Select "Create Application"

Step 2

  • On the General Page select "Automatically detect information about this application from installation files"
  • Type: Windows Installer (*.msi file)
  • Location: Accessible share that contains the Sensor msi file
  • Then Select "Next"

Step 3

  • On the Import Information Page there should be a message that says "Application information successfully imported from the Windows Installer"
  • Select "Next"

Step 4

On the General Information Page add the required COMPANY_CODE install parameter and the /L*vx C:\pathname\msi.log parameter to ensure the verbose msi install log is created in your specified location. Any other optional command options specified in CB Defense: How to Perform an Unattended Installation of the Windows Sensor can also be added at this point. Select "Next".

Step 5

  • On the Summary Page select "Next"

Step 6

  • On the Completion Page Select "Close"

Step 7

  • Right Click on the "Cb Defense Sensor Application" you just added and select "Properties"

Step 8

  • Select the "Deployment Type" tab
  • Select the "Deployment Type" you have configured for Cb Defense and select "Edit"

Step 9

  • Select the "Programs" tab. If "Require code to uninstall sensor" is enabled on the Policy and you want the option of uninstalling the sensor using SCCM, change the uninstall command from msiexec /x "installer_vista_win7_win8-xx-x.x.x.xxxx.msi" to %ProgramFiles%\Confer\uninstall.exe /uninstall <Company Deregistration Code>

Step 10

  • Select the "Detection Method" tab
  • Select the "Detection rule" configured
  • Select "Edit Clause"

Step 11

  • Change the "Setting Type" to "File System"

Step 12

  • Set Path to %ProgramFiles%\Confer, File or Folder name to RepUx.exe
  • Select "The file system setting must satisfy the following rule to indicate the presence of this application"
  • Configure MSI Property "Version", Operator "Greater than or equal to", and set Version to the currently installed Cb Defense sensor version.

Step 13

  • Select "OK" to save changes to the Detection Rule
  • Select "OK" to save changes to the Detection Method
  • Select "OK" to save changes to the Deployment Type
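The detection rule configured in Steps 10 to 13, expressed as a PowerShell check so a deployment can be validated from a script or a compliance baseline. This is an added example, not code from the original post or from Carbon Black; the minimum version passed at the bottom is a placeholder for the sensor version you actually deployed.

```powershell
# Added example, not part of the original post: the file-system detection rule
# from Steps 10-13 expressed as a PowerShell check. The minimum version you
# pass is a placeholder for the sensor version you actually deployed.
function Test-CbDefenseSensor {
    param([Parameter(Mandatory)][version]$MinimumVersion)

    # Same path and file name the SCCM rule in Step 12 checks.
    $exe = Join-Path $env:ProgramFiles 'Confer\RepUx.exe'
    if (-not (Test-Path -LiteralPath $exe)) {
        return [pscustomobject]@{ Path = $exe; Present = $false; Version = $null; Compliant = $false }
    }

    # Build a [version] from the numeric parts rather than casting the
    # FileVersion string, which can carry extra text; this keeps the comparison
    # numeric so 3.10.0.1 ranks above 3.9.0.1, as the SCCM "Version" operator does.
    $vi = (Get-Item -LiteralPath $exe).VersionInfo
    $installed = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

    [pscustomobject]@{
        Path      = $exe
        Present   = $true
        Version   = $installed
        Compliant = ($installed -ge $MinimumVersion)   # "Greater than or equal to" rule
    }
}

# A non-zero exit lets a scheduled task or SCCM compliance script flag the device.
$result = Test-CbDefenseSensor -MinimumVersion '3.0.0.0'   # placeholder version
$result | Format-List
if (-not $result.Compliant) { exit 1 }
```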


Deploy Cb Defense Sensor Application

Step 1

  • Right click on the "Cb Defense Sensor Application" and select "Deploy"

Step 2

  • On the General Page select "Browse" for the Collection field.

Step 3

  • From the drop down choose "Device Collections" and choose a collection of devices to deploy to.

Step 4

  • Select "Next"
  • On the Content Page select "Add" to add a Distribution point then select "Next"

Step 5

  • On the Deployment Settings page select Action "Install", Purpose "Required", and "Next"

Step 6

  • On the Scheduling Page choose deployment schedule and select "Next"

Step 7

  • On the User Experience Page choose preferences and select "Next"

Step 8

  • On the Alerts Page choose preferences and select "Next"

Step 9

  • Review the Summary Page to confirm settings are correct and select "Next"
  • On the Completion Page select "Close"

How to Perform an Unattended Installation of the Mac Sensor

To deploy the Defense sensor on Mac operating systems, the following items will be needed:

  • The CB Defense sensor suite
  • All versions of the Mac operating system.

Step 1

  • The CB Defense sensor for macOS comes in a DMG file format. Start the process by extracting the installation package and the installation script.

Step 2

  • Mount the disk image in a virtual location using the hdiutil command. The location should be one you remember and the command for mounting the disk can be found below:

Step 3

  • Create a copy of the files ‘CbDefenseinstall.pkg’ and ‘cbdefense_install_unattended.sh’ located within the mounted disk image. Paste the copied files at the installation target on the Mac device being used.

Step 4

  • Run the installation command remotely and replace the ‘COMPANY_CODE’ string with the provided company code that came with the CB Defense sensor. Follow the prompts to complete the process.

Note: The two files copied in step 3 are required by the target machine for installing the Confer Sensor Software. This is why they must be copied exactly, with their file names unchanged.


Author: Datashield
Official Datashield account for blog content, news, announcements and more. The articles authored include a collaboration between internal staff, specifically the security operations and marketing team.
