Carbon Black (CB) Defense is a distributed process-monitoring tool for threat detection across enterprise networks. The CB Defense sensor captures endpoint data to discover suspicious activity occurring within the network. Once deployed, the sensor stays on and continuously collects data that can be categorized and analyzed for suspicious activity.
To deploy the Carbon Black Defense Sensor, the following information applies:
Supported Operating Systems
The operating systems supported by the CB Defense sensor include all functional Windows operating systems and macOS.
A working internet connection is needed for the deployment, because the sensor must register with the CB Defense servers for the installation to succeed. The sensors can connect to the Defense servers through:
- A static configured proxy
- A direct connection over TCP/443
- Auto-detection of a proxy
Admin Permissions
CB Defense sensors require administrator permission for new installations, which are performed manually.
Other required permissions are firewall exceptions: one that allows outgoing connections to the CB Defense domain over TCP/443, and one that allows outgoing connections to the CB Defense alternate port.
An activation code is needed during the installation process. The activation code can be found on the enrollment page and expires after 7 days.
Configuration Management Tools
In some situations you may need an endpoint management tool to assist with installing the Defense sensors, such as Casper for Mac or SCCM for Windows.
Steps to Deploy Carbon Black Defense Sensors
Steps to Perform an Unattended Installation of CB Defense Sensors:
The steps outlined here focus on an unattended installation of the Windows Sensor.
The items to have before beginning the deployment include:
- A downloaded sensor installation kit – make sure the version matches the Windows operating system that will host the sensor.
- The company’s registration code
Start the process by opening an elevated command prompt and running the quiet-mode (‘/q’) command outlined below:
msiexec.exe /q /i CbDefense-setup.msi /L*vx log.txt <CbDefense_msi_command_options>
The first command, shown below, should be used if a specific policy group has already been created in the console.
msiexec /q /i C:\Users\UserFolderName\Desktop\installer_vista_win7_win8-64.msi /L*vx log.txt COMPANY_CODE=12345678 GROUP_NAME=Phase1
The second command, shown below, should be used if a specific policy group has not been created. It installs the sensor, assigns it to a previously created policy group, and installs the sensor in a bypassed state.
msiexec /q /i "C:\Users\UserFolderName\Desktop\installer_vista_win7_win8-64.msi" /L*vx log.txt COMPANY_CODE=12345678 GROUP_NAME=Phase1 BYPASS=1
This launches the installer, which requests the 6-digit company code to continue the installation process.
If the code is correct, the installation continues until it completes. You can then follow the prompts to finish the task.
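An added example (not Carbon Black's own tooling) that wraps the unattended msiexec command above in a script: it checks for elevation, passes COMPANY_CODE, GROUP_NAME and the optional BYPASS=1 exactly as the commands shown do, interprets the msiexec exit code, and verifies that the sensor binary landed in %ProgramFiles%\Confer. The parameter names and the log path are the script's own assumptions.

```powershell
# Added example: unattended CB Defense Windows sensor install wrapper.
# Not Carbon Black's own script; parameter names and log path are assumptions.
param(
    [Parameter(Mandatory)] [string] $MsiPath,      # e.g. C:\...\installer_vista_win7_win8-64.msi
    [Parameter(Mandatory)] [string] $CompanyCode,  # registration code from the console
    [string] $GroupName = 'Phase1',                 # policy group, as in the page's commands
    [switch] $Bypass,                               # adds BYPASS=1 (install in bypassed state)
    [string] $LogPath  = "$env:TEMP\CbDefense-install.log"
)

# The sensor install needs admin rights; fail early instead of letting msiexec fail late.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}
if (-not (Test-Path -LiteralPath $MsiPath)) { throw "MSI not found: $MsiPath" }

# Same switches as the page's command line: /q quiet, /i install, /L*vx verbose log.
# Paths are quoted so that spaces in them survive.
$msiArgs = @('/q', '/i', "`"$MsiPath`"", '/L*vx', "`"$LogPath`"",
             "COMPANY_CODE=$CompanyCode", "GROUP_NAME=$GroupName")
if ($Bypass) { $msiArgs += 'BYPASS=1' }

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow
switch ($proc.ExitCode) {
    0       { Write-Output 'Sensor installed.' }
    3010    { Write-Output 'Sensor installed; a reboot is required to finish.' }
    default { throw "msiexec exited with code $($proc.ExitCode); see $LogPath" }
}

# Post-install check: the sensor binary should now exist under %ProgramFiles%\Confer
# (the same file the SCCM detection rule later on this page looks for).
$sensorExe = Join-Path $env:ProgramFiles 'Confer\RepUx.exe'
if (Test-Path -LiteralPath $sensorExe) {
    $ver = (Get-Item -LiteralPath $sensorExe).VersionInfo.ProductVersion
    Write-Output "RepUx.exe present, version $ver"
} else {
    Write-Warning "msiexec reported success but $sensorExe is missing; review $LogPath"
}
```

Run it from a 64-bit elevated PowerShell session so that $env:ProgramFiles resolves to the 64-bit Program Files directory.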
How to Install CB Defense Sensors Using SCCM
System Center 2012 Configuration Manager (SCCM) is used to deploy Defense sensors across all versions of the Windows operating system. To start the process, the following installation suites or tools are needed:
- CB Defense sensor – any version will work
- Microsoft Windows
- The first step is to add the CB Defense Sensor Application through the SCCM Configuration Manager. Open the SCCM Configuration Manager.
- In the Software Library select Overview > Application Management > Applications
- Right Click on Applications and Select "Create Application"
- On the General Page select "Automatically detect information about this application from installation files":
- Type: Windows Installer (*.msi file)
- Location: Accessible share that contains the Sensor msi file
- Then Select "Next"
- On the Import Information Page there should be a message that says "Application information successfully imported from the Windows Installer"
- Select "Next"
- On the General Information Page add the required COMPANY_CODE install parameter and the /L*vx C:\pathname\msi.log parameter, so that the verbose MSI install log is created in the location you specify. Any other optional command options described in "CB Defense: How to Perform an Unattended Installation of the Windows Sensor" can also be added at this point. Select "Next"
- On the Summary Page select "Next"
- On the Completion Page Select "Close"
- Right Click on the "Cb Defense Sensor Application" you just added and select "Properties"
- Select the "Deployment Type" tab
- Select the "Deployment Type" you have configured for Cb Defense and select "Edit"
- Select the "Programs" tab and change the uninstall command from msiexec /x "installer_vista_win7_win8-xx-x.x.x.xxxx.msi" to %ProgramFiles%\Confer\uninstall.exe /uninstall <Company Deregistration Code> if "Require code to uninstall sensor" is enabled on the Policy and you want the option of uninstalling the sensor using SCCM
- Select the "Detection Method" tab
- Select the "Detection rule" configured
- Select "Edit Clause"
- Change the "Setting Type" to "File System"
- Set Path to %ProgramFiles%\Confer, File or Folder name to RepUx.exe
- Select "The file system setting must satisfy the following rule to indicate the presence of this application"
- Configure MSI Property "Version", Operator "Greater than or equal to", and set Version to the currently installed Cb Defense sensor version.
- Select "OK" to save changes to the Detection Rule
- Select "OK" to save changes to the Detection Method
- Select "OK" to save changes to the Deployment Type
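An added example (not SCCM's or Carbon Black's code) of a script-based detection method that is equivalent to the file-system rule configured above: it looks for RepUx.exe under %ProgramFiles%\Confer and reports the sensor as installed only when the file version is at least the deployed version. The required version value is a placeholder you must set.

```powershell
# Added example: script detection method equivalent to the file-system rule
# above (RepUx.exe under %ProgramFiles%\Confer, version >= deployed version).
# Not SCCM's or Carbon Black's code. ConfigMgr semantics: exit code 0 with any
# text on STDOUT means "installed"; exit code 0 with no output means "not installed".
$RequiredVersion = [version]'0.0.0.0'   # PLACEHOLDER: set to the sensor version you deployed

$sensorExe = Join-Path $env:ProgramFiles 'Confer\RepUx.exe'
if (-not (Test-Path -LiteralPath $sensorExe)) {
    exit 0                               # file absent -> not installed, so print nothing
}

# ProductVersion may carry a text suffix; keep only the leading dotted-numeric part
# so the [version] cast does not throw.
$raw     = (Get-Item -LiteralPath $sensorExe).VersionInfo.ProductVersion
$numeric = ($raw -split '[^0-9.]')[0]
try   { $installed = [version]$numeric }
catch { exit 0 }                         # unparsable version -> report not installed

if ($installed -ge $RequiredVersion) {
    Write-Output "Cb Defense sensor $installed detected (required >= $RequiredVersion)"
}
exit 0
```

Paste this into the Deployment Type's Detection Method as a PowerShell script if you prefer a script rule over the clause-based rule; both express the same condition.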
Deploy Cb Defense Sensor Application
- Right click on the "Cb Defense Sensor Application" and select "Deploy"
- On the General Page select "Browse" for the Collection field.
- From the drop down choose "Device Collections" and choose a collection of devices to deploy to.
- Select "Next"
- On the Content Page select "Add" to add a Distribution point then select "Next"
- On the Deployment Settings page select Action "Install", Purpose "Required", and "Next"
- On the Scheduling Page choose deployment schedule and select "Next"
- On the User Experience Page choose preferences and select "Next"
- On the Alerts Page choose preferences and select "Next"
- Review the Summary Page to confirm settings are correct and select "Next"
- On the Completion Page select "Close"
How to Perform an Unattended Installation of the Mac Sensor
To deploy the Defense sensor on Mac operating systems, the following items will be needed:
- The CB Defense sensor suite
- All versions of the Mac operating system.
1. The CB Defense sensor for macOS comes in DMG file format. Start the process by extracting the installation package and the installation script.
2. Mount the disk image at a location you will remember, using the hdiutil command; the command for mounting the disk can be found below:
3. Copy the files ‘CbDefenseinstall.pkg’ and ‘cbdefense_install_unattended.sh’ from the mounted disk image to the installation target on the Mac device being used.
4. Run the installation command remotely, replacing the ‘COMPANY_CODE’ string with the company code provided with the CB Defense sensor. Follow the prompts to complete the process.
Note: The two files copied in step 3 are required on the target machine to install the Confer sensor software, so they must be copied exactly, without missing a single character.