The Unified Binary Store (UBS) is a Carbon Black Cloud service responsible for storing all binaries and the corresponding metadata for these binaries. To gain UBS access for your organization, you must enable Carbon Black Cloud Enterprise EDR and opt in to binary uploads on the Policies page.
- Currently, only the Carbon Black Cloud sensor for Windows supports UBS. Thus, all binaries available in UBS are Windows PE files.
- Carbon Black Cloud sensors for macOS and Linux do not support UBS binary upload and UBS metadata capture. For processes and binaries coming from these platforms, the Binary Details page displays all fields as Unknown.
Once you enable Enterprise EDR, you can use the UBS APIs to download binaries observed on your endpoints and retrieve the corresponding metadata. Currently, the data retention for UBS is infinite. If your organization has already observed an execution of a binary on one or more endpoints, the organization can retrieve the associated metadata (and, optionally, the binary itself if binary uploads were opted in at the time of execution).
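As an added example (not Carbon Black's own code), the Python below builds the UBS download request for a set of SHA-256 values and sorts the response into binaries that can be downloaded, hashes for which UBS holds no copy (for example, uploads were off at execution time), and hashes to retry. It assumes the UBS `file/_download` endpoint and its `found` / `not_found` / `error` response fields; the hostname, org key, token and hashes are constructed placeholders.

```python
import json
import re
import urllib.request

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")

def build_download_request(base_url, org_key, api_token, hashes, expiration_seconds=3600):
    """Build (do not send) the POST asking UBS for time-limited download URLs."""
    clean = sorted({h.lower() for h in hashes if SHA256_RE.match(h)})  # drop malformed, dedupe
    if not clean:
        raise ValueError("no valid SHA-256 values supplied")
    body = json.dumps({"sha256": clean, "expiration_seconds": expiration_seconds})
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/ubs/v1/orgs/{org_key}/file/_download",  # assumed endpoint path
        data=body.encode(),
        method="POST",
        headers={"X-Auth-Token": api_token, "Content-Type": "application/json"},
    )

def triage_download_response(requested, response):
    """Place every requested hash in exactly one bucket."""
    found = {e["sha256"].lower(): e["url"] for e in response.get("found", [])}
    errors = {h.lower() for h in response.get("error", [])}
    not_found = {h.lower() for h in response.get("not_found", [])}
    report = {"downloadable": {}, "no_binary": [], "retry": [], "unaccounted": []}
    for h in sorted({h.lower() for h in requested}):
        if h in found:
            report["downloadable"][h] = found[h]
        elif h in errors:
            report["retry"].append(h)        # transient failure: ask again later
        elif h in not_found:
            report["no_binary"].append(h)    # no copy in UBS; metadata may still exist
        else:
            report["unaccounted"].append(h)  # response did not mention this hash
    return report

def send(request):
    """Perform the call; needs a real hostname, org key and API token."""
    with urllib.request.urlopen(request, timeout=30) as resp:
        return json.load(resp)

# Constructed sample data, not real hashes or URLs.
SAMPLE_REQUESTED = ["a" * 64, "b" * 64, "c" * 64, "d" * 64]
SAMPLE_RESPONSE = {
    "found": [{"sha256": "a" * 64, "url": "https://ubs.example.invalid/constructed"}],
    "not_found": ["b" * 64],
    "error": ["c" * 64],
}
```
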
How UBS works
- If the binary did not execute successfully, neither the metadata nor the binary is uploaded to the Carbon Black Cloud. The UBS does not have any data related to the non-execution of that binary.
- If any metadata about the binary changes after initial execution (e.g., file path, signature state), the UBS does not receive that updated binary metadata.
Enterprise EDR solution | Upload all new binaries… option | Result |
---|---|---|
Not enabled | N/A | The Upload all new binaries… option is not available in the Policies page of the Carbon Black Cloud console. |
Enabled | Off | Carbon Black Cloud does not upload the binary (the Download button does not exist on the Binary Details page), but the Carbon Black sensor gathers information on hash, reputation, signature, etc., which displays on the Binary Details page. Toggling the "upload binaries" policy off does not impact the UBS metadata (the information populating the Binary Details page remains available), but it can affect whether new binaries get uploaded to the UBS. |
Enabled | On | Carbon Black Cloud uploads binaries, which display on the Binary Details page. Note: The sensor uploads only binaries for which the UBS does not have a complete copy. If the “upload binary” option was switched off, there is a delay of a few minutes after you toggle it on while active assets start sending the necessary information. Information unique to inactive assets cannot be displayed until these assets become active again. |
The Carbon Black Cloud sensor cannot gather information for processes in the following cases:
- When the process has started prior to the sensor. Thus, information is not available for early-starting Windows processes.
- When the sensor is in Bypass mode.
- When the sensor processes must restart, even though the OS has not restarted.
Add Files to the Unified Binary Storage
You can enable the upload of all new binaries (identified by their SHA-256 value and not previously seen in your organization) to Carbon Black Cloud for later analysis and download. This option is global and cannot be configured at a policy level.