Use these policy settings to define sensor behavior.
Setting | Description |
---|---|
Display sensor message in system tray | Select this option to display a message in the endpoint's system tray when a notification is generated. Type the message into the message text box. If this setting is disabled, the sensor icon and message do not display in the system tray on the endpoint. |
Allow user to disable protection | If selected, the Carbon Black Cloud sensor is displayed with a Protection on/off toggle, which lets the user place the sensor in bypass mode. This option is grayed out unless you enable Display sensor message in system tray. The Protection toggle only displays on single-user operating systems. The Protection toggle does not display on terminal servers. |
Run background scan | If selected, the sensor performs an initial, one-time inventory scan in the background to identify malware files that were pre-existing on the endpoint. Using this feature helps increase malware blocking efficacy for files that were pre-existing on the endpoint before the sensor installation. The sensors invoke the background scan one time upon deployment. The current background scan state is logged to the NT Event Log or syslog together with the "BACKGROUND_SCAN" tag. See Background Scans. |
Require code to uninstall sensor | Select this option to protect the action of uninstalling a sensor from an endpoint. If this setting is enabled, no user can uninstall a sensor that belongs to this policy without providing a deregistration code. This setting applies to Windows version 3.1+ and macOS sensors only. |
Enable host-based firewall | Select this option to enable the Carbon Black Cloud Host-based Firewall feature. |
Enable auth event collection | Select this option to enable the collection of the following Windows authentication events, which are identified by their Windows Event ID and respective description: |
Enable XDR network data collection | This option is enabled by default for Windows sensors only for customers who have Carbon Black XDR. You can deselect the check box to disable XDR network data collection for the sensors to which the policy is assigned. Disabling data collection does not disable Carbon Black XDR; it simply stops the sensor from collecting XDR network data and thus reduces noise. |
Enable Live Response | Select this option to enable Live Response for this policy. |
Collect common library load events | Select this option to enable the collection of module load (modload) events that are generated when a common, trusted Windows dynamic-link library (DLL) is loaded by a process. This setting is disabled by default to suppress the collection of expected, high-volume modload events that are associated with DLLs that are provided and signed by Microsoft Windows. |
Use Windows Security Center | Select this option to set Carbon Black Cloud as the endpoint antivirus protection software in conjunction with Windows Security Center. This setting applies to Windows version 2.10+ sensors only. |
Auto-delete known malware after... | This option enables Carbon Black Cloud to automatically delete known malware after a specified period of time. This setting applies to macOS sensor version 3.2.2+ or Windows sensor version 3.2.1+. |
Enable private logging level | Script files that have unknown reputations are uploaded unless this option is selected. This option also removes potentially sensitive details from the events that are uploaded. This includes: Important: Redacted data only applies to Carbon Black Cloud Endpoint Standard data. If you have both Carbon Black Cloud Endpoint Standard and Carbon Black Cloud Enterprise EDR enabled, Carbon Black Cloud Enterprise EDR data is not redacted. |
Delay execute for cloud scan | If the local scan returns an indefinite result, this option specifies whether Carbon Black Cloud delays the invocation of an executable until reputation information can be retrieved from the backend. This is a recommended setting. This setting applies to Windows version 2.0+ sensors only. |
Pause binary execution | This option allows the sensor to analyze and block malware or banned binaries before they run. This option increases security at the cost of performance. This toggle is supported by Linux only. |
Scan files on network drives | If selected, the sensor scans files on network drives upon READ. The default value for this setting is false. For best performance, deselect this setting. This option is only supported by Windows and macOS sensors. |
Scan execute on network drives | If selected, the sensor will scan files on network drives upon EXECUTE. This setting applies to Windows version 2.0+ and macOS sensors only. |
Hash MD5 | Select this option to maintain MD5 hashes in logs. This option has no effect on the security efficacy of Carbon Black Cloud. Deselecting this option prevents Carbon Black Cloud from logging MD5 hashes. For best performance, do not select this option. This setting applies to Windows version 2.0+ and macOS sensors only. |
Submit unknown binaries for analysis | Select this option to enable the upload of unknown binaries for Cloud Analysis by Carbon Black and Symantec CYNIC. Submitting unknown binaries improves prevention efficacy by allowing for additional threat analysis and reputation context. This setting applies to Windows version 3.2+ sensors only. Additional options: Note: You can modify the APC options using the Policy API. For more information about Symantec CYNIC, see Cloud Analysis. |
Upload new binaries and their metadata to Carbon Black for later analysis and download | If selected, executed binary files and their metadata will be uploaded to Carbon Black Cloud. Each stored binary file's metadata can be viewed on the Binary Details page, where the binary can also be downloaded for further analysis or added to the banned list. This setting is available to Carbon Black Cloud Enterprise EDR and Carbon Black XDR customers, and applies to Windows sensors 3.4+. |
Auto-deregister VDI clone sensors that have been inactive for... | Applies to both full and instant VDI Clones. We recommend only enabling this setting for policies assigned to instant clones. If enabled, this policy setting overrides any selections made to Sensor Settings on the Endpoints page. This setting applies to Windows sensor versions 3.5+ and Linux sensor versions 2.12+. |
Auto-deregister VM workload sensors that have been inactive for... | Allows you to de-register VM Workloads that are inactive for a certain time at both organization level and policy level. Carbon Black Cloud does not distinguish between VM Workloads that are shut down or have been deleted. You must distinguish between ephemeral and non-ephemeral VMs, and make your choice at the organization or policy level accordingly. If enabled, this policy setting overrides any selections made to Sensor Settings (organization level) on the VM Workloads page. If you do not select any sensor settings or policy settings for the inactive interval, the default inactive period is 3 days. This setting applies to Windows sensor versions 3.5+ and Linux sensor versions 2.12+. |
Event Reporting & Sensor Operation Exclusions | Event Reporting and Sensor Operation Exclusions enable Carbon Black Cloud Endpoint Standard and Carbon Black Cloud Enterprise EDR customers to exclude event reporting and sensor operations to resolve operational issues, such as network performance issues, endpoint performance issues, or interoperability issues with third-party software. For more information, see Event Reporting and Sensor Operation Exclusions. |