Use these policy settings to define sensor behavior.

Setting

Description

Display sensor message in system tray

Select this option to display a message in the endpoint's system tray when a notification is generated. Type the message into the message text box.

If this setting is disabled, the sensor icon and message do not display in the system tray on the endpoint.

Allow user to disable protection

If selected, the Carbon Black Cloud sensor is displayed with a Protection on/off toggle, which lets the user place the sensor in bypass mode. This option is grayed out unless you enable Display sensor message in system tray. The Protection toggle only displays on single-user operating systems. The Protection toggle does not display on terminal servers.

Run background scan

If selected, the sensor performs an initial, one-time inventory scan in the background to identify malware files that were pre-existing on the endpoint. Using this feature helps increase malware blocking efficacy for files that were pre-existing on the endpoint before the sensor installation.  

The sensors invoke the background scan one time upon deployment. The current background scan state is logged to the NT Event Log or syslog together with the "BACKGROUND_SCAN" tag.

  • The standard background scan takes 3-5 days to complete (depending on number of files on the endpoint). It runs in low-priority mode to consume low system resources. This is the recommended scan.
  • The expedited scan option takes 24 hours to complete, and is only recommended for testing and emergency incidents. System performance is affected. Expedited scanning only applies to Windows sensors version 3.3+ and Linux sensors.

See Background Scans.

Require code to uninstall sensor

Select this option to protect the action of uninstalling a sensor from an endpoint. If this setting is enabled, no user can uninstall a sensor that belongs to this policy without providing a deregistration code. This setting applies to Windows version 3.1+ and macOS sensors only.

Enable host-based firewall Select this option to enable the Carbon Black Cloud Host-based Firewall feature.
Enable auth event collection

Select this option to enable the collection of the following Windows authentication events, which are identified by their Windows Event ID and respective description:

  • 4624 - An account was successfully logged on
  • 4625 - An account failed to log on
  • 4634 - The account was logged off
  • 4647 - User initiated logoff
  • 4672 - Special privileges assigned to new logon (administrator equivalent)
  • 4740 - A user account was locked out
  • [Null] - Active logon session detected, but the Windows Event ID is unknown

See Investigate - Auth Events.

Enable XDR network data collection This option is enabled by default for Windows sensors only for customers who have Carbon Black XDR.

You can deselect the check box to disable XDR network data collection for the sensors to which the policy is assigned. Disabling data collection does not disable Carbon Black XDR; it simply stops the sensor from collecting XDR network data and thus reduces noise.

Enable Live Response

Select this option to enable Live Response for this policy.

Collect common library load events

Select this option to enable the collection of module load (modload) events that are generated when a common, trusted Windows dynamic-link library (DLL) is loaded by a process.

This setting is disabled by default to suppress the collection of expected, high-volume modload events that are associated with DLLs that are provided and signed by Microsoft Windows.

Use Windows Security Center

Select this option to set Carbon Black Cloud as the endpoint antivirus protection software in conjunction with Windows Security Center. This setting applies to Windows version 2.10+ sensors only.

See Windows Security Center Integration.

Auto-delete known malware after...

This option enables Carbon Black Cloud to automatically delete known malware after a specified period of time. This setting applies to macOS sensor version 3.2.2+ or Windows sensor version 3.2.1+.

Enable private logging level

Script files that have unknown reputations are uploaded unless this option is selected. This option also removes potentially sensitive details from the events that are uploaded. This includes:

  • Redacting command-line arguments
  • Obfuscating document file names
  • Not resolving IP addresses to correlating domain names
Important: Redacted data only applies to Carbon Black Cloud Endpoint Standard data. If you have both Carbon Black Cloud Endpoint Standard and Carbon Black Cloud Enterprise EDR enabled, Carbon Black Cloud Enterprise EDR data is not redacted.

Delay execute for cloud scan

If the local scan returns an indefinite result, this option specifies whether Carbon Black Cloud delays the invocation of an executable until reputation information can be retrieved from the backend. This is a recommended setting. This setting applies to Windows version 2.0+ sensors only.

Pause binary execution This option allows sensor to analyze and block malware or banned binaries before they run. This option increases security at the cost of performance. This toggle is supported by Linux only.

Scan files on network drives

If selected, the sensor scans files on network drives upon READ. The default value for this setting is false. For best performance, deselect this setting. This option is only supported by Windows and macOS sensors.

Scan execute on network drives

If selected, the sensor will scan files on network drives upon EXECUTE. This setting applies to Windows version 2.0+ and macOS sensors only.

Hash MD5

Select this option to maintain MD5 hashes in logs. This option has no effect on the security efficacy of Carbon Black Cloud. Deselecting this option prevents Carbon Black Cloud from logging MD5 hashes. For best performance, do not select this option. This setting applies to Windows version 2.0+ and macOS sensors only.

Submit unknown binaries for analysis

Select this option to enable the upload of unknown binaries for Cloud Analysis by Carbon Black and Symantec CYNIC. Submitting unknown binaries improves prevention efficacy by allowing for additional threat analysis and reputation context. This setting applies to Windows version 3.2+ sensors only.

Additional options:
  • APC Max file size: Default value = 4 MB
  • APC Max Exe delay: Default value = 45 seconds
  • APC risk level: Default value = 4
Note: You can modify the APC options using the Policy API.

For more information about Symantec CYNIC, see Cloud Analysis.

Upload new binaries and their metadata to Carbon Black for later analysis and download If selected, executed binary files and their metadata will be uploaded to Carbon Black Cloud. Each stored binary file's metadata can be viewed on the Binary Details page, where the binary can also be downloaded for further analysis or added to the banned list. This setting is available to Carbon Black Cloud Enterprise EDR and Carbon Black XDR customers, and applies to Windows sensors 3.4+.

Auto-deregister VDI clone sensors that have been inactive for...

Applies to both full and instant VDI Clones. We recommend only enabling this setting for policies assigned to instant clones. If enabled, this policy setting overrides any selections made to Sensor Settings on the Endpoints page. This setting applies to Windows sensor versions 3.5+ and Linux sensor versions 2.12+.

Auto-deregister VM workload sensors that have been inactive for...

Allows you to de-register VM Workloads that are inactive for a certain time at both organization level and policy level.

Carbon Black Cloud does not distinguish between VM Workloads that are shut down or have been deleted. You must distinguish between ephemeral and non-ephemeral VMs, and make your choice at the organization or policy level accordingly.

If enabled, this policy setting overrides any selections made to Sensor Settings (organization level) on the VM Workloads page. If you do not select any sensor settings or policy settings for the inactive interval, the default inactive period is 3 days. This setting applies to Windows sensor versions 3.5+ and Linux sensor versions 2.12+.

Event Reporting & Sensor Operation Exclusions Event Reporting and Sensor Operation Exclusions enable Carbon Black Cloud Endpoint Standard and Carbon Black Cloud Enterprise EDR customers to exclude event reporting and sensor operations to resolve operational issues, such as network performance issues, endpoint performance issues, or interoperability issues with third-party software.

For more information, see Event Reporting and Sensor Operation Exclusions.