This page is an aggregate of all OER topics onto a single page for more convenient HTML viewing.
Supported Operating Systems for the Carbon Black Cloud Sensor
For a complete list of supported operating systems, see the following sensor OERs:
Supported Browsers for the Carbon Black Cloud Console
- Windows: Firefox, Chrome, and Edge
- macOS: Safari, Firefox, and Chrome
Ports and URLs
Specific ports must be opened on the Firewall or Proxy servers to allow the sensor to communicate with the various Carbon Black Cloud services.
For a complete list of ports and URLs that must be opened on the firewall and proxy servers, see CB Defense: What Ports must be opened on the Firewall and Proxy Servers?
macOS User Space Functionality
Beginning in macOS 11, the Carbon Black Cloud macOS sensor (v3.5.1) operates by default in user-space via System Extensions (user-space) instead of Kernel Extensions (KEXTs) that are used in prior versions of the agent. Therefore, there are some functional differences when using the sensor in System Extension mode on macOS 11 and later.
Using the sensor in KEXT mode achieves the same functionality on macOS 11 as it does on older operating systems.
Unless otherwise specified, documentation related to macOS functionality on the Carbon Black Cloud pertains to macOS 10.15 and earlier or to functionality delivered via the KEXT on macOS 11.
The following matrix outlines macOS functionality on the Carbon Black Cloud. The functionality detailed in the macOS 11+ column pertains to the sensor’s functionality in user space (System Extension) in the initial macOS 11-compatible sensor release (v3.5.1+). For functionality provided via the kernel extension, refer to the macOS 10.12 - 11+ column.
| Functionality | macOS10.12 - 11 (KEXT) | macOS 11+(user-space) |
|---|---|---|
| Behavioral EDR (analytics detection) | X | X |
| Behavior-based prevention (non-reputation policy rules) | X | In Progress |
| Targeted Prevention (Terminate Process) | X | X |
| Targeted Prevention (Deny Process) | X | In Progress |
| Reputation-based prevention (CB Analytics) | X | X |
| Banned-list based prevention (Deny List) | X | X |
| Approved-list allowances (hash, cert, IT tool) | All | Hash only |
| Automatic Malware Removal | X | X |
| Script Detection | X | X |
| On-demand File Collection | X | X |
| On-demand File Deletion | X | X |
| On-demand - Endpoint Network Isolation (Quarantine) | X | X |
| Interactive Remote Shell Capability for Remediation (Live Response) | X | X |
| Behavior-based Ransomware Detection/Prevention (non-reputation) | X | In Process |
| Keylogger (CGEventTap) Detection | X | In Process |
| XProtect Block Event Collection | X |
Linux 4.4+ Kernels for Linux Sensor 2.10+
Prior to installing the sensor, the underlying BPF implementation requires the Linux kernel headers for the active kernel to be installed.
See Linux Kernel Requirements for Linux Sensor Versions 2.10+ .
Local Scanning Feature for Windows
The Windows sensor includes an optional local scanning feature that enables static file analysis of applications before they are executed.
This feature requires an additional 600MB of disk storage to store signature information and allow for signature updates.
Scanner Definition Host and Ports
| Requirement | Details | Notes |
|---|---|---|
| Carbon Black Definition Server http://updates.cdc.carbonblack.io/update Uses HTTP Port 80 |
This connection is used to update local scanner definition files. This is only required if local scanning is enabled for the sensor. | This can be configured to update from a locally hosted server. If you mirror the definition server to an internal server, you can use port 80 or other HTTP port. |
Local Scan Settings are not supported by macOS or Linux sensors.
For large enterprises, we recommend the following best practices:
- Perform an initial installation of AV Signature Pack together with the sensor.
- Roll out the initial AV Signature Pack download in small batches to avoid network saturation.
- Mirror signature updates on a local server.
See the Signiature Mirror Instructions in the Sensor Installation Guide.
Sensor Hardware Requirements
Endpoints must be in compliance with all hardware requirements for the host operating system.
Consider all processes that run on the endpoints when determining your hardware configuration. We recommend a multi-core CPU for all installations.
The following metrics represent system requirements against a minimum environment, which is defined in the context as a user level system (such as an inactive laptop).
Windows Sensor Hardware Requirements
| Metric | Endpoint Standard | Endpoint Standard + Audit & Remediation | Endpoint Standard + Enterprise EDR | Endpoint Standard + Enterprise EDR + Audit & Remediation |
|---|---|---|---|---|
| CPU | Minimum: 1.5 GHz Recommended: 2 GHz |
Minimum: 1.8 GHz Recommended: 2 GHz |
Minimum: 1.8 GHz Recommended: 2 GHz |
Minimum: 1.8 GHz Recommended: 2 GHz |
| Memory | 1 GB 2 GB for Windows 10/2016+ |
1 GB 2 GB for Windows 10/2016+ |
1 GB 2 GB for Windows 10/2016+ |
1 GB 2 GB for Windows 10/2016+ |
| Cores | 2 | 2 | 2 | 2 |
| Network required | Minimum: 100 Mbit Recommended: 1 Gbit |
Minimum: 100 Mbit Recommended: 1 Gbit |
Minimum: 100 Mbit Recommended: 1 Gbit |
Minimum: 100 Mbit Recommended: 1 Gbit |
| Minimum network during light usage | 1k bytes/sec read/writes each | 1k bytes/sec read/writes each | 1k bytes/sec read/writes each | 1k bytes/sec read/writes each |
| *Free disk space | Minimum: 200 MB Recommended: 1 GB |
Minimum: 200 MB Recommended: 1 GB |
Minimum: 200 MB Recommended: 1 GB |
Minimum: 200 MB Recommended: 1 GB |
macOS Sensor Hardware Requirements
| Metric | Endpoint Standard | Endpoint Standard + Audit & Remediation | Endpoint Standard + Enterprise EDR | Endpoint Standard + Enterprise EDR + Audit & Remediation |
|---|---|---|---|---|
| CPU | Any supported x86-64 or arm64* | Any supported x86-64 or arm64* | Any supported x86-64 or arm64* | Any supported x86-64 or arm64* |
| Memory | 2 GB | 2 GB | 2 GB | 2 GB |
| Cores | 2 | 2 | 2 | 2 |
| Network required | Minimum: 100 Mbit Recommended: 1 Gbit |
Minimum: 100 Mbit Recommended: 1 Gbit |
Minimum: 100 Mbit Recommended: 1 Gbit |
Minimum: 100 Mbit Recommended: 1 Gbit |
| Minimum network during light usage | 1k bytes/sec read/writes each
|
1k bytes/sec read/writes each
|
1k bytes/sec read/writes each | 1k bytes/sec read/writes each |
| Free disk space | Minimum: 100 MB Recommended: 500 MB |
Minimum: 100 MB Recommended: 500 MB |
Minimum: 200 MB Recommended: 1 GB |
Minimum: 200 MB Recommended: 1 GB |
*arm64 CPU requires macOS sensor 3.6 or higher.
Linux Sensor Hardware Requirements
| Metric | Endpoint Standard | Endpoint Standard + Enterprise EDR | Endpoint Standard + Enterprise EDR + Audit & Remediation |
| CPU | Any 64-bit x86-64 chipset No speed required |
Any 64-bit x86-64 chipset No speed required |
Any 64-bit x86-64 chipset No speed required |
| Memory | 100 MB | 250 MB | 250 MB |
| Cores | 2 | 2 | 2 |
| Network Required | Minimum: 100 Mbit Recommended: 1 Gbit |
Minimum: 100 Mbit Recommended: 1 Gbit |
Minimum: 100 Mbit Recommended: 1 Gbit |
| Minimum network during light usage | 1k bytes/sec read/writes each | 1k bytes/sec read/writes each | 1k bytes/sec read/writes each |
| Free disk space | /opt: 100 MB /var: 1600 MB |
/opt: 100 MB /var: 2600 MB |
/opt: 100 MB /var: 3200 MB |
