An integral part of implementing VDI support is the installation and configuration of Carbon Black EDR sensors. Each sensor collects data on running processes and binaries.

VDI support can be implemented using one of two approaches:

  • Global VDI support

  • Sensor group VDI support

When installing a Carbon Black EDR sensor on a master image, we recommend that you use Global VDI Support. While not required for sensor-group-based VDI support, the combination of the two solutions provides additional assurance that the master image does not cause any sensor conflicts.

A sensor collects data upon installation and its collection process can be optimized by clearing out two types of Carbon Black EDR directories: those storing binary or event log data. Clearing out these directories before the sensor becomes operational ensures that the sensor does not propagate a backlog of data from processes that ran while installing Carbon Black EDR to any or all of the images. Such a propagation can have adverse effects while deploying the image.

After stopping Carbon Black EDR sensor services on the client, clear the directories and files for the following types of data:

  • Windows binary data

    • Directory: %WINDIR%\CarbonBlack\store

    • Sub-directories: MD5_*

  • Windows event data

    • Directory: %WINDIR%\CarbonBlack\EventLogs

    • Files: eventlog_*.log.zip and active-event.log

  • OSX binary data

    • Directory:/var/lib/cb/store

    • Files: MD5_*

  • OSX event data

    • Directory: /var/lib/cb

    • Files: event.log*

After the directories are cleared, you can configure either global or sensor group VDI support.