Live Response opens a command line interface for direct access to any connected host that is running the Carbon Black EDR sensor.

Responders can perform remote live investigations, intervene in ongoing attacks, and instantly remediate endpoint threats. For example, Live Response allows a responder to view directory contents, kill processes, modify the registry, and get files from sensor-managed computers.

Live Response is disabled by default on newly installed Carbon Black EDR systems. Enable or Disable Live Response through the Console and Tune Live Response Network Usage describe ways to enable the feature and adjust data settings.

Important:

Live Response feature should be used in full compliance with your organization's policy on accessing other user's computers and files. Consider the capabilities described here before giving users access to the feature and choosing the sensor group in which you will place endpoints.

If you do not want console administrators for Carbon Black EDR installations to activate Live Response, make sure CbLREnabled=False is set in your cb.conf file and is not commented out. For more information about cb.conf, see the VMware Carbon Black EDR Server Configuration Guide.

There are two Live Response modes:

  • Attached Mode – When you activate Live Response for a specific endpoint, you create and attach to a session. The interface for a session includes information about the endpoint and a command window for interacting with the endpoint. See Live Response Endpoint Sessions.
  • Detached Mode – You can enter Live Response without being attached to a particular session through the Go Live command on the console menu. This interface includes commands to manage and access existing sessions as well as commands that are useful outside of a session. See Detached Session Management Mode.