The Advanced section of the Create Group or Edit Group panel includes the following settings.



Sensor-side Max Disk Usage

This setting contains two options to limit sensor disk consumption on clients either by raw available space (in megabytes) or percentage of the total space available. The sensors will limit the amount of space they use on clients based on the smaller of these two values:

  • In the MB field, enter the maximum available space on the client (between 2 and 10240 megabytes).

  • In the % field, enter the maximum percentage (between 2% and 25%) of total disk space on the client.

Filter known modloads (Windows and macOS only)

When selected, Carbon Black EDR will not report the module load events of known good Windows and macOS modules that reside on the operating system. This helps reduce the number of known good events that are reported to the server.

Process Banning

When selected, this setting enables process hash bans in this group. By default, this setting is disabled and process hash bans prevent banned processes from running.

For more information, see Banning Process Hashes.

Tamper Protection Level (Windows only)

This setting determines the tamper detection or protection level for the sensor on the endpoint.

When set to None, no tamper detection or protection exists. This is the default setting.

When set to Detection, the sensor identifies attempts to modify the sensor configuration or memory and alerts on these attempts. This setting is only applicable for Windows sensors version 5.0.0 and higher. With the 7.2.0 Windows sensor release, Tamper Detection protects against process injection attempts.

When set to Protection, the sensor blocks local admin attempts to inject, remove, modify, or delete the sensor by protecting the sensor service, drivers, files, folders, registry settings and other sensor components. This setting is only applicable for Windows sensors version 7.2.0 and higher.

To change this setting you must be one of the following: a Global Administrator (Carbon Black EDR), an Administrator (Carbon Black Hosted EDR), or a user who is an Analyst for this sensor group and who also has permission for Tamper Level.

For more information about Tamper Protection, see Tamper Protection of Windows Sensors.

Tamper Override Password

This field contains a password to temporarily disable tamper protection on the sensor from the CLI, in case the sensor cannot reach the server.

VDI Behavior Enabled

When selected, this setting enables Virtual Desktop Infrastructure (VDI) for sensors on virtual machines. Use VDI when endpoints that are virtual machines are re-imaged. Sensor IDs are maintained across re-imaging by hostname, MAC, or other determining characteristics.


VDI support must be globally enabled to use this feature. See the VMware Carbon Black EDR Integration Guide.

Retention Maximization

These settings change how sensor process data that contains only modload processes or only modload and cross processes is recorded on the server.

Minimum Retention makes this data more easily searchable but leaves a bigger footprint and can lead to a reduction in data retention time.

Recommended and Maximum Retention consolidate data under parent processes, reducing the data footprint and helping increase the retention time. Data consolidated in this way is still searchable, as child processes.

  • Minimum Retention – All process activity is recorded and available for search.

  • Recommended Retention – The processes that contain only modload events are available under the parent processes and are searchable as child processes. You can search metadata, such as command line and user context, under the parent process.

  • Maximum Retention – The processes that contain only modload and cross processes are available under the parent processes and are searchable as child processes. You can search metadata, such as command line and user context, under the parent process.


Recommended and Maximum Retention can result in false positives in the results of cmdline searches. See Retention Maximization and cmdline Searches.

Note: This setting was called Data Suppression Level in pre-6.5 versions of Carbon Black EDR.

Alerts Critical Severity Level

Select a value from the menu to alter the critical level for alerts on a per-sensor-group basis. This directly effects the severity rating for alerts generated by this sensor group.

On the Triage Alerts page, the severity score of an alert (located in the Severity column of the Results table) is determined by three components:

  • Feed rating

  • Threat intelligence report score

  • Sensor criticality. For example, server sensors can have a higher criticality than engineering workstations. If two sensor groups have different alert criticalities, and they receive alerts from the same feed and for the same report, the sensor group that has the higher alert criticality will have a higher severity score on the Triage Alerts page, and servers in that group will appear at the top of the queue.

For more information about alerts, see Console and Email Alerts.

For more information about threat intelligence feed scores, see Threat Intelligence Feeds.