The Advanced section of the Create Group or Edit Group panel includes the following settings.
Setting |
Description |
|---|---|
Sensor-side Max Disk Usage |
This setting contains two options to limit sensor disk consumption on clients either by raw available space (in megabytes) or percentage of the total space available. The sensors will limit the amount of space they use on clients based on the smaller of these two values:
|
Filter known modloads (Windows and macOS only) |
When selected, Carbon Black EDR will not report the module load events of known good Windows and macOS modules that reside on the operating system. This helps reduce the number of known good events that are reported to the server. |
Process Banning |
When selected, this setting enables process hash bans in this group. By default, this setting is disabled and process hash bans prevent banned processes from running. For more information, see Banning Process Hashes. |
Tamper Protection Level (Windows only) |
This setting determines the tamper detection or protection level for the sensor on the endpoint. When set to None, no tamper detection or protection exists. This is the default setting. When set to Detection, the sensor identifies attempts to modify the sensor configuration or memory and alerts on these attempts. This setting is only applicable for Windows sensors version 5.0.0 and higher. With the 7.2.0 Windows sensor release, Tamper Detection protects against process injection attempts. When set to Protection, the sensor blocks local admin attempts to inject, remove, modify, or delete the sensor by protecting the sensor service, drivers, files, folders, registry settings and other sensor components. This setting is only applicable for Windows sensors version 7.2.0 and higher. To change this setting you must be one of the following: a Global Administrator (Carbon Black EDR), an Administrator (Carbon Black Hosted EDR), or a user who is an Analyst for this sensor group and who also has permission for Tamper Level. For more information about Tamper Protection, see Tamper Protection of Windows Sensors. |
Tamper Override Password |
This field contains a password to temporarily disable tamper protection on the sensor from the CLI, in case the sensor cannot reach the server. |
VDI Behavior Enabled |
When selected, this setting enables Virtual Desktop Infrastructure (VDI) for sensors on virtual machines. Use VDI when endpoints that are virtual machines are re-imaged. Sensor IDs are maintained across re-imaging by hostname, MAC, or other determining characteristics.
Note:
VDI support must be globally enabled to use this feature. See the Carbon Black EDR Integration Guide. |
Retention Maximization |
These settings change how sensor process data that contains only modload processes or only modload and cross processes is recorded on the server. Minimum Retention makes this data more easily searchable but leaves a bigger footprint and can lead to a reduction in data retention time. Recommended and Maximum Retention consolidate data under parent processes, reducing the data footprint and helping increase the retention time. Data consolidated in this way is still searchable, as child processes.
Note:
Recommended and Maximum Retention can result in false positives in the results of cmdline searches. See Retention Maximization and cmdline Searches.
Note: This setting was called
Data Suppression Level in pre-6.5 versions of
Carbon Black EDR.
|
Alerts Critical Severity Level |
Select a value from the menu to alter the critical level for alerts on a per-sensor-group basis. This directly effects the severity rating for alerts generated by this sensor group. On the Triage Alerts page, the severity score of an alert (located in the Severity column of the Results table) is determined by three components:
For more information about alerts, see Console and Email Alerts. For more information about threat intelligence feed scores, see Threat Intelligence Feeds. |
