The following table describes whether certain features are available on Carbon Black EDR sensors.

Feature

Windows

Linux

macOS

Binaries (Collection)

Yes

Yes

Yes

Binary Info (Collection)

Yes

Yes

Yes

BinaryModule loads (Collection)

Yes

Yes

Yes

Carbon Black Live Response

Yes

Yes

Yes

Child Process events (Collection)

Yes

Yes

Yes

Compatibility Control

No

No

Yes

Cross Process events (Collection)

Yes

No

No

Retention Maximization

Yes

No

Yes

Diagnostics collection with SensorDiags

Yes

Yes

Yes

Disable sensor operation events

Yes

No

No

EMET events (Collection)

Yes

N/A

N/A

File modifications (Collection)

Yes

Yes

Yes-1

Global VDI Support

Yes

Yes

Yes

Hash Banning

Yes

Yes-2

Yes

Hash Banning Allow List (restrictions)

Yes

No

No

Improved proxy support: WPAD & PAC files

Yes

No

No

Known DLLs (Dylib/Mac) Filtering

Yes

No

Yes

Network Connections (Collection)

Yes

Yes

Yes

Network Connections for IPv6 (Collection)

Yes

Yes

Yes

Network Isolation

Yes

Yes-2

Yes

Non-Binary File Writes (Collection)

Yes

Yes

Yes

ODX Support

Yes

N/A

N/A

Process Information (Collection)

Yes

Yes

Yes

Process user context (Collection)

Yes

Yes

Yes

Proxy Support (unofficial support)

Yes

Yes

Yes

Registry modifications (Collection)

Yes

N/A

N/A

Server TLS certificate swapping

Yes-3

No

Yes-3

SHA256 hashes in events (Collection)

Yes-4

No

Yes-4

Support for FIPS

Yes

No

No

Tamper Detection

Yes

No

No

Tamper Protection

Yes

No

No

TLS JA3 and JA3S Fingerprinting

Yes

No

No

Note:

1 - The macOS sensor reports a file write event at the time a process opens the file. This event is based on the requested access mask. It is not based on actual writes. Even if the process does not write anything in the file, a file write event occurs.

2 - Currently available eBPF-based sensors (for RHEL/CentOS 8.0 and SUSE 12&15) do not support isolation or banning.

3 - TLS cert swapping support is for sensor versions Windows 6.2.3-win and macOS 6.2.5-osx and above.

4 - SHA-256 sensor support begins with 6.2.x sensors for both Windows and macOS. Check with Broadcom Carbon Black Support for any updates about other sensors that can generate this hash type.

SHA-256 hashes are reported in addition to MD5 hashes. They can be used to report information to the Event Forwarder (v3.4.0 or later) and are also displayed on relevant pages in the console. See https://github.com/carbonblack/cb-event-forwarder for information on installing and configuring the Event Forwarder. See Event Forwarder.