The following table describes whether certain features are available on Carbon Black EDR sensors.
Feature |
Windows |
Linux |
macOS |
|---|---|---|---|
Binaries (Collection) |
Yes |
Yes |
Yes |
Binary Info (Collection) |
Yes |
Yes |
Yes |
BinaryModule loads (Collection) |
Yes |
Yes |
Yes |
Carbon Black Live Response |
Yes |
Yes |
Yes |
Child Process events (Collection) |
Yes |
Yes |
Yes |
Compatibility Control |
No |
No |
Yes |
Cross Process events (Collection) |
Yes |
No |
No |
Retention Maximization |
Yes |
No |
Yes |
Diagnostics collection with SensorDiags |
Yes |
Yes |
Yes |
Disable sensor operation events |
Yes |
No |
No |
EMET events (Collection) |
Yes |
N/A |
N/A |
File modifications (Collection) |
Yes |
Yes |
Yes-1 |
Global VDI Support |
Yes |
Yes |
Yes |
Hash Banning |
Yes |
Yes-2 |
Yes |
Hash Banning Allow List (restrictions) |
Yes |
No |
No |
Improved proxy support: WPAD & PAC files |
Yes |
No |
No |
Known DLLs (Dylib/Mac) Filtering |
Yes |
No |
Yes |
Network Connections (Collection) |
Yes |
Yes |
Yes |
Network Connections for IPv6 (Collection) |
Yes |
Yes |
Yes |
Network Isolation |
Yes |
Yes-2 |
Yes |
Non-Binary File Writes (Collection) |
Yes |
Yes |
Yes |
ODX Support |
Yes |
N/A |
N/A |
Process Information (Collection) |
Yes |
Yes |
Yes |
Process user context (Collection) |
Yes |
Yes |
Yes |
Proxy Support (unofficial support) |
Yes |
Yes |
Yes |
Registry modifications (Collection) |
Yes |
N/A |
N/A |
Server TLS certificate swapping |
Yes-3 |
No |
Yes-3 |
SHA256 hashes in events (Collection) |
Yes-4 |
No |
Yes-4 |
Support for FIPS |
Yes |
No |
No |
Tamper Detection |
Yes |
No |
No |
Tamper Protection |
Yes |
No |
No |
TLS JA3 and JA3S Fingerprinting |
Yes |
No |
No |
1 - The macOS sensor reports a file write event at the time a process opens the file. This event is based on the requested access mask. It is not based on actual writes. Even if the process does not write anything in the file, a file write event occurs.
2 - Currently available eBPF-based sensors (for RHEL/CentOS 8.0 and SUSE 12&15) do not support isolation or banning.
3 - TLS cert swapping support is for sensor versions Windows 6.2.3-win and macOS 6.2.5-osx and above.
4 - SHA-256 sensor support begins with 6.2.x sensors for both Windows and macOS. Check with Broadcom Carbon Black Support for any updates about other sensors that can generate this hash type.
SHA-256 hashes are reported in addition to MD5 hashes. They can be used to report information to the Event Forwarder (v3.4.0 or later) and are also displayed on relevant pages in the console. See https://github.com/carbonblack/cb-event-forwarder for information on installing and configuring the Event Forwarder. See Event Forwarder.
