3. Unzip cbdefense_mirror_win_x64_v3.0_SamplesScripts.zip. The following sample files will be available:
   do_update.bat
   do_update_ssl.bat
4. Create a directory for the AV Signature Updates that will be served to endpoints, and copy the files above into it.
   Example:
   C:\inetpub\wwwroot\CBD_SignatureUpdates
5. Open do_update.bat and set 'outdir' to the path above (if SSL is to be used, edit do_update_ssl.bat instead).
   Example:
   SET outdir=C:\inetpub\wwwroot\CBD_SignatureUpdates
   NOTE: If SSL is being used, add "--no-dns-resolve" to the command lines in the do_update_ssl.bat or update_defs_ssl.sh script. See https://community.carbonblack.com/t5/Knowledge-Base/Endpoint-Standard-Mirror-server-will-not-connect-over-HTTPS/ta-p/112493 for more details.
6. Configure the Signature Mirror by running the update script from step 5 in an elevated command prompt.
   NOTE: Once do_update.bat has been run, the following folders will appear under the directory from step 4:
   32
   64
   ave2
   idx
   x_vdf
7. Launch Task Scheduler.
8. Right-click Task Scheduler Library and select 'Create Task'.
   A. Create Task > General tab
      Provide a Name and Description as desired.
      Select 'Run whether user is logged on or not' and 'Run with highest privileges'.
   B. Create Task > Triggers tab
      Add a New trigger to run 'Daily' at the desired start time.
      Set 'Repeat task every: 1 hour' and 'for a duration of: Indefinitely'.
      Check 'Enabled'.
      Click OK.
   C. Create Task > Actions tab
      Add New Action > Start a program.
      Set the Program/script to 'do_update.bat' from step 5 above (either via Browse or by pasting the path manually).
   D. Create Task > Conditions tab
      Check:
      'Start the task only if the computer is on AC power'
      'Stop if the computer switches to battery power'
      'Wake the computer to run this task'
   E. Create Task > Settings tab
      Check:
      'Allow task to be run on demand'
      'Run task as soon as possible after a scheduled start is missed'
      'If the task fails, restart every' > 1 minute, 'Attempt to restart up to' > 3 times
      'If the running task does not end when requested, force it to stop'
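The Task Scheduler configuration from step 8, expressed with the ScheduledTasks cmdlets that ship with Windows Server. This is an added example, not part of the Carbon Black sample package; the task name, the daily start time and the SYSTEM principal are assumptions, and the paths are the example values from steps 4 and 5.

```powershell
# Added example: registers the hourly signature-mirror update task from step 8.
# Run from an elevated PowerShell session on the mirror server.
#Requires -RunAsAdministrator

$OutDir   = 'C:\inetpub\wwwroot\CBD_SignatureUpdates'   # directory from step 4
$Script   = Join-Path $OutDir 'do_update.bat'            # script from step 5
$TaskName = 'CBD Signature Mirror Update'                # assumption: any name will do
$StartAt  = '00:00'                                      # assumption: daily start time

# Actions tab: start a program, with the mirror directory as working directory.
$action = New-ScheduledTaskAction -Execute $Script -WorkingDirectory $OutDir

# Triggers tab: daily, repeating every hour. The -Daily trigger does not accept
# -RepetitionInterval directly, so the repetition is built on a -Once trigger and
# copied across. Omitting -RepetitionDuration means "Indefinitely" on Windows
# Server 2016 and later; older builds may need -RepetitionDuration ([TimeSpan]::MaxValue).
$hourly  = New-ScheduledTaskTrigger -Once -At $StartAt -RepetitionInterval (New-TimeSpan -Hours 1)
$trigger = New-ScheduledTaskTrigger -Daily -At $StartAt
$trigger.Repetition = $hourly.Repetition

# Conditions and Settings tabs. The cmdlet defaults already give "start only on
# AC power", "stop if switching to battery", "allow run on demand" and "force
# stop if the task does not end when requested"; the switches add the remainder.
$settings = New-ScheduledTaskSettingsSet `
              -WakeToRun `
              -StartWhenAvailable `
              -RestartCount 3 `
              -RestartInterval (New-TimeSpan -Minutes 1)

# General tab: run whether the user is logged on or not, with highest privileges.
# SYSTEM is an assumption made for simplicity; a dedicated service account whose
# only write access is to $OutDir is the least-privilege choice.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
               -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Settings $settings -Principal $principal `
    -Description 'Pulls Carbon Black Cloud AV signature updates to the local mirror' -Force | Out-Null

# Run the task once now and report the result; the folders listed in step 6
# should appear under $OutDir when LastTaskResult is 0.
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 5
Get-ScheduledTaskInfo -TaskName $TaskName | Select-Object LastRunTime, LastTaskResult
```

Verify the registration against the GUI afterwards (Task Scheduler Library > the task name > Triggers should read "Daily, repeat every 1 hour indefinitely"), since the Repetition copy is the one part of this script whose behaviour varies by Windows build.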
9. Create IIS Website
   A. Open the IIS Manager.
   B. Right-click Sites and select Add Website.
   C. In the Site name field, type a label identifying this website as the AV Signature Update site (keep DefaultAppPool in the Application Pool field).
      Example:
      CBD_SignatureUpdates
   D. In the Physical Path field, type or browse to the directory from step 4 where the AV Signature Updates are placed.
      Example:
      C:\inetpub\wwwroot\CBD_SignatureUpdates
   E. Keep Type = http, IP address = All Unassigned, and Port = 80.
   F. In the Host name field, type the FQDN of the machine being used as the mirror server.
   G. Keep "Start Website immediately" checked.
   H. Click OK.
   I. Under Sites in the navigation pane, select the site name from above (9.C).
   J. Double-click Directory Browsing and click Enable.
10. Configure a new MIME type in IIS
   A. Double-click 'MIME Types'.
   B. Add a new MIME type for the extension '.idx' with type 'text/plain'.
11. Reset IIS from an admin command prompt by running this command:
   iisreset
12. Test the URL from step 9 by opening a browser and typing http://{host name from step 9.C}; you should see the folders from step 6.
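Steps 9 through 12 as an added PowerShell example using the WebAdministration module (installed with the IIS Management Scripts and Tools feature). This is not Carbon Black's own code: the site name and path are the example values from steps 4 and 9, and mirror.example.com is a placeholder for the FQDN from step 9.F. It also adds one hardening step the numbered procedure does not include: because the update scripts sit inside the served directory with directory browsing enabled, a request-filtering rule denies the .bat extension so the scripts themselves are not downloadable.

```powershell
# Added example: creates the mirror site (step 9), enables directory browsing,
# adds the .idx MIME type (step 10), resets IIS (step 11) and checks the listing (step 12).
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SiteName = 'CBD_SignatureUpdates'                       # label from step 9.C
$OutDir   = 'C:\inetpub\wwwroot\CBD_SignatureUpdates'   # directory from step 4
$HostName = 'mirror.example.com'                         # PLACEHOLDER: FQDN from step 9.F
$SitePath = "IIS:\Sites\$SiteName"

# Step 9: HTTP, port 80, all unassigned addresses, host header = FQDN, DefaultAppPool.
if (-not (Get-Website -Name $SiteName -ErrorAction SilentlyContinue)) {
    New-Website -Name $SiteName -PhysicalPath $OutDir -Port 80 `
        -HostHeader $HostName -ApplicationPool 'DefaultAppPool' | Out-Null
}

# Step 9.J: enable directory browsing so clients can list the signature folders.
Set-WebConfigurationProperty -PSPath $SitePath -Filter 'system.webServer/directoryBrowse' `
    -Name 'enabled' -Value $true

# Step 10: serve .idx files as text/plain (skip if the mapping already exists).
$idxMap = Get-WebConfiguration -PSPath $SitePath `
            -Filter "system.webServer/staticContent/mimeMap[@fileExtension='.idx']"
if (-not $idxMap) {
    Add-WebConfigurationProperty -PSPath $SitePath -Filter 'system.webServer/staticContent' `
        -Name '.' -Value @{ fileExtension = '.idx'; mimeType = 'text/plain' }
}

# Added hardening (not in the original steps): do_update.bat lives in the served
# directory, so deny the .bat extension at the request-filtering layer. The
# sensor only needs the signature folders, so this does not affect updates.
$batRule = Get-WebConfiguration -PSPath $SitePath `
             -Filter "system.webServer/security/requestFiltering/fileExtensions/add[@fileExtension='.bat']"
if (-not $batRule) {
    Add-WebConfigurationProperty -PSPath $SitePath `
        -Filter 'system.webServer/security/requestFiltering/fileExtensions' `
        -Name '.' -Value @{ fileExtension = '.bat'; allowed = $false }
}

# Step 11: restart IIS.
iisreset | Out-Null

# Step 12: the directory listing must show the folders created in step 6.
$expected = '32', '64', 'ave2', 'idx', 'x_vdf'
$listing  = (Invoke-WebRequest -Uri "http://$HostName/" -UseBasicParsing).Content
$missing  = $expected | Where-Object { $listing -notmatch "/$_/" }
if ($missing) { Write-Warning "Not visible in the listing: $($missing -join ', ')" }
else          { Write-Host "Mirror site is serving all expected folders." }

# Confirm the hardening rule: the script should no longer be retrievable.
try {
    Invoke-WebRequest -Uri "http://$HostName/do_update.bat" -UseBasicParsing | Out-Null
    Write-Warning 'do_update.bat is still downloadable; check the request-filtering rule.'
} catch {
    Write-Host 'do_update.bat is blocked by request filtering.'
}
```

The final check uses the FQDN rather than localhost because the site is bound to a host header; a request without that Host value lands on the Default Web Site instead, which would mask a misconfigured binding.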
13. Update Policy
   A. Log into the CBC Console.
   B. Go to Enforce > Policies.
   C. Click on the desired Policy's name.
   D. Click on the Local Scan tab.
   E. Ensure 'Allow Signature Updates' is set to Enabled.
   F. Add the URL for the Local Mirror Server to the 'Update Servers' settings for Internal and Offsite devices as desired.
   G. Check the box to the right of the desired URL to set it as the Preferred Server.
   H. Remove any URLs which are not desired.

Additional Information
The recommended schedule for pulling down updates is hourly.
A 2 GHz CPU and 4 GB of RAM are recommended for the Local Mirror server in order to service 10k endpoints.
We support the use of a mirror server's configuration in a policy, but we do not support the setup or maintenance of the server itself. Please use the sample scripts and high-level instructions to assist with the process, but be sure to follow best practices for securing IIS.
If a sensor is configured to go through the Sensor Gateway (SGW) to the cloud, and its policy is configured to download AV signatures from the mirror server, the sensor will reach the mirror server via the SGW appliance. Make sure that communication between the SGW and the mirror server is not blocked.