CB Defense: Are Background Scans Mandatory for High Availability Servers?

Article ID: 285567

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Are background scans mandatory for high availability servers?

Environment

  • CB Defense Sensor: 2.0.x.x and Higher
  • High availability servers, such as file servers, domain controllers, exchange servers
  • Policy: Background Scan enabled (Expedited or Standard)

Resolution

  • No. Cb Defense does not depend on background scans to protect servers or workstations.
  • High availability servers are protected by CB Defense whether or not the background scan finishes, and even if it never runs.
  • Background scan is designed to improve performance for pre-existing files when they later execute, by establishing their reputations in advance; protection does not depend on this functionality. Rather, Cb Defense relies on behavioral analytics and event stream prevention to keep machines protected.

Additional Information

  • Standard Background Scans should not affect performance, since they scan at most 20 files per minute, but Expedited Background Scans increase endpoint resource use and may affect machine performance
    • Expedited scan processes 100 files per minute and ignores device CPU load
      • CPU usage limits are ignored in favor of speed
    • Standard scan processes at most 20 files per minute and backs off when CPU shows the device is busy
      • Total system CPU must be below 50% and the CB Defense process must be using less than 15% CPU for the Background Scan to proceed
      • CPU usage is re-evaluated every second
  • It is at the system administrator's discretion to evaluate and test these settings, balancing security against availability to determine the optimal configuration
  • A Standard Background Scan takes about 34 days to scan 1,000,000 files at 20 files per minute. An Expedited Scan is intended to run at 5x that speed, roughly 7 days for the same file count, although its actual duration depends entirely on the machine's resources
  • The purpose of Background Scan is to detect and block the first execution of pre-existing malware files. While this helps, it is not a key tenet of CB Defense, because pre-existing files already had the opportunity to run before the sensor was installed, so any damage has already been done. For the same reason, to avoid the impact of the 'Delay execute for Cloud Scan' policy setting, the sensor treats a file's pre-existing reputation as a condition to skip stalling that process.
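To make the pacing rules above concrete, the following Python model applies the article's figures (20 and 100 files per minute, the 50% total CPU and 15% sensor CPU thresholds, one-second re-evaluation) to a constructed per-second CPU trace and reports how long a scan takes and how long it spends paused. This is an added illustration written for this article, not CB Defense sensor code; the function names and the busy/idle CPU pattern are assumptions made for the example, and a real deployment would feed performance-counter samples instead.

```python
"""Model of the CB Defense background-scan pacing rules stated in this article.

Added illustration only: this is not CB Defense sensor code. The rates
(20 and 100 files per minute), the CPU thresholds (total system CPU below
50%, sensor process below 15%) and the one-second re-evaluation interval
come from the article; everything else (function names, the CPU trace) is
constructed for the example.
"""
from itertools import cycle
from typing import Iterable, Iterator, Tuple

STANDARD_FILES_PER_MIN = 20    # Standard scan ceiling, per the article
EXPEDITED_FILES_PER_MIN = 100  # Expedited scan rate; ignores CPU load
TOTAL_CPU_LIMIT = 50.0         # Standard scan runs only while total CPU is below this
SENSOR_CPU_LIMIT = 15.0        # ...and the sensor process is below this


def standard_scan_may_run(total_cpu_pct: float, sensor_cpu_pct: float) -> bool:
    """Back-off rule for the Standard scan: both conditions must hold."""
    return total_cpu_pct < TOTAL_CPU_LIMIT and sensor_cpu_pct < SENSOR_CPU_LIMIT


def unthrottled_days(file_count: int, files_per_min: int) -> float:
    """Best-case duration in days if the scan is never paused."""
    return file_count / files_per_min / 60 / 24


def constructed_cpu_trace(busy_seconds: int = 30,
                          idle_seconds: int = 30) -> Iterator[Tuple[float, float]]:
    """Constructed per-second (total_cpu, sensor_cpu) samples: a repeating
    busy/idle cycle standing in for real performance-counter data."""
    pattern = [(70.0, 5.0)] * busy_seconds + [(20.0, 5.0)] * idle_seconds
    return cycle(pattern)


def simulate_scan(file_count: int,
                  cpu_trace: Iterable[Tuple[float, float]],
                  expedited: bool) -> Tuple[int, int]:
    """Step one second at a time (the article's re-evaluation interval) and
    return (seconds_elapsed, seconds_paused) until file_count files are done.

    Progress is counted in files-per-minute units per second so the arithmetic
    stays exact: 60 seconds of scanning at rate r completes exactly r files.
    """
    rate = EXPEDITED_FILES_PER_MIN if expedited else STANDARD_FILES_PER_MIN
    target = file_count * 60
    progress = 0
    elapsed = paused = 0
    for total_cpu, sensor_cpu in cpu_trace:
        if progress >= target:
            break
        elapsed += 1
        # Expedited ignores CPU entirely; Standard only advances when idle enough.
        if expedited or standard_scan_may_run(total_cpu, sensor_cpu):
            progress += rate
        else:
            paused += 1
    return elapsed, paused


if __name__ == "__main__":
    files = 1_000_000
    print(f"Standard, never paused:  {unthrottled_days(files, STANDARD_FILES_PER_MIN):.1f} days")
    print(f"Expedited, never paused: {unthrottled_days(files, EXPEDITED_FILES_PER_MIN):.1f} days")
    # A server that is busy half the time doubles the Standard scan's wall-clock
    # time, while the Expedited scan is unaffected.
    for mode in (False, True):
        elapsed, paused = simulate_scan(600, constructed_cpu_trace(), expedited=mode)
        print(f"{'Expedited' if mode else 'Standard'}: 600 files in {elapsed}s, paused {paused}s")
```

The busy/idle trace makes the practical point behind the article's numbers: because the Standard scan yields whenever the host is busy, its 34-day estimate is a floor on a loaded file server or domain controller, whereas the Expedited scan holds its pace at the cost of competing with the workload.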