Endpoint Standard: How to configure Automatic Updates for Local Scan
search cancel

Endpoint Standard: How to configure Automatic Updates for Local Scan

book

Article ID: 285593

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Provide steps to enable and disable automatic updates and setting the frequency and randomization of updates for the Signature Files for the Local Scanner

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard (formerly CB Defense)
  • Carbon Black Cloud Sensor: 2.0.1.x and Higher
  • Microsoft Windows: All Supported Versions

Resolution

  1. Log into CB Cloud Console
  2. Go to Enforce > Policies
  3. Click on desired Policy name
  4. Click on Local Scan tab
  5. Under Scanner Config section set On Access File Scan Mode to Enabled or Aggressive 
  6. Under Signature Updates section set Allow Signature Updates (Enabled/Disabled) to turn automatic updates on or off
  7. Set Frequency (2, 4, 8, 12, 24 hours) to desired amount of time between checks for and downloads of new files
  8. Set Staggered Update Randomization Window (1, 2, 3, 4, 5, 6, 7, 8 hours) to desired time to avoid all Sensors attempting to download at same time per Policy
  9. Click Save button to save changes

Additional Information

  • Best Practice is to set Frequency and Staggered Update Randomization Window to 2 hours and 1 hour, respectively, in order to stay as updated as possible
  • The steps above only impact one Policy at a time and should be repeated for all desired Policies
  • Disabling Signature Updates (Allow Signature Updates > Disabled) will stop Sensors in the designated Policy from pulling down updated signature files, and they will begin to show as out-of-date (red triangle) in the Sig column on the Endpoints page one week after disabling unless or until these updates are re-enabled
  • The Frequency and Staggered Update Randomization Window (sometimes called Jitter Window) settings should be considered together, as setting Frequency to 4 hours and Randomization to 4 hours would mean Sensors not getting updated Signature Files should not be of concern until at least 8 hours have elapsed from the previous update check/install
  • If network bandwidth consumption is a concern, consider setting up a Local Mirror Server
  • An initial, offline Signature Pack is available for download from Endpoints > Sensor Settings > Download sensor kits > AV Signature Pack, this is intended for initial deployment to get the first set of signatures installed with a Sensor and should not be considered a means to keep signatures updated as these packs are updated infrequently
  • Automatic Updates should be the primary means of keeping signature files updated