Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)
Issue/Introduction
Is access to content.carbonblack.io required?
Environment
Carbon Black Cloud Console: All Versions
Endpoint Standard
Enterprise EDR
Audit and Remediation
Managed Detection/Managed Detection & Response
Prevention
Workload Protection
Device Protection
Host Based Firewall
XDR
Carbon Black Cloud Sensor (Linux): v2.12.x.x and Higher
Carbon Black Cloud Sensor (macOS): v3.5.3.x and Higher
Carbon Black Cloud Sensor (Windows): v3.6.0.x and Higher
Apple macOS: All Supported Versions
Linux: All Supported Versions
Microsoft Windows: All Supported Versions
Resolution
Yes
In the sensor versions called out above, Enterprise EDR, AMSI Prevention, Unified Binary Store, Device Protection, Host Based Firewall, and XDR must be able to access content.carbonblack.io in order to function correctly
More sensor functions (both new and pre-existing) are expected to rely on content.carbonblack.io in future sensor updates
Additional Information
Although TCP is bi-directional/full duplex, only an outbound allow rule for traffic to content.carbonblack.io is required from the sensor's perspective: the sensor initiates the TCP handshake, and the perimeter stateful firewall should track the session, perform NAT, and route the return traffic accordingly
The Unified Binary Store (UBS) is a centralized service that is part of the Carbon Black Cloud
UBS is responsible for storing all binaries and corresponding metadata (e.g. Signed, Product, CA and Publisher) for those binaries
UBS is included with Enterprise EDR
Microsoft Anti-Malware Scan Interface (AMSI) prevention and visibility extends default prevention capabilities for script-based Windows attacks by dynamically leveraging AMSI metadata to define and configure prevention logic
AMSI prevention rules are being crafted by VMware Carbon Black’s Threat Analysis Unit to include frequently used off-the-shelf attacker frameworks that are regularly seen in script-based attacks
AMSI prevention is packaged with Endpoint Standard, but it is only supported on Windows 10 and greater and requires sensor version 3.6 and above
The content above and future functionality is made available via content manifests from content.carbonblack.io
content.carbonblack.io is only available via port 443
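As an added example (not Carbon Black's own tooling), the following Python check confirms that a host can initiate the outbound TCP 443 connection and complete a TLS handshake to content.carbonblack.io, and reports which layer to investigate when it cannot. The host and port defaults come from this article; the function names and the failure categories are assumptions of this example.

```python
import socket
import ssl

# Assumed defaults for this added check (the article states the host and port 443).
CONTENT_HOST = "content.carbonblack.io"
CONTENT_PORT = 443


def classify_failure(exc: BaseException) -> str:
    """Map a connection error to the layer a defender should look at first."""
    if isinstance(exc, socket.gaierror):
        return "dns"       # name did not resolve: DNS or proxy configuration
    if isinstance(exc, ssl.SSLError):
        return "tls"       # TCP worked, handshake did not: commonly SSL inspection
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "blocked"   # silent drop: outbound 443 is likely filtered
    if isinstance(exc, ConnectionRefusedError):
        return "refused"   # active reject from a proxy, firewall or closed port
    return "other"


def check_egress(host: str = CONTENT_HOST, port: int = CONTENT_PORT,
                 timeout: float = 5.0) -> dict:
    """Initiate a TCP connection and a TLS handshake, as the sensor would.

    Only outbound traffic is generated; the stateful firewall is expected
    to admit the return path. Returns {'ok': bool, 'stage': str, ...}.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                version = tls.version()
    except OSError as exc:  # every failure classified above derives from OSError
        return {"ok": False, "stage": classify_failure(exc), "error": str(exc)}
    # The peer certificate subject is a tuple of RDNs, each a tuple of (key, value) pairs.
    subject = dict(field[0] for field in cert.get("subject", ()))
    return {"ok": True, "stage": "ok", "tls_version": version,
            "subject_cn": subject.get("commonName")}


if __name__ == "__main__":
    result = check_egress()
    print(result)
    raise SystemExit(0 if result["ok"] else 1)
```

A "tls" result with a certificate verification error usually means an SSL-inspecting proxy is re-signing the connection, which the sensor's trust store will not accept.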