On May 27, 2020, a signature update will be released which will result in a one-time download of 40-50MB per endpoint. This article describes how to prepare for this update for organizations where there are network bandwidth concerns.

• Carbon Black Cloud (CB Cloud) Console: All Versions
  • Endpoint Standard (formerly CB Defense)
• Carbon Black Cloud Sensor: 2.0.1.x and Higher
• Microsoft Windows: All Supported Versions
• Automatic Signature Updates are Enabled in Policy settings
• Local Mirror Server not used in Policy settings
• Weak or unstable internet connections for endpoints

Apply one of the following two Solutions:

A.) Configure a Local Mirror Server no later than 26-May-2020
https://community.carbonblack.com/t5/Knowledge-Base/CB-Defense-Getting-Started-with-Local-Mirror-Servers/ta-p/33594 B.) Disable Automatic Updates and deploy Standalone Signature Pack to prepare for incremental updates
WARNING: Do not deploy the updated Standalone Signature Pack installer without disabling Automatic Signature Updates (prior to 28-May-2020) as this will result in full download upon switching to new signature format on 27-May-2020 defeating the purpose of the solution.

1. Disable Automatic Signature Updates at the latest 11:59pm UTC 26-May-2020
2. Download standalone Signature Pack installer (20200504 in drop-down, CbDefenseSig-20200504.exe once downloaded; available on 19-May-2020)
3. Deploy standalone installer via preferred method (manual, app management tool, etc.)
4. Re-enable Automatic Signature Updates no earlier than 12:00am UTC 28-May-2020

• This Signature Update mentioned in this article reduces memory utilization and improves overall performance of the Local Scanner component of the CB Cloud Windows Sensor
• By default, Automatic Signature Updates are downloaded over the internet by each Sensor, utilizing a Local Mirror Server shifts the external (internet) download to this server, and all Sensors in the designated Policy then download those updates across the local network (intranet)
• May also consider increasing the Frequency for Signature Updates to a larger value
• If the Last Check-In date/time on the Endpoints page for a given device is more than 10-15 minutes old, there are likely communications issues with that device, which should be investigated on their own and not considered an issue with the standalone installer
• Running `repcli status` before and after running the standalone installer is one of the simplest ways to double-check that it ran successfully by comparing the ave and vdf versions
• The next time the Sensor is set to check into the Console can also be found via `repcli status`, after which you can refresh the Endpoints page to verify it has updated successfully

  Example
  C:\> "C:\Program Files\Confer\RepCLI.exe" status | findstr "Version Next"
  Sensor Version[3.4.0.1097...]
  Local Scanner Version[4.11.0.307 - ave.8.3.60.14:avpack.8.5.0.48:vdf.8.18.0.154:apc.2.10.0.110]
  Next Check-In[1 min 26 sec]

• Once the standalone installer has been applied and the Console has received the updated information, the Sensor will show out-of-date (red-triangle) in the Sig column since the version reported is not present on the update server (http[s]://updates2.cdc.carbonblack.io/updates2), and will remain showing this way until Automatic Signature Updates are reenabled and the Sensors pull down updated signatures from the server
  
• Apc and Api values change but ave.8.3.60.14:avpack.8.5.0.48:vdf.8.18.0.154: are static when the signature updates are disabled in the policy. These values verify that the signature pack has been installed
• The vdf files in data_1 and Data_2 from the signature pack install will be dated Monday, ‎May ‎04, ‎2020.