What is the Estimated Resource Utilization Per Sensor
Article ID: 291548
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
EDR resource utilization and network throttling
Environment
EDR Sensors: All Versions
Resolution
Resource Utilization:
The Carbon Black EDR sensor is designed to have no performance impact. Endpoint activity levels might impact actual values. Typical ranges for the impact of the Carbon Black EDR sensor are as follows:
● CPU – < 5% CPU usage, depending on system activity
● Memory – 12-50 MB RAM
● Disk Storage – The sensor regularly sends data to the server, requiring minimal storage on the endpoint (500 KB to 3 MB). If the sensor cannot communicate with the server, data queues up to an adjustable threshold (2 GB by default, an expected 30-60 days of activity on a normal system). The data is synced when server communications are reestablished.
Network Bandwidth: It is difficult to predict the actual network traffic that Carbon Black EDR requires. Network bandwidth depends on many factors, including sensor activity and the number of unique binary files that are uploaded to the server. Apply the following estimates:
Per endpoint:
1-4 kilobits per second (kbps) per host.
10-40 megabytes (MB) per host per day
The following table shows server-side expected average network traffic based on sensor activity estimates (not including network usage for uploading unique binaries to the server):
Throttling can be configured per site via sensor groups, per hour, per day.
Throttling limits bandwidth from a group of sensors. Throttling is often used on low-bandwidth sites or sites that are bandwidth-constrained at certain times of day.
The trade-off when throttling is invoked is a delay in data sent back to the central server for analysis against watchlists, and the availability of the data in the console.
Console users can override the network throttle by enabling sync to any individual host. This override instructs the host to ignore any configured throttles and immediately send all data.
Throttles shape the volume of traffic to the server from sensors at particular times. They do not reduce overall traffic. To reduce traffic, you can limit the collection of certain types of events per process on a per-sensor-group basis. For more about sensor groups, see the VMware Carbon Black EDR User Guide.
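A simplified planning model of the throttling trade-off described above, added here as an example; it is not VMware or Carbon Black code and not the product's throttling algorithm. The host count, the per-hour cap schedule and the constant per-host rate are assumptions; only the 1-4 kbps per-host range comes from this article.

```python
from collections import deque

SECONDS_PER_HOUR = 3600


def daily_mb_per_host(kbps):
    """Sustained kilobits/s -> megabytes/day (1 kb = 1000 bits, 1 MB = 10**6 bytes)."""
    return kbps * 1000 * 86400 / 8 / 1_000_000


def kbit_to_mb(kbit):
    return kbit * 1000 / 8 / 1_000_000


def simulate_throttle(hosts, kbps_per_host, cap_kbps_by_hour, days=1):
    """Hour-by-hour backlog for one sensor group behind a per-hour throttle.

    Assumed model (not the product's algorithm): every host produces data at a
    constant rate, the group may send at most cap_kbps_by_hour[h] during hour h
    (None = unthrottled), and unsent data queues on the endpoints, oldest first.
    """
    queue = deque()  # [hour_generated, kbit_still_unsent]
    generated = sent = peak = 0
    worst_delay = 0
    for hour in range(24 * days):
        produced = hosts * kbps_per_host * SECONDS_PER_HOUR
        generated += produced
        queue.append([hour, produced])
        cap = cap_kbps_by_hour[hour % 24]
        budget = float("inf") if cap is None else cap * SECONDS_PER_HOUR
        while queue and budget > 0:
            chunk = queue[0]
            take = min(chunk[1], budget)
            chunk[1] -= take
            budget -= take
            sent += take
            if chunk[1] == 0:  # this hour's data has fully reached the server
                worst_delay = max(worst_delay, hour - chunk[0])
                queue.popleft()
        peak = max(peak, sum(c[1] for c in queue))
    return {"generated_mb": kbit_to_mb(generated), "sent_mb": kbit_to_mb(sent),
            "peak_backlog_mb": kbit_to_mb(peak), "worst_delay_hours": worst_delay}


if __name__ == "__main__":
    # Constructed site: 500 hosts at the article's upper estimate (4 kbps each),
    # group capped at 500 kbps from 08:00 to 18:00 and unthrottled otherwise.
    schedule = [500 if 8 <= h < 18 else None for h in range(24)]
    print(daily_mb_per_host(1), daily_mb_per_host(4))
    print(simulate_throttle(500, 4, schedule))
    print(simulate_throttle(500, 4, [None] * 24))
```

In the constructed case the same daily volume reaches the server with or without the throttle; the cap only defers it, which is the delay in watchlist analysis and console availability that the article describes.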
Maximum sensor check-in rate can be configured through SensorCheckingDelayRate in cb.conf.
The default value is 100, which corresponds to a maximum 100 check-ins/second/server node. Reducing this value reduces check-in network traffic, but also reduces how often sensors send statistics and retrieve configuration changes.
Additional Information
macOS and Linux sensors can drive higher bandwidth utilization because of the number of processes that are generated on those endpoints.