In many enterprise environments, virtualization administrators rely on snapshots as a primary method for quick recovery. For VMware Carbon Black EDR, snapshots are an effective way to back up both Master (Primary) and Minion nodes. This article outlines the supportability, best practices, and the critical distinction between machine-state snapshots and full data integrity as outlined in the official documentation.

CB EDR version: 7.8.1 +

While Carbon Black EDR provides built-in scripts for database backups, there has been a need to clarify the supportability of VM-level snapshots. Customers frequently ask if snapshots can replace traditional backups and whether they can exclude high-volume data directories (like Solr event cores) to save storage space.

The primary concern is maintaining a consistent state across the cluster. If a snapshot is restored improperly, the EDR cluster synchronization may break, and vital security event data may become corrupted or unsearchable.

VMware Carbon Black EDR supports snapshots for both Primary and Minion nodes. However, according to official guidelines, the effectiveness of a snapshot depends on the inclusion of the full data directory and the state of the services during the snapshot.

Full Data Snapshots (Recommended): To prioritize data integrity, cold snapshots should be performed without exclusions. As per the official backup procedures, a complete backup includes the entire /var/cb/ directory.