How does the Carbon Black Cloud (Endpoint Standard) Sensor "Background Scan" and "Local Scan" work? What are the differences between the two? Also, where does CB store the logs for the AV Scans?
Carbon Black Cloud Endpoint Standard
The Carbon Black Sensor does not do traditional AV scans the way we would normally think about them. In fact, the only full scan that the Sensor does is a low-resource "Background Scan" when the Sensor is installed/initialized on the endpoint. The Background Scan is a one-time scan that is performed on the local endpoint.
This scan can take up to 5 days to complete on a typical endpoint, and can even take up to a month or more on larger servers (like a database server, for example). The Background Scan is run in order to inventory all known file hashes on the endpoint. The Sensor then builds a working database of all known hashes on the endpoint. If the Background Scan encounters a known or suspected malicious hash, an Alert will be generated in the CBC console. These Alerts can be found in the CBC console on the left navigation menu under "Alerts."
The Background Scan can be configured in the CBC console. The settings are found on the left navigation menu in Enforce > Policies > Sensor tab.
- The Standard Background Scan runs in a low-priority mode to consume low system resources and pauses when the system resources are needed by other processes. The standard background scan processes 20 files per minute at maximum. The time to complete depends on the available system resources and the number of files on the system being scanned.
- The Expedited Background Scan runs in a high-priority mode and consumes extra resources to complete. The expedited background scan is optimized for speed and processes 100 files per minute. The time to complete depends on the available system resources and the number of files on the system being scanned.
NOTE: You can have the Background Scan run again by using the repcli commands on the local endpoint, or via the Carbon Black Console. There are NOT any local scan logs that are created or stored on the endpoint for the Background Scan. However, Windows does keep a record of the current Background Scan status. To see these entries, go to Windows Event Viewer > Windows Logs > Application. The logs will look similar to this:
If you have Local Scanning enabled, the Sensor will check the hash of each new file before it allows the file to execute. The Sensor builds a local Reputation database that lives on that endpoint, and the Local Scan pulls from that local Reputation database to see if it already has a reputation on file for that hash.
If it does have a reputation for that hash, then it will Allow or Deny execution of that file based on that reputation that it has in that local Reputation database. Finally, it will check your Policy rules and Ban or Allow that file based on those Policy rules.
If Local Scan is disabled, then it will run all hashes through the cloud to check the reputation before that file is allowed to execute. Finally, it will either Ban or Allow that file based on your Policy rules.
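As an added illustration (not Carbon Black's code), here is a simplified Python model of the decision flow just described: reputation comes from the local database when Local Scan is enabled and the hash is already known, otherwise from the cloud, and Policy rules are applied last. The reputation labels, hash values and the in-memory "local database" are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed cloud reputation table (placeholder hashes, not real IoCs).
CLOUD_REPUTATION = {
    "aaaa1111": "KNOWN_GOOD",
    "bbbb2222": "KNOWN_MALWARE",
}

def cloud_lookup(file_hash: str) -> str:
    """Stand-in for the cloud reputation service; unknown hashes get UNKNOWN."""
    return CLOUD_REPUTATION.get(file_hash, "UNKNOWN")

@dataclass
class SensorModel:
    local_scan_enabled: bool
    lookup: Callable[[str], str] = cloud_lookup
    policy_rules: Dict[str, str] = field(default_factory=dict)  # hash -> "ALLOW" | "DENY"
    local_db: Dict[str, str] = field(default_factory=dict)      # hash -> reputation
    history: List[Tuple[str, str, str]] = field(default_factory=list)
    cloud_calls: int = 0

    def reputation(self, file_hash: str) -> str:
        # With Local Scan on, a hash already in the local database never goes to the cloud.
        if self.local_scan_enabled and file_hash in self.local_db:
            return self.local_db[file_hash]
        self.cloud_calls += 1
        rep = self.lookup(file_hash)
        if self.local_scan_enabled:
            self.local_db[file_hash] = rep  # build the local reputation database
        return rep

    def decide(self, file_hash: str) -> str:
        rep = self.reputation(file_hash)
        decision = "DENY" if rep == "KNOWN_MALWARE" else "ALLOW"
        # Policy rules are checked last and override the reputation verdict.
        decision = self.policy_rules.get(file_hash, decision)
        self.history.append((file_hash, rep, decision))  # the only per-file "record" kept here
        return decision

if __name__ == "__main__":
    sensor = SensorModel(local_scan_enabled=True, policy_rules={"aaaa1111": "DENY"})
    for h in ("aaaa1111", "bbbb2222", "aaaa1111", "cccc3333"):
        print(h, sensor.decide(h))
    print("cloud calls:", sensor.cloud_calls)
```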
NOTE: There are NO Local Scan logs that are generated and stored on the local endpoint. However, if you grab the confer.log on the local endpoint, it will show a history of all of the files that it has encountered and whether they were Allowed or Denied. This file can be found in C:\Program Files\Confer. You can also check the Investigate page on the Carbon Black console. This Investigate page will show a record for the endpoint of all of the hashes that the Sensor has encountered.
NOTE: The Local Scan does not apply to Linux or Mac endpoints. Neither Linux nor Mac has the Local Scanner; they rely on the cloud for all of their Reputation scoring.
Bottom line, there is NOT a traditional "always on" background AV scan that shows a history of all of the scanning being done, because that's not how the Sensor works.
The Sensor decides on each file hash whether or not that file is allowed to execute based on Reputation and Policy rules.