Skip to main content
Red Canary help

Installing and uninstalling the Carbon Black EDR (formerly CB Response) sensor on Windows

  • Updated .

Prerequisites

Prior to deploying the sensor, please ensure you have accounted for the following:

Configure the necessary AV exclusions

Configure your antivirus (AV) to ignore the following directories. More details into that can be found here.

%WINDIR%\CarbonBlack\*
%WINDIR%\CarbonBlack\cb.exe

Configure the necessary network connectivity

The Carbon Black sensor communicates with the server using bidirectionally authenticated Transport Layer Security (TLS) via port 443. All communications are outbound, sensor-to-server.

You can find your Carbon Black EDR server's sensor check-in address by clicking Endpoints > Deploy sensors > Windows > Cb Response.

Please be sure that this address is authorized at network egress points and that traffic is not subject to manipulation or TLS interception.

Determine which sensor version you will install

Use the v6.1.x sensor if your environment consists of legacy Windows (XP, Vista, Windows 7, Server 2003/2008) operating systems. This will ensure proper sensor-to-server communication since legacy Windows only supports TLS 1.0 and the newer v6.2.x no longer supports TLS 1.0.

Installing Carbon Black EDR using a deployment tool

Use this installation method if you want to automate silent installations on many devices, including installations via a deployment tool such as Windows System Center Configuration Manager (SCCM).

To automatically install the Carbon Black EDR sensor for Windows:

  1. Log into Red Canary.
  2. Download the sensor installer from https://<subdomain>.my.redcanary.co/sensor?sensor_type=msi. 
  3. Extract the downloaded archive file. The GPO_README.txt file contains instructions for creating a group policy object (GPO) software deployment policy to deploy the sensor.
  4. Run or configure your deployment tool to use the following command:
    msiexec.exe /i cbsetup.msi /qn

Note: To meet the code-signing requirement for software deployment policies, the installer utilizes both an "outer" and "inner" installer, where the outer installer is digitally signed. As a result, two items will be present in Add/Remove Programs.

Required reboots: Software deployment policy requires that the system restart if certain types of actions take place. While the Carbon Black sensor does not require a system restart at the time of installation, the software deployment policy will require a reboot before installation completes. 

Installing Carbon Black EDR manually

Use this installation method if you want to install the sensor manually on a single endpoint.

To manually install the Carbon Black EDR sensor for Windows:

  1. Log into Red Canary.
  2. Download the sensor installer from Endpoints > Deploy sensors > Windows > Cb Response > Download the default Windows sensor.
  3. Run or configure your deployment tool to use the following command:
    CarbonBlackClientSetup.exe

To silently install the sensor, add the /S flag.

After installation, the sensor will run silently and will be invisible to the user. To validate that the sensor is running on the host, run this command at a command prompt:

sc query carbonblack
sc query carbonblackk

Uninstalling Carbon Black EDR

To uninstall from the Control Panel:

  1. Open the Windows Control Panel.
  2. Click Uninstall a Program.
  3. Choose Carbon Black Sensor and uninstall it.

To uninstall manually installed/exe sensors using the command line:

  1. Run the following command:
    %windir%/CarbonBlack/uninst.exe /S 

To uninstall group policy installed/msi sensors using the command line:

  1. Run the following command:
    msiexec /x path:\sensor.msi
    Or
    msiexec /x {guid}

Related articles

Comments

0 comments

Please sign in to leave a comment.