Skip to main content
Red Canary help

Installing and uninstalling the Carbon Black EDR (formerly CB Response) sensor on Linux

  • Updated .

Prerequisites

Prior to deploying the sensor, please ensure you have accounted for the following:

Configure the necessary AV exclusions

Configure your antivirus (AV) to ignore the following directories. More details can be found here.

Sensor 6.2.0 and lower

/var/lib/cb/*
/etc/init.d/cbdaemon
/etc/rc*/*cbdaemon
/usr/sbin/cbdaemon
/etc/sysconfig/modules/cbresponse.modules

Sensor 6.2.1 and higher

/etc/init.d/cbdaemon
/etc/sysconfig/modules/cbresponse.modules
/usr/sbin/cbdaemon
/opt/carbonblack/response/*
/var/opt/carbonblack/response/*

Configure the necessary network connectivity

The Carbon Black sensor communicates with the server using bidirectional authentication via port 443. All communications are outbound, sensor-to-server.

You can find your Carbon Black EDR server's sensor check-in address by clicking Endpoints > Deploy sensors > Linux > Cb Response.

Please be sure that this address is authorized at network egress points and that traffic is not subject to manipulation or TLS interception.

Determine which sensor version to install

Use the v6.1.x sensor if your environment consists of Oracle RHCK.

Installing Carbon Black EDR using a Golden Image

Use this installation method if you want to automate silent installations on many devices, including installations via a gold/master image.

To manually install the Carbon Black EDR sensor for Linux:

  1. Log into Red Canary.
  2. Download the sensor installer from Endpoints > Deploy sensors > RedHat/CentOS Linux > Cb Response.
  3. Copy the <install package name>.tar.gz file to the Linux endpoint.
  4. Untar the sensor install package to a temporary folder. 
    tar -zxvf <install file name>.tar.gz
  5. Install the sensor.

For golden images, once you install the sensor you will need to run the following commands:

sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plistSet
sudo rm -rf /var/lib/cb/store/MD5_*
sudo rm -rf /var/lib/cb/event.log*
echo 0 > /var/lib/cb/sensor.id

Once you have completed, save and deploy your image.

Installing Carbon Black EDR manually

Use this installation method if you want to install the sensor manually on a single endpoint.

To manually install the Carbon Black EDR sensor for Linux:

  1. Log into Red Canary.
  2. Download the sensor installer from Endpoints > Deploy sensors > RedHat/CentOS  Linux>Cb Response.
  3. Copy the <install package name>.tar.gz file to the Linux endpoint.
  4. Untar the sensor install package to a temporary folder. 
    tar -zxvf <install file name>.tar.gz
  5. From the extracted .tar.gz file, run the .sh file and then follow the installation prompts. This installs the Linux sensor using the configuration provided in the sensorsettings.ini file. 
    # ./<script-name-here>
  6. After this process is complete, the Linux sensor is installed and running. The Sensors page shows the sensor as registered and checking into the EDR server.

Uninstalling Carbon Black EDR

To uninstall manually using the command line:

Prior to 6.2 sensor version, run the following command:

/opt/cbsensor/sensoruninstall.sh


If you are running Linux sensor 6.2 or higher, run the following command instead

/opt/carbonblack/response/bin/sensoruninstall.sh

Comments

0 comments

Please sign in to leave a comment.