I have a question about what the CB EDR sensor collects and stores locally. What is the purpose of the following paths?
VMware Carbon Black EDR
The sensor is designed to collect binaries that have executed since the sensor has been installed. These are generally files that have a binary header:
- Windows Portable Executable (PE) - (EXEs, DLLs, SYS)
- OSX binaries (Mach-O)
- Linux Executable and Linkable (ELF)
The sensor does not collect scripts, batch files, or any computer files that are created or modified. What does get collected is the metadata that is associated with the files such as file names and paths that they were created or modified in. The local binary store temporarily keeps copies of these binaries. Upon the sensor checking into the EDR server, a copy of the collected binaries will be send to be stored long term. Additionally, a file containing the metadata for each executed binary is passed along to the server. This metadata includes:
- Size in bytes
- Internal version information (file version, product version, etc.)
- Digital signature information (signature status, digital signer, revocation status,
Binaries that are larger than 25MB, only the first 25MB of the binary is captured. All binaries that are collected by the sensor are compressed before being transmitted to the EDR server.
The path of C:/Windows/CarbonBlack/store contains copies of binaries that have not yet been shared with the EDR server as well as a catalog of all observed binaries.
- Any observed binary will be copied and stored in this location.
- Binaries will persist in the directory until the sensor checks in to the server.
- If the server does not have a copy of the binary, it is uploaded from the endpoint.
- If the server already has a copy of the binary, nothing is uploaded.
- Binary copies are then purged from the directory after check-in.
The path of C:\Windows\CarbonBlack\store\catalog is used by the sensor to store a list of hashes that have been seen on the endpoint.
Please sign in to leave a comment.