
Jan 2020

VMware Carbon Black Cloud for Endpoint Security

This article shows how I used VMware Carbon Black Cloud, purely as a showcase, to secure desktops running on VMC on AWS.

VMware Carbon Black Cloud is a cloud-native endpoint protection platform (EPP). It provides what you need to secure your endpoints, using a single lightweight agent and an easy-to-use console.

VMware Carbon Black provides:

  • Superior Protection
  • Actionable Visibility
  • Simplified Operations
[Image: VMworld 2019 announcement slide, "VMware Carbon Black Cloud. Built-in. Unified. App & Threat Context." One lightweight agent for endpoints and workloads]

First, let’s take a look at the console. It is a web-based console hosted in an AWS datacenter; you can log in via SSO or with e-mail and password. The dashboard gives you a good overview of what is going on, including any events or issues.

[Screenshot: Carbon Black Cloud dashboard. Navigation: Dashboard, Alerts, Investigate, Enforce, Endpoints, Settings. Panels: Getting Started (add console administrators, send sensor installation requests, view deployed sensors), Attacks Stopped, Potentially Suspicious Activity (Non-Malware, Potential malware, Malware, PUPs), Attack Stages (Recon, Weaponize, Deliver/Exploit, Install/Run, Cmd+Ctrl, Execute Goal), Email, Web]

Let’s start getting CB rolling by defining some policy groups. In a policy group you can define all kinds of settings: what should happen if something gets detected, or simple things like when the system should be scanned. To create a new policy, go to Enforce and then Policies.

[Screenshot: Enforce > Policies. "Use policies to define and prioritize rules for how applications can behave on groups of devices." Existing policies: Monitored, Standard, Advanced, LiveOps Test. Buttons: New Policy, Duplicate Policy, Delete Policy. Policy tabs: General, Prevention, Local Scan, Sensor. New policy "Monitored", description "Monitor only, NO prevention."]

Add a new policy, name it, add a description and copy the settings from the Standard policy group.

Perfect, now we can make some modifications. For example, we can change what should happen if a known malware process is running. By default the process is terminated. It is even possible to terminate the process when it tries to communicate over the network.

[Screenshot: Prevention tab, "Use these rules to configure how sensors control process behavior". Sections: Permissions ("Allow specific operations or bypass application activity entirely. Takes precedence over blocking and isolation settings below.") and Blocking and Isolation ("Deny or terminate processes and applications."). Process: Known malware. Operation attempts: Runs or is running; Communicates over the network; Scrapes memory of another process; Executes code from memory; Invokes an untrusted process; Invokes a command interpreter; Performs ransomware-like behavior; Executes a fileless script; Injects code or modifies memory of another process. Actions: Deny operation, Terminate process]

You can also change the local scan settings: on-access file scanning, scan frequency and more. Keep this in mind if you have to exclude specific files or folders from on-access scanning.

On the last tab, “Sensor”, you can edit the sensor settings for the client. I will deploy CB to our demo and test environment, so in this case I allow users to disable protection. Usually you will not allow the user to disable the security! Guess what: if users can disable it, most of them will.

Next we need to create an endpoint group. In endpoint groups you can define different policies or criteria to separate different workloads and assign them automatically to a policy. To do this, go to the “Endpoints” section on the left side and add a new group.

[Screenshot: Endpoints > Sensor Groups. Group "VMC Lab (Thomas)": OS: Any; Policy: VMC Horizon Policy; Sensors: 2; Criteria: Subnet starts with "172.30.120". Device list columns: Status, Device Name, User, OS, Sensor, Sig, Policy, Last Check-in. Two devices (Windows 10 x64 and Windows Server 2016 x64, sensor 3.4.0.1086, policy VMC Horizon Policy, last check-in Nov 22, 2019)]

It makes sense to separate different workloads such as Horizon and web servers. You can set criteria like IP range or operating system to automatically add servers to the different endpoint groups.

Last step: we need to install the Carbon Black sensor. It makes sense to add the sensor directly to the base images and to define a default/general endpoint group to which all clients are added with a basic ruleset. When, for example, the IP address of a server changes, it will automatically be moved to the matching endpoint group and receive that group’s policy ruleset. In my case I will just install the sensor manually.

To download the sensor, go to Endpoints -> All Sensors; at the top right you will find Sensor Options -> Download sensor kits.

[Screenshot: Endpoints > All Sensors (Sensors: 16). "Install sensors on endpoint devices and use groups to assign and manage policies." Sensor Options menu: Sensor settings, Company codes, Download sensor kits, Send installation request. Device list columns: Status, Device Name, User, OS, Sensor, Sig, Group/Policy, Last Check-in, Actions; example rows show Windows Server 2008 R2 x64 SP1 and Windows Server 2016 x64, sensors 3.4.0.1052 and 3.4.0.1070, policies Monitored and Advanced (manually assigned), last check-in Dec 6, 2019]

Run the installer on the target system, agree to the terms and enter the license key. We are done, the sensor is installed! Look back at the console under “Endpoints”: you can now see the VM automatically added to the correct group and policy.
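If you would rather bake the sensor into a base image or roll it out by script than click through the installer, the same step can be done unattended with msiexec. The following PowerShell is an added example and not part of the original post or of the Carbon Black product; it assumes the Windows sensor kit is an MSI downloaded from Sensor Options -> Download sensor kits, that the code from Sensor Options -> Company codes is what the installer asks for as the license key, and that the installer accepts the MSI properties COMPANY_CODE and GROUP_NAME and registers a Windows service named CbDefense. Those three names are taken from my reading of the sensor install documentation and should be checked against the guide shipped with the kit version you download; the file name, code value and log path are placeholders.

```powershell
# Added example (not from the original post): unattended install of the
# Carbon Black Cloud Windows sensor, followed by a check that the sensor
# service came up. ASSUMPTIONS to verify against the sensor install guide:
# MSI properties COMPANY_CODE / GROUP_NAME and the service name CbDefense.
param(
    [Parameter(Mandatory = $true)] [string] $KitPath,      # placeholder, e.g. C:\Kits\<sensor kit>.msi
    [Parameter(Mandatory = $true)] [string] $CompanyCode,  # placeholder, from Endpoints > Sensor Options > Company codes
    [string] $GroupName = '',                               # optional: sensor group to join on first check-in
    [string] $LogPath  = "$env:TEMP\cbc-sensor-install.log" # placeholder log location
)

if (-not (Test-Path -LiteralPath $KitPath)) {
    throw "Sensor kit not found: $KitPath"
}

# msiexec switches: /q quiet, /i install, /L*v verbose log to file.
$msiArgs = @(
    '/q', '/i', "`"$KitPath`"",
    '/L*v', "`"$LogPath`"",
    "COMPANY_CODE=`"$CompanyCode`""
)
if ($GroupName) { $msiArgs += "GROUP_NAME=`"$GroupName`"" }

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
# Standard MSI exit codes: 0 = success, 3010 = success but a reboot is required.
if ($proc.ExitCode -notin 0, 3010) {
    throw "Sensor install failed with msiexec exit code $($proc.ExitCode); see $LogPath"
}

# Verify the sensor service exists and is running before reporting success.
$svc = Get-Service -Name 'CbDefense' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    throw "Sensor service not found after install; check $LogPath"
}
if ($svc.Status -ne 'Running') {
    Start-Service -Name $svc.Name
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
}
$svc.Refresh()
Write-Output "Sensor installed; service '$($svc.Name)' is $($svc.Status). Check the console under Endpoints for the new device."
```

Run it from an elevated prompt, e.g. `.\Install-CbcSensor.ps1 -KitPath C:\Kits\sensor.msi -CompanyCode '<code>' -GroupName 'VMC Lab (Thomas)'`. Passing the group name only pre-assigns the sensor; the criteria you defined on the endpoint group (subnet, operating system) still decide where the device ends up on later check-ins, which is exactly the automatic assignment described above.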