Installing Carbon Black sensors

In my previous blog, I explained how to install and configure the VMware Carbon Black Cloud Workload Server Appliance. With that done, VMware Carbon Black is now tightly integrated with VMware vSphere to yield an “agentless” solution.

But it’s not really that “agentless”. 

Before the Carbon Black Cloud can manage and gather endpoint telemetry a sensor needs to be enabled on the endpoint. Yes, this sensor is not an actual agent, but it’s still a piece of software that will be installed through VMware Tools. In this blog, I’ll explain the various ways to enable the sensor.

Ensure the following before deploying the sensors:

  • vCenter version: 6.7U1 and higher
  • VMware Tools version: 11.2 or higher
  • Only 64-bit platforms are supported. List of supported platforms:
    Desktop Platforms: Windows 7-SP1, Windows 8, Windows 8.1, Windows 10
    Server Platforms: Windows Server 2008R2, 2012, 2012R2, 2016, 2019

 

VMware vCenter

As a system administrator, you can now monitor for vulnerabilities and inventory status in the vCenter Management Console. Here you can also deploy the sensors onto the virtual machines. 

To open the Carbon Black overview, click Menu > Carbon Black.

Here you will find a summary of your Appliance Health, Inventory status, and possible Vulnerabilities.

In this case, we want to enable a sensor, so click on the Inventory tab and select Not Enabled.

Select a virtual machine of choice and click on Enable. To start the sensor installation on that VM.

You will be prompted with a popup where you have the ability to configure some advanced settings. For now, we want to install the sensor with a default configuration, so click on Enable to continue.

The installation will take a couple of minutes. You can click on the Enabled tab and refresh your page until your selected VM is shown. 

You now have successfully enabled a sensor on a VM through vCenter. Next up, I’ll explain how to install the sensor via the Carbon Black Cloud Management page.

 

Carbon Black Cloud Management page

Another way to enable a sensor or multiple sensors is through the CBC Management page. Open the management page and go to Inventory > VM Workloads > Not Enabled. Here you will find an overview of not enabled virtual machines. 

Select a virtual machine, click the orange Take Action button, and select Install Sensor.

Just as in vCenter, a popup will be shown to specify some advanced settings. We still want to use the default configuration, so click Install to start the installation.

After a couple of minutes, click on the Enabled tab to view your newly installed sensor.

You now have successfully deployed the Carbon Black sensors in 2 ways. The last way to install the sensors is by using a .MSI file. 

 

MSI Installation

Probably not a big surprise, but yes you can also install the sensor by using a .MSI file you can download from the CBC Management page.

On the VM Workload page, you have a Sensor Options button in the top right of the screen. Click on it and select Download Sensor Kits.

A popup will appear where you can choose to download the installation file for the Operating System of choice. Since I only use Windows virtual machines, I download the Windows 64-bit Download kit.

After you have clicked the download button, a .MSI file will be downloaded onto your computer for further use. I won’t go over all the various ways you can install a .MSI file, but yes you can choose to install it by hand, command line, GPO, or any other deployment tool you use in your environment.

There are also various parameters available to install the sensor silently, check out the documentation for that. Below is the default command line to use just the basic settings.

msiexec.exe /i /qn <path\cbsetup.msi> /L*V <path\msiinstall.log>

Conclusion

By using the various methods you have many options to install the Carbon Black sensor. I personally would prefer the MSI option to automatically install it when creating a virtual machine, especially from a VDI perspective. 

Interested in how the Carbon Black sensor works in a (non-persistent) VDI environment? Keep an eye out for my next blog!