Endpoint Detection and Response (EDR)

Protect your endpoints and unify IT security in one solution.

How Do I Sign Up?


Follow these steps to start recording endpoint activity data:

Step 1

Sign up for a free Armor demo.

Step 2

Log into Armor EDR.

Step 3

Purchase your licenses in the Armor Management Portal (AMP).

Step 4

Product Overview


Incident Detection and Incident Response for Hybrid Deployments

Armor's Endpoint Detection and Response (EDR) is an advanced security detection and incident response solution delivering continuous visibility to Security Operations and Incident Response teams across an organization's end user IT estate. EDR can be installed on laptops, desktops, and servers, giving Customers a 360-degree detailed overview of endpoint activity.

EDR provides next-generation endpoint protection, identifying suspicious activities and events, and performing validation on detected threats, along with identifying anomalies and suspicious behavior patterns. The EDR product also provides next-gen anti-virus technologies to prevent malicious executables from firing in your environment.


Features


Continuous Visibility

You can't stop what you can't see.

Investigations that typically take days or weeks can be completed in just minutes. EDR collects and visualizes comprehensive information about endpoint events, giving security professionals unparalleled visibility into their environments.

Scale the Hunt

Never hunt the same threat twice.

EDR combines custom and cloud-delivered threat intel, automated watchlists and integrations with the rest of your security stack to efficiently scale your hunt across even the largest of enterprises.

Respond Immediately

The days of constantly reimaging are over.

An attacker can compromise your environment in an hour or less. EDR gives you the power to respond and remediate in real time from anywhere in the world. EDR makes it easy to quickly contain threats and repair the damage to keep your business going.

Pricing


Pricing for EDR is per license purchased with an initial minimum of 25 licenses.

EDR Technical Information


WINDOWS

Currently, Armor is only operating on CB Cloud v3.5.1 for the following Windows operating systems:

  • Microsoft Windows Server 2012

  • Microsoft Windows Server 2012 R2

  • Microsoft Windows Server 2016

  • Microsoft Windows Server 2019

  • Microsoft Windows 10

We are not supporting Windows 11 at this time. 

 

LINUX

Currently, Armor is only operating on CB Cloud v2.8.0 for the following Linux operating systems:

OS        Version
CentOS    7.X, 8.X
RHEL      6.X, 7.X, 8.X
Ubuntu    16.X, 18.X, 20.X
Amazon    2
Oracle    6.X, 7.X
SUSE      12, 15
Debian    9, 10 (untested)

 

MacOS

Currently, Armor is only operating on CB Cloud v3.5.1 for the following Mac operating systems:

  • macOS High Sierra

  • macOS Mojave

  • macOS Catalina

  • macOS Big Sur

    • Installation on Big Sur requires special instructions; see the documentation.

  • macOS 10.15 (Catalina) devices installed with macOS sensors 3.3.3+ may require a reboot.

  • macOS 10.13+ devices installed with macOS sensors 3.1+ require new Apple KEXT approval. Unapproved sensors will enter bypass mode.

We are not supporting macOS 12 Monterey at this time.

HARDWARE

  • CPU: 2 GHz multi-core

  • RAM: 2 GB

  • Disk Space: 500 MB

    • +600 MB if local scanning is enabled or using ThreatHunter.

  • Network Card: 100/1000 Mbps

  • Linux systems additionally need 100 MB free space on the /opt partition and 4.1 GB free on the /var partition.

NETWORK

  • TLS: 1.2 or later

  • Minimum network use during light usage is 1k bytes/sec for reads and 1k bytes/sec for writes.

  • Primary port 443 and failover port 54443

  • Firewall or proxy should be configured with a bypass rule to allow outgoing connections over TCP/443 as well as Cb Defense's alternate port TCP/54443.

Configure firewalls or proxies to allow outgoing and incoming connections to the following destinations without packet inspection (per https://www.dell.com/support/article/en-us/sln319296/vmware-carbon-black-cloud-endpoint-sensor-system-requirements?lang=en):

FUNCTION                            PRIMARY PORT  BACKUP PORT  DESTINATION
Administration                      443           54443        defense-prod05.conferdeploy.net/
Client                              443           54443        dev-prod05.conferdeploy.net/
Integration Services (API)          443           54443        api-prod05.conferdeploy.net/
Signature Updates                   443           N/A          updates2.cdc.carbonblack.io
Online Certificate Status Protocol  80            N/A          ocsp.godaddy.com
Certificate Revocation List         80            N/A          crl.godaddy.com

Configure TCP/443 and TCP/54443 for the below destinations as well.

Signature URLs:

Third-party certificate validation URLs (sensor version 3.3+: optional but recommended and on by default):
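As an added example (not part of the Armor documentation or the Carbon Black sensor), the following Python script turns the destination table above into a pre-install egress check: it connects to each primary and backup port, requires a TLS 1.2 or later handshake on the sensor ports, and reports hosts that are unreachable or answer only on the failover port. The host names and ports come from the table; the function names, result layout and injectable connect function are assumptions of this example.

```python
import socket
import ssl

# Egress requirements from the destination table above (trailing slashes dropped).
# (host, has_backup_port): True means TCP/54443 is also listed as the backup port.
PRIMARY_PORT, BACKUP_PORT = 443, 54443
DESTINATIONS = [
    ("defense-prod05.conferdeploy.net", True),   # Administration
    ("dev-prod05.conferdeploy.net", True),       # Client
    ("api-prod05.conferdeploy.net", True),       # Integration Services (API)
    ("updates2.cdc.carbonblack.io", False),      # Signature Updates
]
CERT_STATUS = ["ocsp.godaddy.com", "crl.godaddy.com"]  # OCSP/CRL: plain HTTP, TCP/80

def plan_checks():
    """Expand the table into (host, port, needs_tls) checks."""
    checks = []
    for host, has_backup in DESTINATIONS:
        checks.append((host, PRIMARY_PORT, True))
        if has_backup:
            checks.append((host, BACKUP_PORT, True))
    return checks + [(host, 80, False) for host in CERT_STATUS]

def connect(host, port, needs_tls, timeout=5.0):
    """TCP connect; on sensor ports also finish a TLS 1.2+ handshake (the page's
    minimum). TCP open but handshake failing usually means an inspecting proxy."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            if not needs_tls:
                return True
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (OSError, ssl.SSLError):
        return False

def run_checks(connect_fn=connect):
    """Return {(host, port): reachable}; connect_fn is injectable for offline tests."""
    return {(h, p): connect_fn(h, p, tls) for h, p, tls in plan_checks()}

def summarize(results):
    """Hosts with every listed port failed, and hosts where only backup 54443 answered."""
    by_host = {}
    for (host, port), ok in results.items():
        by_host.setdefault(host, {})[port] = ok
    unreachable = sorted(h for h, p in by_host.items() if not any(p.values()))
    failover_only = sorted(h for h, p in by_host.items()
                           if not p.get(PRIMARY_PORT) and p.get(BACKUP_PORT))
    return {"unreachable": unreachable, "failover_only": failover_only}
```

A host in "failover_only" still lets the sensor check in, but the TCP/443 rule on the firewall or proxy is wrong and should be fixed before relying on it.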

Agent Installation (platform version each column was tested on):

  • Windows: Windows 10 20H1 v19041.208

  • RHEL/CentOS 7: RHEL/CentOS 7.0 - 7.8

  • macOS: macOS 10.15.1 - 10.15.6 (Catalina)

  • RHEL/CentOS 6: RHEL/CentOS 6.6 - 6.10

  • Ubuntu: Ubuntu 16 & 18

  • SUSE: SUSE SLES 12 & 15

  • Amazon: Amazon Linux 2

EDR Feature                                 Windows  RHEL/CentOS 7  macOS  RHEL/CentOS 6  Ubuntu  SUSE  Amazon
Generate Alerts and Events                  Yes      Yes            Yes    Yes            Yes     Yes   No
Policies                                    Yes      Yes            Yes    Yes            Yes     Yes   Yes
CB Event Forwarder Configuration            Yes      Yes            Yes    Yes            Yes     Yes   Yes
CB Event Forwarder Installation             No       (1)            No     Yes            No      No    No
Quarantine/Unquarantine                     Yes      No             Yes    No             No      No    No
Enable/Disable Bypass                       Yes      No             Yes    No             No      No    Yes
Background Scan                             Yes      No             Yes    No             No      No    No
On Demand Scan                              Yes      No             No     No             No      No    No
Blocking and Isolation of applications
  • Known malware                           Yes      Yes            Yes    Yes            Yes     Yes   Yes
  • Application on the company banned list  Yes      Yes            Yes    Yes            Yes     Yes   Yes
  • Unknown application or process          Yes      No             Yes    No             No      No    No
  • Adware or PUP                           Yes      No             Yes    No             No      No    No
  • Suspected malware                       Yes      No             Yes    No             No      No    No
  • Not listed application                  Yes      No             Yes    No             No      No    No
USB Device Blocking                         Yes      No             No     No             No      No    No
Sensor Settings
  • Allow user to disable protection        Yes      No             Yes    No             No      No    No
  • Enable private logging level            Yes      No             Yes    No             No      No    No
  • Run background scan - Standard          Yes      No             Yes    No             No      No    No
  • Run background scan - Expedited         Yes      No             No     No             No      No    No
  • Scan files on network drives            Yes      No             Yes    No             No      No    No
  • Scan execute on network drives          Yes      No             Yes    No             No      No    No
  • Delay execute for cloud scan            Yes      No             No     No             No      No    No
  • Hash MD5                                Yes      No             Yes    No             No      No    No
  • Use Windows Security Center             Yes      No             No     No             No      No    No
  • Sensor UI: Detail message               Yes      No             Yes    No             No      No    No
  • Submit unknown binaries for analysis    Yes      No             No     No             No      No    No
  • Auto-delete known malware hashes after  Yes      No             Yes    No             No      No    No
  • Require code to uninstall sensor        Yes      No             Yes    No             No      No    No
  • Enable Live Response                    Yes      Yes            Yes    Yes            Yes     Yes   Yes

(1) 64-bit CentOS 6.x Linux machine

Useful Links


Getting Started

Install and Uninstall

Troubleshooting Guide

FAQs

Armor Toolbox