
CB Protection Frequently Asked Questions

How do I log in to the CB Protection Admin Console?

Note: Access to the installation binaries and to the CB Protection admin console is limited only to Privileged Access Workstations (PAW).

  1. Once you are connected to the PAW VPN ("Ring 0 Manual Authentication" or "su-secops-vpn"), access the CB Protection portal through a web browser.
    • Google Chrome is the browser of choice.
  2. Point your browser to:
  3. Use your CB Protection credentials to log in to the admin console.
  4. After you log in, change your account password by hovering your mouse over your username, clicking on User Settings, and filling in the appropriate fields.

What firewall ports do I need?

Once the CB Protection agent is installed, it communicates with the protection server; ensure that your department and host-based firewalls allow outbound traffic to the following IPs and ports:

  • Users assigned to Ring 1 should allow outbound traffic to 171.67.32.130
  • Users assigned to Ring 0 should allow outbound traffic to 171.67.32.50
  • Parity Server port: 41002 (TCP)
  • Agent upgrades: port 443 (TCP), outbound traffic to 171.67.215.200

Note: The instance (Ring 1 and/or Ring 0) that is associated with your department will be communicated during the initial process of establishing accounts and manageable policies.

For more information or help, please submit a Help ticket.

How does CB Protection know which files to trust?

When the CB Protection agent evaluates a new file, it analyzes the file according to several characteristics:

  • File hash: MD5, SHA-1, SHA-256
  • Filename: full file names or regex strings
  • File signature: the agent checks the certificate that signed the file against an online database of trusted file signatures. All files carrying the same signature can be banned or approved at the same time.

How does CB Protection classify files?

CB Protection mainly classifies files in three ways:

Approved: Files are trusted and are allowed to run when CB Protection is in Medium and High enforcement modes.

Unapproved: Files are not trusted, but not explicitly banned. CB Protection blocks unapproved files from running in Medium or High enforcement mode.

Banned: Files are explicitly untrusted and cannot run in Low, Medium, or High enforcement modes.

What is CB Protection Initialization, and how does it affect my systems?

Initialization is the process by which the CB Protection agent inventories the current state of a system and locally approves all existing files that reside on the current system. 

The Initialization process runs in the background and varies in duration with the speed and capacity of your storage volume. Initialization times may vary from 20 minutes for a laptop to several hours for servers.

The initialization process occurs during the initial installation of the CB Protection agent, and also when the agent moves from one policy to another.

Track the Initialization progress for each computer in the Assets view, under the property % initialized.

To stop Initialization, move the computer into Disabled mode. The agent will save its progress and restart from that point when Initialization resumes.

How do I identify Cb Protection file activity?

Cb Protection will help identify the type of file activity represented in the admin console's events log, but it is up to systems administrators to understand the significance of file activity, and change server and application management workflows to incorporate the approval of required software.

  1. While viewing events, add a filter for Subtype and set it to new unapproved file to the computer.
  2. Add a filter for File State, set the filter to Unapproved, and group events by Process Name.
  3. Identify the process with the most events.
  4. Add a filter for Process Name and set the filter to the name of the process that you identified.
  5. Group by File Path and identify the file path with the most related events.
    • If there is no single path with a large number of events, try to identify a path with related names.
  6. Add a filter for File Path.
    • If you see a large number of file paths that do not seem to be related to each other, and they group together by user, project, or software, you are probably looking at backup activity. 
  7. Group by User.
    • If you observe that all of the activity is associated with a local system or a service account for backing up that system, it is probably backup activity. If the activity is associated with user accounts, the activity is probably user software installs. 
  8. Group by File Name and identify the type of files being written to the system. The file extension is a good indicator of the type of the file.
    • If you see a large number of .dll and .exe files being written to one or more directories, you are probably seeing software installation activity.
    • If you see file names that look randomly generated or sequentially incrementing names, this is a good indicator that the content is dynamically generated.
    • If you group by file prevalence and see all zeroes and ones, this is a good indicator of dynamically generated content. Sources of dynamically generated files can be software deployment tools, compilers, .Net framework, patching, or something else.
  9. After you have identified the file activity, write a custom rule to approve or ban the activity.
    • Backup files will not need to be approved, as they never need to run, so you may safely ignore backup activity.
    • There are several methods for approving software installation activity. See Approval Mechanisms for more information about how software is approved in different workflows.
    • Dynamically generated content can be controlled by using custom rules. See How do I write a custom rule for Cb Protection file activity? for more information about writing custom rules.
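As an added illustration (not part of the original page or of the CB Protection product), the following Python script applies the filtering, grouping and classification heuristics of steps 1 to 9 to a handful of constructed events. The field names and the sample records are assumptions, not the console's export format.

```python
from collections import Counter
import re

# Constructed sample events (assumed field names, not a real console export).
NEW_FILE = "New unapproved file to computer"
EVENTS = [
    {"subtype": NEW_FILE, "state": "Unapproved", "user": r"NT AUTHORITY\SYSTEM", "prevalence": 1,
     "process": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "path": r"C:\Windows\Temp", "file": f"{n:08x}.dll"}
    for n in (0x1A2B3C4D, 0x5E6F7A8B, 0x9C0D1E2F, 0x3A4B5C6D)
] + [
    {"subtype": NEW_FILE, "state": "Unapproved", "user": r"NT AUTHORITY\SYSTEM", "prevalence": 40,
     "process": r"C:\Program Files\BigFix\besclient.exe",
     "path": r"C:\Program Files\BigFix\Downloads", "file": "agent.exe"},
    {"subtype": "Discovered file", "state": "Approved", "user": r"CORP\alice", "prevalence": 3,
     "process": r"C:\Windows\explorer.exe", "path": r"C:\Users\alice\Desktop", "file": "notes.txt"},
]
RANDOM_NAME = re.compile(r"^(?:[0-9a-f]{8,}|[a-z]+\d{3,})\.", re.I)    # hex blobs, name001
SERVICE_ACCT = re.compile(r"^NT (?:AUTHORITY|SERVICE)\\|\$$|svc", re.I)  # SYSTEM, HOST$, *svc

def unapproved(events):
    """Steps 1-2: keep only 'new unapproved file' events whose file state is Unapproved."""
    return [e for e in events if e["subtype"] == NEW_FILE and e["state"] == "Unapproved"]

def noisiest(events, field):
    """Steps 3 and 5: group by a field and return the busiest value with its events."""
    value = Counter(e[field] for e in events).most_common(1)[0][0]
    return value, [e for e in events if e[field] == value]

def classify(events):
    """Steps 7-8 heuristics for one process/path group. Dynamic content is tested first
    because dynamically generated .dll files would otherwise look like an install."""
    exts = Counter(e["file"].rsplit(".", 1)[-1].lower() for e in events)
    random_names = sum(bool(RANDOM_NAME.match(e["file"])) for e in events)
    if all(e["prevalence"] <= 1 for e in events) and random_names * 2 >= len(events):
        return "dynamically generated content: write a custom rule"
    if (exts["dll"] + exts["exe"]) * 2 >= len(events):
        return "software installation: use an approval mechanism"
    if all(SERVICE_ACCT.search(e["user"]) for e in events):
        return "backup activity: safe to ignore"
    return "user software install: review with the user"

def triage(events):
    """Run the procedure end to end: filter, busiest process, its busiest path, verdict."""
    work = unapproved(events)
    if not work:
        return None
    process, by_proc = noisiest(work, "process")
    path, by_path = noisiest(by_proc, "path")
    return {"process": process, "path": path, "events": len(by_path), "verdict": classify(by_path)}
```

Running `triage(EVENTS)` singles out the compiler writing hex-named, prevalence-1 DLLs into C:\Windows\Temp, which is the case the custom-rule procedure below is meant for.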

How do I write a custom rule for Cb Protection file activity?

Custom rules should be reserved for cases when you cannot approve a file by hash with a normal file rule, as with dynamically generated content. It’s preferable to use file rules and signature rules, because custom rules incur a larger performance penalty.

  1. Identify the nature of the file activity.
  2. Select Software Rules in the Rules menu, select the Custom tab, and select Add Custom Rule.
  3. Use this format to name the rule: SU-<group name>-<application name>-<short desc.>.
    For example:
    • SU-ISO-.NET-Software-Installation
    • SU-ISO-.NET-Backup-Activity
    • SU-ISO-.NET-Dynamic-File-Creation
    • SU-ISO-BigFix-Software-Deployment
  4. Change the rule type to Advanced, set the operation to Write, and set the action to Approve.
  5. Fill in the appropriate fields in the rule based on the type of file activity you identified.
    Note: it is generally better to make your rules as specific as possible. Specify the path, process, and person executing the activity in your rules.
    • Identify the full path of the process that wrote the files, and add that to the appropriate field.
      For example: C:\program files\BigFix\besclient.exe
    • Identify the related portion of the full path of the files being written and common file names of the files being written, and add that to the rule.
    • Please note that ? and * are wildcards: ? represents any single character and * represents zero or more characters.
    • Identify the user account associated with the process writing the files and add the identified user account(s) to the rule.
    • A rule should only have service accounts and local system accounts specified.
  6. Select the policies that you want the rule to affect.
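An added example, not code from the page or from the product, showing how a custom rule built per steps 3 to 6 is evaluated against write events, including the ? and * wildcard semantics described above. The rule fields, the policy name and the sample events are assumptions.

```python
import re
from dataclasses import dataclass

def wildcard_to_regex(pattern):
    """Rule wildcards as described above: '?' matches exactly one character, '*' zero
    or more; everything else is literal and matching is case-insensitive like Windows paths."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(rf"^{body}$", re.IGNORECASE)   # note: '*' may cross '\' here

@dataclass(frozen=True)
class CustomRule:
    name: str           # SU-<group name>-<application name>-<short desc.>
    process: str        # full path of the process writing the files
    file_path: str      # pattern for the path/name of the files being written
    users: tuple        # service and local system accounts only
    policies: tuple     # policies the rule affects
    operation: str = "Write"
    action: str = "Approve"

    def matches(self, event):
        """True only when every field of the rule applies to the write event."""
        return (event["operation"] == self.operation
                and event["policy"] in self.policies
                and bool(wildcard_to_regex(self.process).match(event["process"]))
                and bool(wildcard_to_regex(self.file_path).match(event["file_path"]))
                and any(wildcard_to_regex(u).match(event["user"]) for u in self.users))

# A rule written per steps 3-6 for the BigFix example above; the policy name is made up.
RULE = CustomRule(
    name="SU-ISO-BigFix-Software-Deployment",
    process=r"C:\program files\BigFix\besclient.exe",
    file_path=r"C:\Program Files\BigFix\Downloads\*.exe",
    users=(r"NT AUTHORITY\SYSTEM",),
    policies=("High Enforcement",),
)

def make_event(**overrides):
    """Constructed write events (not console data): a BigFix deployment, with variations."""
    base = {"operation": "Write", "policy": "High Enforcement", "user": r"NT AUTHORITY\SYSTEM",
            "process": r"C:\Program Files\BigFix\besclient.exe",
            "file_path": r"C:\Program Files\BigFix\Downloads\Agent.EXE"}
    return {**base, **overrides}

SAMPLES = {
    "deployment": make_event(),                                   # approved by the rule
    "user_account": make_event(user=r"CORP\alice"),               # user accounts excluded
    "other_dir": make_event(file_path=r"C:\Users\alice\tool.exe"),   # outside the path
    "other_process": make_event(process=r"C:\Windows\System32\cmd.exe"),
}
```

Only the first sample is approved: the rule is specific in process, path and account, so the same file written by a user account or from another location falls through to normal enforcement.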

What installer should I download from the CB Protection console for new deployments?

It is recommended to use the High Enforcement policy installer as the default installation method.

What is a Timed Override and how does it apply to newly provisioned systems with CB Protection?

A Timed Override allows software to be installed while a system is under the High Enforcement Level protection mode. The maximum time allowed for a single Timed Override instance is 500 minutes.

How do you generate a Timed Override?

To generate a code to place a computer in a temporary local approval mode:

  1. On the console menu, choose Assets > Computers. The Computers page appears.
  2. In the table, locate the computer for which you want to generate a code and click its name. The Computer Details page for that system appears.
  3. Click the Policy Override tab in the panel at the bottom of the page.
  4. In the Temporary Policy Override Code panel, leave the default choice for Temporary Enforcement, which is Local Approval, unless you want to transition to a different Enforcement Level.
  5. In the Enforcement Level Active For box, enter the number of minutes (up to 500) you want the Enforcement Level change to last.
  6. In the Key Valid For box, enter the length of time you want the override code to be valid. Take into account how long it will take to get the key to the computer user who needs it and how quickly they will be able to enter it.
  7. When you have entered all parameters, click the Generate Code button. A code with nine sets of letters separated by dashes appears in the box next to the button.
  8. Copy and save the code from the box (and note the computer name) so that you can deliver it to the person who will be installing new software on the offline computer. The code is not saved on the Computer Details page, so you must record it.

What are the steps to use the Timed Override?

To use a Timed Policy Override code on a Windows computer:

  1. On the computer you want to apply the override to, open a command window and launch the TimedOverride.exe application: "c:\Program Files (x86)\Bit9\Parity Agent\TimedOverride.exe"
  2. Enter the override code and click OK.

To use a Timed Policy Override code on a Mac computer:

  1. Open a terminal.
  2. Change to the tools directory: cd /Applications/Bit9/Tools
  3. Run the timed override, using the code generated in the console: ./b9cli -timedoverride <CLI>
 
Last modified June 25, 2020