klsphotos asked:

Antivirus/Malware Help

Hi Experts,

We recently had one of our employees click on a link in an e-mail that took him to a fake site where he entered his credentials and his e-mail account was compromised.
Management hired a cyber security company who did scans on the systems, his e-mails and also other things on the web.
We have managed Symantec Endpoint Protection, intrusion, malware which is up to date and active.
We also didn't have anything on the back end set up (per management) to protect our e-mail against spam, malware, all e-mails were to come through.
The cyber people are telling management that Symantec only gets 20% of intrusions, viruses and malware.  (I don't believe that, I have an e-mail box flooded with all the intrusions Symantec is getting and not one virus in 4 years which it caught).
Management from their advice is most likely going to force me to uninstall Symantec from all of our workstations and servers and deploy Carbon Black?

Can anyone tell me if this sounds as insane as I think it is?  Anyone familiar with Carbon Black?

Please help, I don't trust this at all and would love to be proven right or wrong.  I think this cyber company might be banking on management fears from my co-workers mistake.

Thank you

Last comment: btan, 8/22/2022 - Mon
SOLUTION
John

SOLUTION
bbao

SOLUTION
John

SOLUTION
Lee W, MVP

SOLUTION
Andrew Leniart

SOLUTION
John

SOLUTION
David Johnson, CD

SOLUTION
Andrew Leniart

klsphotos

ASKER
Thank you everyone so much for your help.   The consultant making the statement about Symantec only getting 20% of vulnerabilities and the push to deploy Carbon Black to our systems is what raised the red flag for me, in addition to what some of you confirmed; I've never heard of this product either.  In 4 years at my current company with Symantec I can say that, with all of the monitoring on our servers and users' systems, NONE of the errors have come from Symantec, and 1 virus which was user initiated.  I've had similar experience with Symantec since 2007. They want to address the wrong issue and remove a working product instead of addressing training and two-point authentication, and the fact that the "consultants" are pushing this instead of that is another red flag for me and I don't like this at all.

I will respond later after the meeting and close ticket.  Thank you again for your help.
bbao

Forgot to mention, like Andrew and David, this is also my first time hearing of the brand name Carbon Black.
ASKER CERTIFIED SOLUTION
masnrock

klsphotos

ASKER
Thank you everyone so much - it was a misunderstanding, they want to implement it alongside Symantec.  I've deployed it to several systems and we're doing a 30 day trial with it alongside Symantec.  The consultant did mention again that Symantec only gets 14-20% of all vulnerabilities, but where the confusion happened was management took that to mean it only works 20% of the time.  They meant out of all the vulnerabilities out there, so best to have 2 layers of protection.  They are giving a full presentation on this this week, so if they only mention this as a solution and not the other things mentioned here, I will speak up about that as well.

FYI, I have one of the highest amounts of RAM and CPU in my system and Carbon Black so far has slowed my system down drastically, I'm typing this from my mac :P

Thank you all so much for your help, all of you confirmed what I knew and suspected.  I will figure out how to award points for all.

Karen
Andrew Leniart

You're welcome Karen and good for you for challenging the status quo.

FYI, I have one of the highest amounts of RAM and CPU in my system and Carbon Black so far has slowed my system down drastically, I'm typing this from my mac

I'd be *very* interested to hear what their explanation is for that so please do update this thread if you can! :)
John

Thanks and I was happy to help you with this
masnrock

FYI, I have one of the highest amounts of RAM and CPU in my system and Carbon Black so far has slowed my system down drastically, I'm typing this from my mac :P
Check to see what policies exist in it. In our deployment of Cisco's solution, we disabled the AV protection, which still allowed us to keep the behavioral analysis and antimalware protection working alongside McAfee. Also, you probably need to create a number of exclusions in Carbon Black.
btan

Carbon Black goes into remote forensics, which can do a full memory dump of processes, something Symantec may not necessarily have full recording captures of. Most still tend to go for Carbon Black for endpoint detection and response (EDR), primarily for remote forensic analysis purposes. That is so far how much I see differs between ATP and CB. Symantec will not rest on its laurels and will be building enhancements to compete in the EDR space.

Worth noting is that both may not be foolproof as well: if you intend to do indicator of compromise (IOC) threat hunting using the hash of a file, CB can only cover running executable file types or recently executed files; non-executables will not be covered. Same for Symantec Advanced Threat Protection, which is EDR (not solely SEP).  You will likely still need to run a script on the machine.

As a whole, coverage for EDR should minimally target all critical servers and machines used by privileged users. These are the key entry points to prioritise; otherwise the idea is to have EDR on all endpoints. Searches through CB will be offloaded to the CB server, which constantly polls the CB agent in each endpoint, rather than triggering a search command in the client, as this can demand additional resources (on top of the existing ~10-16% footprint) from the client machine.
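The point above about hash-based IOC hunting needing a script on the machine to reach non-executable files, as an added example that is not part of btan's post or of either vendor's tooling. It sweeps every regular file under a directory, streams a SHA-256 over each one, and reports matches against an IOC set; the directory, file names and the "known-bad" digest are all constructed here so it runs offline.

```python
import hashlib
import os
import tempfile

def sha256_of(path, chunk=1 << 20):
    """Stream-hash a file so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def hunt(root, ioc_hashes):
    """Walk every regular file under root, executables and non-executables alike,
    and return [(path, sha256)] for files whose digest is in the IOC set."""
    wanted = {h.lower() for h in ioc_hashes}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of(path)
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the sweep
            if digest in wanted:
                hits.append((path, digest))
    return hits

def demo():
    """Constructed test bed: a temp dir with a harmless text file and a .docm
    whose content is arbitrary text standing in for a known-bad document."""
    root = tempfile.mkdtemp(prefix="ioc_hunt_")
    bad_content = b"constructed sample standing in for a weaponised document\n"
    with open(os.path.join(root, "invoice.docm"), "wb") as f:
        f.write(bad_content)
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"harmless\n")
    # The IOC set would normally come from the incident report; here it is the
    # digest of the constructed sample so the sweep has something to find.
    iocs = {hashlib.sha256(bad_content).hexdigest()}
    return hunt(root, iocs)

if __name__ == "__main__":
    for path, digest in demo():
        print(f"IOC match: {path} {digest}")
```

Because it hashes by content rather than by execution history, a document or archive that was only written to disk, never run, is still found.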
klsphotos

ASKER
Whatever was slowing it down has ceased, so I suppose it was just initially after I installed it.  I have access to the trial portal now from the company and am monitoring it this week.  It is showing me a lot of things that Symantec doesn't, mostly on servers, which does not surprise me; my machine is clean :)
Andrew Leniart

Thanks for the update Karen. I'd appreciate it if you could update this thread and let us know how it goes moving forward. It's a relatively unknown name in Security (for me anyway) and I'll be interested to hear your opinions about it.

Regards, Andrew
btan

What I see is that EDR presence is to fend off sophisticated malware such as memory-based and fileless malware types. There are criteria for their installation, but that would be seen as the optimal balance, as it should not be hindering normal operation.
Most EDR solutions use a complex agent that is tightly integrated into the endpoint’s operating system, meaning it can have serious performance impacts and cause instability if not well designed and tested. The vendor should be able to show you performance data of their product tested on similar operating systems, hardware, and running similar applications.

How much CPU does the agent use? (Should be < 1%, rarely ever spiking above that)

How large is the agent’s footprint? (Lightweight sensors are ~3Mb, heavy agents ~50Mb)

Does the sensor operate at the kernel level or in userspace?

Kernel level sensors provide greater visibility but require substantially more testing by the vendor to ensure they do not impact the endpoint operating system; user-space sensors are more prone to tampering and lack the visibility into kernel-level attack payloads.

You can check perfmon and question the support if there are consistent slowdowns, as it shouldn't be on your critical servers.

https://www.carbonblack.com/2016/01/25/13-essential-questions-to-guide-your-endpoint-detection-and-response-edr-evaluation/