Pre-installation Requirements and Instructions

This section addresses what you need to do before installing sensors, including endpoint machine requirements as well as steps you should perform.

Only machine administrators can install or uninstall sensors on endpoints across your organization.

Important

Cybereason recommends using the same version for both your Cybereason servers and your sensors. If you choose not to update your sensors, you may not be able to take advantage of new features introduced into the platform.

Review supported operating systems for sensors (all OSs)

Cybereason sensors are supported on numerous different operating systems. For the full list of supported operating systems, see Supported OS Versions for the Sensor.

Understand the minimum system requirements (all OSs)

The minimum system requirements for endpoints depend on whether you enable Endpoint Prevention features or not:

Note

The resource requirements stated below may differ from the actual sensor resource usage in practice. For actual resource usage estimates, see Sensor Resource Usage.

Endpoint data collection only

| Component | Requirement |
|---|---|
| Machine RAM | 4 GB |
| CPU | Dual core 2 GHz Core i3 and above or equivalent |
| Available disk space | 500 MB minimum |
| Network connectivity | Ethernet or Wi-Fi |

EDR and Endpoint Prevention

| Component | Requirement |
|---|---|
| Machine RAM | 4 GB |
| CPU | Dual core 2 GHz Core i3 and above or equivalent |
| Available disk space | 2 GB minimum |
| Network connectivity | Ethernet or Wi-Fi |

Update additional endpoint machine requirements (Windows and Linux)

| Requirement | OS |
|---|---|
| The endpoints must meet the Transport Layer Security (TLS) communication requirements. For more information, see Select your TLS communication preferences. | Windows |
| On Windows endpoints, for the Cybereason system tray icon and notifications to display, the endpoint must have .NET Framework 4.0 or higher enabled. | Windows |
| On Windows endpoints, if you plan to use the Exploit protection feature and are running a version of Windows that does not include Exploit Guard (versions earlier than Windows 10 Fall Creators Update or RS3), you must install EMET 5.5. If EMET is not installed, we recommend upgrading your machine operating system to the latest Windows version, because Windows no longer officially supports EMET. If you are using Exploit Guard on Windows 10 Fall Creators Update (RS3) and later versions, EMET is not required. | Windows |
| Cybereason recommends that you do not enable Windows Core Isolation on machines on which Cybereason NGAV features will be enabled, as this may cause conflicts or performance issues. | Windows |
| On Linux endpoints, you must install the GNU C library (glibc). | Linux |

Verify that Windows Event Log is running (Windows)

Verify that the Windows Event Log service is running on the endpoint and do not disable this service. If you disable this service before or after the sensor installation, the sensor does not install or function properly.

Install the required certificates (all OSs)

For more information, see Required Certificates for Cybereason Sensor Installation.

Install additional KBs (Windows)

If you use a supported version of Microsoft Windows, you must also install the following patches on your machines:

| OS | Requires KB | Notes |
|---|---|---|
| Windows Server 2008 R2 SP1 | KB3033929 or KB4474419 | Required to ensure support for SHA256 signatures. Note that other Microsoft patches may provide this functionality as well. |
| Windows | KB2999226 | Required for enabling Application Control. |

Install required packages (Linux)

Note

The Cybereason Linux sensor packages are not supported for Linux 32-bit operating systems.

Before you install the Cybereason Linux sensor package on Linux operating systems, verify that the following languages and packages are installed on the endpoint:

| Language/Package/Utility | Required/Optional | Matching Library | Notes |
|---|---|---|---|
| Python 2.6+ or Python 3.x | Required | | The Cybereason platform supports all Python 3 versions, up to the latest Python version. |
| iptables or nftables | Required | iptables-1.4.21-35.el7.x86_64 | |
| libcurl.so.4 | Required | libcurl-7.29.0-59.el7_9.1.x86_64 | |
| libnsl.so.1 | Required | glibc-2.17-317.el7.x86_64 | If you experience installation issues on RHEL or CentOS 8.3 or 8.4, see Sensor Fails to Start on RHEL and CentOS 8.3 and 8.4. |
| librt.so.1 | Required | glibc-2.17-317.el7.x86_64 | |
| libpthread.so.0 | Required | glibc-2.17-317.el7.x86_64 | |
| libm.so.6 | Required | glibc-2.17-317.el7.x86_64 | |
| libgcc_s.so.1 | Required | libgcc-4.8.5-44.el7.x86_64 | |
| libc.so.6 | Required | glibc-2.17-317.el7.x86_64 | |
| ld-linux-x86-64.so.2 | Required | glibc-2.17-317.el7.x86_64 | |
| libdl.so.2 | Required | glibc-2.17-317.el7.x86_64 | |
| libpopt.so.0 | Required | popt-1.13-16.el7.x86_64 | |
| libelf.so.1 | Required | elfutils-libelf-0.176-5.el7.x86_64 | |
| libattr.so.1 | Required | libattr-2.4.46-13.el7.x86_64 | |
| libz.so.1 | Required | zlib-1.2.7-18.el7.x86_64 | |
| libudev.so.1 | Required | systemd-libs-219-78.el7.x86_64 | This library is part of the systemd package supported on CentOS 7 and later. |
| libcap.so.2 | Required | libcap-2.22-11.el7.x86_64 | Enables retrieving and setting Linux capabilities. |
| librpm.so | Required | rpm-devel-4.11.3-48.el7_9.x86_64 | Allows RPM metadata enrichment for the supported operating system. |
| librpmio.so | Required | rpm-devel-4.11.3-48.el7_9.x86_64 | Allows RPM metadata enrichment for the supported operating system. |
| gdb | Optional | gdb-7.6.1-120.el7.x86_64 | Allows maximum debugging capabilities. |
| policycoreutils-devel | Required (CentOS/RHEL 7.6-7.9, Ubuntu 20.04/22.04) | | Required to use the eBPF framework. See the table below for steps to perform for the eBPF framework. |

If the installation fails, see Linux Sensor Installation Failures.
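
To check an endpoint against the library list above before installing, the following added example (not Cybereason code) reads `ldconfig -p` output and prints every listed soname that has no x86-64 entry in the linker cache. The function name missing_sensor_libs is hypothetical; the sonames are copied from the table.

```bash
#!/usr/bin/env bash
# Added example (not Cybereason code). missing_sensor_libs is a hypothetical
# helper name; the sonames are copied from the table above.

SENSOR_LIBS="libcurl.so.4 libnsl.so.1 librt.so.1 libpthread.so.0 libm.so.6
libgcc_s.so.1 libc.so.6 ld-linux-x86-64.so.2 libdl.so.2 libpopt.so.0
libelf.so.1 libattr.so.1 libz.so.1 libudev.so.1 libcap.so.2 librpm.so
librpmio.so"

# Reads `ldconfig -p` output on stdin. Cache lines look like:
#     libz.so.1 (libc6,x86-64) => /lib64/libz.so.1
# Prints each required soname that has no x86-64 entry. A 32-bit-only copy
# does not count, because 32-bit systems are not supported.
# Returns 1 if anything is missing, 0 otherwise.
missing_sensor_libs() {
    # The unquoted echo collapses the newlines in the list to single spaces.
    awk -v want="$(echo $SENSOR_LIBS)" '
        BEGIN { n = split(want, libs, " ") }
        $2 ~ /x86-64/ { have[$1] = 1 }
        END {
            for (i = 1; i <= n; i++)
                if (!(libs[i] in have)) { print libs[i]; bad = 1 }
            exit bad + 0
        }'
}
```

Run it as `ldconfig -p | missing_sensor_libs`; no output and exit status 0 mean every listed library resolves.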

In addition, in versions 23.2.65 and later, to use the eBPF-related features on Linux machines running CentOS/RHEL 7.6, 7.7, 7.8, or 7.9 or Ubuntu 20.04/22.04 (with kernel 5.15), you must do the following:

Step

Details

Run supported kernel version

You must have the proper kernel version for your operating system:

  • For RHEL/CentOS 7.6: 3.10.0-957.el7.x86_64

  • For RHEL/CentOS 7.7: 3.10.0-1062.el7.x86_64

  • For RHEL/CentOS 7.8: 3.10.0-1127.el7.x86_64

  • For RHEL/CentOS 7.9: 3.10.0-1160.62.1.el7.x86_64

  • For Ubuntu 20.04/22.04: 5.15

Debug symbols/kernel header availability

Debug symbols or kernel headers must be available in their standard location. These kernel configurations must be enabled:

  • CONFIG_BPF=y

  • CONFIG_BPF_SYSCALL=y

  • CONFIG_NET_CLS_BPF=m

  • CONFIG_BPF_JIT=y

  • CONFIG_BPF_EVENTS=y

  • CONFIG_BPF_JIT_ALWAYS_ON=y

  • CONFIG_NETFILTER_XT_MATCH_BPF=m

  • CONFIG_HAVE_EBPF_JIT=y

You can check these kernel configurations in /proc/config.gz or /boot/config-<kernel-version>.

Install kernel-devel

Note

The kernel-devel installation requires that perl is installed. If you do not have it installed, you can install it using the yum install perl command or it may be installed automatically.

For CentOS version 7.X, you must download and install an RPM package:

  1. Use one of these commands to download the specific package you need:

    # for the latest CentOS 7 version (kernel version 3.10.0-1160), use:
    wget http://mirror.centos.org/centos/7/os/x86_64/Packages/kernel-devel-`uname -r`.rpm
    
    # for the latest CentOS 7 version (kernel version 3.10.0-1160) with patch version, use:
    wget http://mirror.centos.org/centos/7/updates/x86_64/Packages/kernel-devel-`uname -r`.rpm
    
    # for lower kernels (<3.10.0-1160), use:
    wget https://vault.centos.org/`cat /etc/centos-release | awk '{print $4}'`/os/x86_64/Packages/kernel-devel-`uname -r`.rpm
    
    # for lower kernels (<3.10.0-1160) with patch version, use:
    wget https://vault.centos.org/`cat /etc/centos-release | awk '{print $4}'`/updates/x86_64/Packages/kernel-devel-`uname -r`.rpm
    
  2. Install the package using this command:

    # install the downloaded package:
    yum install kernel-devel-$(uname -r).rpm
    

For RHEL version 7.X:

In RHEL version 7.X, the machines are under a suitable subscription with RHEL repositories. Make sure the repo rhel-7-server-rpms is active (subscription-manager repos --enable=rhel-7-server-rpms) and run the following command:

yum install kernel-devel-$(uname -r)

For Ubuntu 20.04/22.04:

On Ubuntu, kernel header files are found under the /usr/src directory. You can check if the matching kernel headers for your kernel version are already installed on your machine with this command:

ls -l /usr/src/linux-headers-$(uname -r)

If the kernel header directory does not exist, install the Linux Kernel headers package:

sudo apt install linux-headers-$(uname -r)
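
The kernel version and kernel configuration steps above can be checked with a short script before you install the sensor. This is an added example, not Cybereason code: the function names are hypothetical, the values are copied from this page, and the Ubuntu entry "5.15" is assumed to mean any 5.15.x release.

```bash
#!/usr/bin/env bash
# Added example (not Cybereason code): eBPF preflight for the steps above.
# Function names are hypothetical; the values are copied from this page.

REQUIRED_BPF_OPTS="CONFIG_BPF=y CONFIG_BPF_SYSCALL=y CONFIG_NET_CLS_BPF=m
CONFIG_BPF_JIT=y CONFIG_BPF_EVENTS=y CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_NETFILTER_XT_MATCH_BPF=m CONFIG_HAVE_EBPF_JIT=y"

# Return 0 if the kernel release ($1, default: uname -r) is one listed above.
# Assumption: the Ubuntu entry "5.15" is treated as any 5.15.x release.
kernel_supported() {
    case "${1:-$(uname -r)}" in
        3.10.0-957.el7.x86_64|3.10.0-1062.el7.x86_64) return 0 ;;
        3.10.0-1127.el7.x86_64|3.10.0-1160.62.1.el7.x86_64) return 0 ;;
        5.15|5.15.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the kernel config from file $1, or from the standard locations.
read_kernel_config() {
    if [ -n "$1" ]; then
        case "$1" in *.gz) gzip -dc "$1" ;; *) cat "$1" ;; esac
    elif [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz
    else
        cat "/boot/config-$(uname -r)"
    fi
}

# Print one line per option that is unset or has another value.
# Returns 0 if all match, 1 on any mismatch, 2 if no config is readable.
check_bpf_config() {
    local cfg want name actual rc
    rc=0
    cfg=$(read_kernel_config "$1") || return 2
    for want in $REQUIRED_BPF_OPTS; do
        name=${want%%=*}
        # Anchor on "NAME=" so CONFIG_BPF does not also match CONFIG_BPF_JIT.
        actual=$(printf '%s\n' "$cfg" | grep "^${name}=" | head -n 1)
        [ -n "$actual" ] || actual="${name} is not set"
        if [ "$actual" != "$want" ]; then
            echo "MISMATCH want ${want} got ${actual}"
            rc=1
        fi
    done
    return "$rc"
}
```

Call `kernel_supported` and `check_bpf_config` with no arguments to test the running kernel, or pass a release string or a config file path to test another machine's values.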

Add sensor processes to third-party tool allowlists (all OSs)

When you install the Cybereason sensor, some third-party antivirus tools may mistakenly prevent the execution of some Cybereason installation processes. Cybereason recommends that you add the Cybereason installer file as an antivirus exclusion on the third-party tool. In addition, configure the third-party tool to allow the relevant processes in the following tables.

For information about how to resolve conflicts between Cybereason sensors and third-party tools, see Troubleshooting Conflicts between Third-Party Applications and Cybereason.

Open ports for sensor communication (Windows)

On Windows machines, the following ports are used by Windows sensors on the localhost for internal endpoint communication. These ports cannot be used by third-party products while the sensor is installed:

  • 10556

  • 10557

  • 10560

  • 30972

  • 39378

  • 40270

  • Ports in the range: 49152-65535

Configure your firewall and network to allow sensor communication (all OSs)

Proxy communication

If sensors will connect to Cybereason servers via proxy servers, you must also complete these tasks:

  • Add the sensor connection on the proxy servers to the allowlist.

  • If your organization uses a PAC server, provide Customer Success with the URL of the PAC server.

  • If your organization uses an HTTP proxy list, provide Customer Success with the hostname and port for each proxy.

See Configure Proxy Connection Details for more details.

Firewall and proxy settings for Signatures mode rule updates

See Firewall and Proxy Guidelines for Signatures Updates.

Enable communication with the Cybereason Global Update servers (all OSs)

If you use the Anti-Malware > Signatures mode, allow communication on port 443 to the Update server URL https://cr-protect.cybereason.net/ and ensure that this URL is allowed. If you are also using an NGAV Global Update server, perform the same step for the URL of your NGAV Global Update server.

For larger deployments, you can optionally install an NGAV Local Update Server, which can reduce network usage during the sensors’ first-time signatures update and subsequent signature updates.

Request custom sensor installation packages (All OSs, optional)

For some sensor features, you can ask Technical Support to prepare a custom sensor version with the configuration included in the sensor package. Such features include:

  • Signatures database file included with the sensor installer

  • Proxy configuration, including the proxy server address and port to use for sensor communication through a proxy

  • Proxy connection information for the Registration server

  • Enable proxy communication for the Anti-Malware signature database

  • Sensor uninstallation passwords

  • Sensor policy ID to assign to the sensor after installation

To use these custom sensor options, open a Technical Support case.
