Pre-installation Requirements and Instructions
This section addresses what you need to do before installing sensors, including endpoint machine requirements as well as steps you should perform.
Only machine administrators can install or uninstall sensors on endpoints across your organization.
Important
Cybereason recommends using the same version for both your Cybereason servers and your sensors. If you choose not to update your sensors, you may not be able to take advantage of new features introduced into the platform.
Perform the following prerequisite steps:
Update additional endpoint machine requirements (Windows and Linux)
Add sensor processes to third-party tool allowlists (all OSs)
Configure your firewall and network to allow sensor communication (all OSs)
Enable communication with the Cybereason Global Update servers (all OSs)
Request custom sensor installation packages (All OSs, optional)
Review supported operating systems for sensors (all OSs)
Cybereason sensors are supported on numerous different operating systems. For the full list of supported operating systems, see Supported OS Versions for the Sensor.
Understand the minimum system requirements (all OSs)
The minimum system requirements for endpoints depend on whether you enable Endpoint Prevention features or not:
Note
The resource requirements stated below may differ from the actual sensor resource usage in practice. For actual resource usage estimates, see Sensor Resource Usage.
Endpoint data collection only
Component |
Requirement |
---|---|
Machine RAM |
4 GB |
CPU |
Dual core 2 Ghz core i3 and above or equivalent |
Available disk space |
500 MB minimum |
Network connectivity |
Ethernet or Wi-Fi |
EDR and Endpoint Prevention
Component |
Requirement |
---|---|
Machine RAM |
4 GB |
CPU |
Dual core 2 Ghz core i3 and above or equivalent |
Available disk space |
2 GB minimum |
Network connectivity |
Ethernet or WiFi |
Update additional endpoint machine requirements (Windows and Linux)
Requirement |
OS |
---|---|
The endpoints must meet the Transport Layer Security (TLS) communication requirements. For more information, see Select your TLS communication preferences. |
Windows |
On Windows endpoints, for the Cybereason system tray icon and notifications to display, the endpoint must have .NET Framework 4.0 or higher enabled. |
Windows |
On Windows endpoints, If you plan to use the Exploit protection feature, and are running a version of Windows that does not include Exploit Guard (versions earlier than Windows 10 Fall Creators Update or RS3), you must install EMET 5.5. If EMET is not installed, we recommend upgrading your machine operating system to the latest Windows version, because Windows no longer officially supports EMET. If you are using Exploit Guard on Windows 10 Fall Creators Update (RS3) and later versions, EMET is not required. |
Windows |
Cybereason recommends not to enable Windows Core Isolation on the machines on which Cybereason NGAV features will be enabled, as this may cause conflicts or performance issues. |
Windows |
On Linux endpoints, you must install the GNU C library (glibc). |
Linux |
Verify that Windows Event Log is running (Windows)
Verify that the Windows Event Log service is running on the endpoint and do not disable this service. If you disable this service before or after the sensor installation, the sensor does not install or function properly.
Install the required certificates (all OSs)
For more information, see Required Certificates for Cybereason Sensor Installation.
Install additional KBs (Windows)
If you use a supported version of Microsoft Windows, you must also install the following patches on your machines:
OS |
Requires KB |
Notes |
---|---|---|
Windows Server 2008 R2 SP1 |
KB3033929 or KB4474419 |
Required to ensure support for SHA256 signatures. Note that other Microsoft patches may provide this functionality as well. |
Windows |
KB2999226 |
Required for enabling Application Control. |
Install required packages (Linux)
Note
The Cybereason Linux sensor packages are not supported for Linux 32-bit operating systems.
Before you install the Cybereason Linux sensor package on Linux operating systems, verify that the following languages and packages are installed on the endpoint:
Language/Package/Utility |
Required/Optional |
Matching Library |
Notes |
---|---|---|---|
Python 2.6+ or Python 3.x |
Required |
The Cybereason platform supports all Python 3 versions, up to the latest Python version. |
|
iptables or nftables |
Required |
iptables-1.4.21-35.el7.x86_64 |
Required for machine isolation to work. |
libcurl.so.4 |
Required |
libcurl-7.29.0-59.el7_9.1.x86_64 |
|
libnsl.so.1 |
Required |
glibc-2.17-317.el7.x86_64 |
If you experience installation issues on RHEL or CentOS 8.3 or 8.4, see Sensor Fails to Start on RHEL and CentOS 8.3 and 8.4. |
librt.so.1 |
Required |
glibc-2.17-317.el7.x86_64 |
|
libpthread.so.0 |
Required |
glibc-2.17-317.el7.x86_64 |
|
libm.so.6 |
Required |
glibc-2.17-317.el7.x86_64 |
|
libgcc_s.so.1 |
Required |
libgcc-4.8.5-44.el7.x86_64 |
|
libc.so.6 |
Required |
glibc-2.17-317.el7.x86_64 |
|
ld-linux-x86-64.so.2 |
Required |
glibc-2.17-317.el7.x86_64 |
|
libdl.so.2 |
Required |
glibc-2.17-317.el7.x86_64 |
|
libpopt.so.0 |
Required |
popt-1.13-16.el7.x86_64 |
|
libelf.so.1 |
Required |
elfutils-libelf-0.176-5.el7.x86_64 |
|
libattr.so.1 |
Required |
libattr-2.4.46-13.el7.x86_64 |
|
libz.so.1 |
Required |
zlib-1.2.7-18.el7.x86_64 |
|
libudev.so.1 |
Required |
systemd-libs-219-78.el7.x86_64 |
This library is part of the systemd package supported on CentOS 7 and later |
libcap.so.2 |
Required |
libcap-2.22-11.el7.x86_64 |
Enables retreiving and setting Linux capabilities |
librpm.so |
Required |
rpm-devel-4.11.3-48.el7_9.x86_64 |
Allows RPM metadata enrichment for the supported operating system |
librpmio.so |
Required |
rpm-devel-4.11.3-48.el7_9.x86_64 |
Allows RPM metadata enrichment for the supported operating system |
gdb |
Optional |
gdb-7.6.1-120.el7.x86_64 |
Allows maximum debugging capabilities. WARNING: The Cybereason sensor can function without the gdb package but will have reduced debugging capabilities. We recommend installing the ‘gdb’ package to enable these capabilities. |
policycoreutils-devel |
Required (CentOS/RHEL 7.6-7.9, Ubuntu 20.04/22.04) |
Required to use the eBPF framework. See the table below for steps to perform for the eBPF framework. |
If the installation fails, see Linux Sensor Installation Failures.
In addition, in versions 23.2.65 and later, to use the eBPF-related features on Linux machines running Centos/RHEL 7.6, 7.7, 7.8, or 7.9 or Ubuntu 20.04/22.04 (with kernel 5.15), you must do the following:
Step |
Details |
---|---|
Run supported kernel version |
You must have the proper kernel version for your operating system:
|
Debug symbols/kernel header availability |
Debug symbols or kernel headers must be available in their standard location. These kernel configurations must be enabled:
You can check these kernel configurations at /proc/config.gz or /boot/config-<kernel-version> |
Install kernel-devel |
Note The kernel-devel installation requires that perl is installed. If you do not have it installed, you can install it using the yum install perl command or it may be installed automatically. For CentOS version 7.X, you must download and install an RPM package package:
For RHEL version 7.X: In RHEL version 7.X, the machines are under a suitable subscription with RHEL repositories. Make sure the repo rhel-y-server-rpms is active (subscription-manager repos –enable=rhel-7-server-rpms) and run the following command: yum install kernel-devel-$(uname -r)
For Ubuntu 20.04/22.04: On Ubuntu, kernel header files are found under the /usr/src directory. You can check wif the matching kernel headers for your kernel version are already installed on your machine with this command: ls -l /usr/src/linux-headers-$(uname -r)
If the kernel header directory does not exist, install the Linux Kernel headers package: sudo apt install linux-headers-$(uname -r)
|
Add sensor processes to third-party tool allowlists (all OSs)
When you install the Cybereason sensor, some third-party antivirus tools may mistakenly prevent the execution of some Cybereason installation processes. Cybereason recommends that you add the Cybereason installer file as an antivirus exclusion on the third-party tool. In addition, configure the third-party tool to allow the relevant processes in the following tables.
Windows processes (add all processes in the Process name column)
For information about how to resolve conflicts between Cybereason sensors and third-party tools, see Troubleshooting Conflicts between Third-Party Applications and Cybereason.
Open ports for sensor communication (Windows)
On Windows machines, the following ports are used by Windows sensors on the localhost for internal endpoint communication. These ports cannot be used by third-party products while the sensor is installed:
10556
10557
10560
30972
39378
40270
Ports in the range: 49152-65535
Configure your firewall and network to allow sensor communication (all OSs)
Proxy communication |
If sensors will connect to Cybereason servers via proxy servers, you must also complete these tasks:
See Configure Proxy Connection Details for more details. |
Firewall and proxy settings for Signatures mode rule updates |
Enable communication with the Cybereason Global Update servers (all OSs)
If you use the Anti-Malware > Signatures mode, allow communication on port 443 to the Update server URL https://cr-protect.cybereason.net/ and ensure that this URL is allowed. If you are also using a NGAV Global update server, perform the same step for the URL for your NGAV Global Update server.
For larger deployments, you can optionally install an NGAV Local Update Server, which can reduce network usage during the sensors’ first-time signatures update and subsequent signature updates.
Request custom sensor installation packages (All OSs, optional)
For some sensor features, you can ask Technical Support to prepare a custom sensor version with the configuration included in the sensor package. Such features include:
Signatures database file included with the sensor installer
Proxy configuration, including the proxy server address and port to use for sensor communication through a port
Proxy connection information for the Registration server
Enable proxy communication for the Anti-Malware signature database
Sensor uninstallation passwords
Sensor policy ID to assign to the sensor after installation
To use these custom sensor options, open a Technical Support case.
Related resources
Please see our Legal Disclaimer on links to third party web sites.