Install Sensors for Windows

When you install sensors for Windows, you have two different options for how to deploy the sensors:

Installation option

Details

Install Full Stack and Replace 3rd Party Antivirus

You can use the Cybereason sensor as a full endpoint protection tool that replaces your existing antivirus tool. Used in this way, Cybereason provides a full stack of endpoint protection and EDR functionality.

With this type of installation, you must remove the third-party antivirus from the machine.

Install Alongside 3rd Party Antivirus

If you do not wish to replace your existing antivirus tool, you can install the Cybereason sensor alongside it on your endpoints. Used in this way, Cybereason complements your existing tool with additional endpoint protection and EDR features.

With this type of installation, you can enable all Cybereason features, except for the Anti-Malware > Signatures mode feature, which must remain disabled.

Step 1: Create and configure sensor policies and groups

To ensure you are protecting your endpoint machines immediately after sensor installation, you should create sensor security policies and the necessary sensor groups before you install any sensors.

Create and configure sensor security policies

Cybereason recommends configuring sensor policy settings before installing sensors. Configure these settings from the System > Policy management screen. For details on how to create a sensor policy, see Sensor Policies.

Depending on whether you are using an existing antivirus program or replacing your existing antivirus program with your Cybereason sensor, you set the Anti-Malware > Signatures mode differently:

Keep existing antivirus program

In the Anti-Malware screen of your sensor policy, do not enable the Signatures mode, so as not to interfere with your third-party antivirus.

For additional protection, you can set the Anti-Malware feature to On and enable the Artificial Intelligence and Behavioral document protection features.

Replace existing antivirus

In the Anti-Malware screen, enable Signatures mode. You can set the other Anti-Malware settings as needed to suit your needs.

Once you install sensors, the sensors receive the settings in your assigned policies.

Note

Some sensor security settings can also be configured using sensor personalization or installation parameters, with the assistance of Technical Support.

Create and configure sensor groups

If you choose to use sensor groups, create them before installation so that sensors are assigned to a group automatically on installation, in one of the following ways:

  • Download the group-specific installation package. The group-specific installation packages assign the sensor to a specific sensor group after installation.

  • Add logic to the group to automatically assign certain sensors to a specific group on installation. See Create group assignment logic for details on how to create assignment logic.

Note

Sensors installed with a group-specific installation package ignore sensor grouping logic.

Step 2: Download the sensor installation file

Download the sensor installer file from the System > Overview screen:

  1. In the Overview screen, select Download Cybereason Installers. The installation options pane appears.

  2. If needed, select a sensor group. The group-specific installation packages assign the sensor to a specific sensor group when installed.

  3. Select the appropriate Windows package.

    1. Installer file with signatures included (32 bit and 64 bit) (recommended) - Supported on Windows only

    2. Installer file without signatures (32 bit and 64 bit)

    If you choose the first option to use an installer file with signatures included, you avoid sensors having to download the signatures database (~300 MB) upon first time update, conserving network resources. This option to include the signatures also protects machines from malware as soon as the sensor is installed, since the sensor does not have to wait to download the signature database to the endpoint machine. Open a Technical Support case to enable this option.

    If you are using the Cybereason sensor on a machine with another antivirus program, you do not need to enable the option to have an installer file with the signatures included.

    Note

    Sensor admin L1 users can download a group-specific installation package for groups specified in their user settings from the System > Sensors screen.

The installer files use the following naming pattern:

ActiveProbe_22_1_7_0_<Org_Name>_<Server_URL>_443_ACTIVE_NORMAL.exe (Windows) / .pkg (Mac) / .rpm (Linux)

The file name contains all necessary information to configure the Cybereason sensor:

  • Sensor version

  • Organization name

  • Cybereason Detection Server IP address or DNS name

  • Server port (default is 443)

  • Default collection state (ACTIVE_NORMAL is the default)

Sensors that run on Windows machines include EDR and NGAV components. By default, NGAV features are disabled, no kernel drivers are installed, and the sensor runs in user space only. If you enable features that require drivers (Anti-Malware > Signatures, Anti-Malware > Artificial Intelligence, and Application Control), the drivers that support these features are installed in the kernel automatically.

Step 3: Uninstall existing antivirus if needed

If you are using the Cybereason sensor to replace an existing antivirus program, the Cybereason platform’s Anti-Malware > Signatures mode cannot function properly alongside another antivirus. Before enabling Signatures mode, uninstall any existing antivirus tools on the endpoints and reboot the endpoint machine to completely remove these tools from the endpoint machine’s memory.

Note

Cybereason works together with the Windows Security Center. In some cases, Windows Defender is disabled automatically when the Anti-Malware > Signatures mode is enabled. In other cases, Windows Defender is not disabled automatically - for example, on Windows Server 2016, Windows 7 (in some cases), or if Windows Defender was enabled via Group Policy. Also, components of Windows Defender such as antispyware may remain enabled even if its antivirus component is disabled.

Therefore, Cybereason strongly recommends disabling Windows Defender manually before enabling Signatures mode.

Other Endpoint Protection features can run alongside any existing antivirus, including Windows Defender. Therefore, if Anti-Malware > Signatures mode is disabled, Windows Defender is not disabled automatically.
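The following pre-check script is an added example, not Cybereason tooling. It reports what an administrator needs to know before enabling Anti-Malware > Signatures mode on a machine: which antivirus products are still registered with Windows Security Center, whether Windows Defender (and its antispyware component) is still enabled, whether a Group Policy key is keeping Defender on, and, on Windows Server, whether the Defender feature is installed. It only reports; it does not change anything. The productState bit decoding is the commonly used convention, not something the page states.

```powershell
# Added example (not Cybereason's own code): readiness check before enabling
# Anti-Malware > Signatures mode. Reports only; makes no changes.
function Get-SignaturesModeReadiness {
    $report = [ordered]@{}

    # 1. Antivirus products registered with Windows Security Center.
    #    The root/SecurityCenter2 namespace exists on client SKUs only.
    try {
        $products = Get-CimInstance -Namespace 'root/SecurityCenter2' `
                                    -ClassName 'AntiVirusProduct' -ErrorAction Stop
        $report.RegisteredAv = @($products | ForEach-Object {
            # Convention: bit 0x1000 of productState set => product reports itself enabled.
            [pscustomobject]@{
                Name    = $_.displayName
                Enabled = (($_.productState -band 0x1000) -ne 0)
            }
        })
    } catch {
        $report.RegisteredAv = 'unavailable (no Security Center namespace, e.g. Windows Server)'
    }

    # 2. Windows Defender's own status. Antispyware can stay on after antivirus is off.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp) {
        $report.DefenderAntivirusEnabled    = $mp.AntivirusEnabled
        $report.DefenderAntispywareEnabled  = $mp.AntispywareEnabled
        $report.DefenderRealTimeProtection  = $mp.RealTimeProtectionEnabled
    } else {
        $report.DefenderStatus = 'Defender cmdlets unavailable on this machine'
    }

    # 3. Group Policy enforcement: if this key exists, Defender state is managed
    #    centrally and will not be switched off automatically by Security Center.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $report.DefenderPolicyPresent = Test-Path $policyKey
    if ($report.DefenderPolicyPresent) {
        $report.DefenderPolicyValues = @((Get-ItemProperty $policyKey).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "$($_.Name)=$($_.Value)" })
    }

    # 4. Windows Server: Defender is a feature (ServerManager module) and must be
    #    removed rather than merely disabled.
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsFeature -Name 'Windows-Defender' -ErrorAction SilentlyContinue
        if ($feature) { $report.DefenderFeatureInstalled = $feature.Installed }
    }

    # 5. One-line verdict for deployment tooling.
    $blocking = @()
    if ($report.RegisteredAv -is [array]) {
        $blocking += $report.RegisteredAv | Where-Object { $_.Enabled -and $_.Name -notmatch 'Cybereason' } |
                     ForEach-Object { $_.Name }
    }
    if ($mp -and $mp.AntivirusEnabled) { $blocking += 'Windows Defender antivirus' }
    if ($mp -and $mp.AntispywareEnabled) { $blocking += 'Windows Defender antispyware' }
    $report.ReadyForSignaturesMode = ($blocking.Count -eq 0)
    $report.StillActive            = $blocking

    [pscustomobject]$report
}

Get-SignaturesModeReadiness | Format-List
```

Run it from an elevated session on a pilot machine before switching Signatures mode on in the policy; if StillActive lists anything other than the Cybereason sensor, uninstall or disable that product, reboot, and re-run the check. A DefenderPolicyPresent value of True explains the case the Note above describes, where Defender is not disabled automatically.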

Step 4: Install the sensor using the command line

You install the sensor for Windows across your organization by running the installer file in the command line, using a software distribution tool.

Note

For installation on single machines, you can open the installer file on the endpoint and install the sensor using the installation wizard. This may be useful for testing purposes, but is not practical for large scale deployment.

Use the following syntax to install the sensor and specify sensor settings using the Windows command line:

<installer file name> /install /quiet /norestart -l <LogFilePath> /v "InstallFolder="C:\MyInstallDirectory"" <installation parameter>=<installation parameter value>

Note

You must have administrative privileges to run the installation command.

This command includes the following parameters:

  • <installer file name> - The name of the installer file used to install the sensor.

  • /install - Installs the sensor.

  • /quiet - Suppresses all prompts and UI during the installation process.

  • /norestart - Prevents the installer from restarting the machine when installation completes.

  • -l <LogFilePath> - Writes an installation log file to the specified path.

  • /v "InstallFolder="<different install folder>"" - Optional; installs the sensor in a folder other than the default folder.

Note

If the folder path includes spaces, you must escape the spaces with quotes to prevent the command from failing. For example: /v "InstallFolder="C:\Program" Files".

For example, if you added all the parameters above, you would have the following command:

<installer file name> /install /quiet /norestart /v "InstallFolder="<installation folder>"" -l <log file path>

You can optionally set installation parameters to customize sensor features. Installation parameters override sensor personalization settings in a custom sensor package you receive from Technical Support and settings adopted from the assigned security policy. See Supported sensor installation parameters for a list of installation parameters.

Important

When installing the sensor via SCCM, command line, or other third-party deployment tools, and when using GPO, do not set ALLUSERS=1 (per-machine installation context), as this can cause issues with sensor upgrades. This property should remain ALLUSERS="" (empty string, per-user installation context). See the Microsoft article on the ALLUSERS property for more information.

Important

After installation, never delete files from the Windows Installer cache, which is in the %windir%\Installer folder. Deleting files from this folder can cause severe issues with sensor upgrade and uninstall.

The Cybereason platform installs the sensor to the C:\Program Files\Cybereason ActiveProbe and C:\Cybereason Execution Prevention folders.
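The script below is an added example of wrapping the Step 4 command line for use from a software distribution tool; it is not Cybereason's own deployment code. It verifies elevation, parses the installer file name to confirm the package points at the expected Detection Server before anything runs, builds the argument list in the documented syntax without setting ALLUSERS, checks the installer exit code, and performs a basic post-install sanity check. The expected server name, the log location and the service name CybereasonActiveProbe used in the final check are assumptions, not taken from the page; any installation parameters passed through (for example AV_SIGNATURE_PATH) must be ones listed in Supported sensor installation parameters.

```powershell
# Added example (not Cybereason's own tooling): deployment wrapper for the
# command-line installation. Assumptions: $ExpectedServer, $LogPath default,
# and the service name used in the final check.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $InstallerPath,
    [string]    $ExpectedServer = 'acme.cybereason.net',          # assumption: your Detection Server
    [string]    $InstallFolder,                                   # optional; default folder if omitted
    [string]    $LogPath = "$env:ProgramData\cybereason-install.log",
    [hashtable] $InstallParams = @{}                              # e.g. @{ AV_SIGNATURE_PATH = '\\fs01\sigs\signatures.zip' }
)

# Installation requires administrative privileges.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal] $identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this script from an elevated (administrator) session.' }

# The file name encodes version, organization, server, port and collection state.
# Parse it and refuse to deploy a package that targets the wrong server.
$name    = [IO.Path]::GetFileName($InstallerPath)
$pattern = '^ActiveProbe_(?<ver>\d+_\d+_\d+_\d+)_(?<org>.+?)_(?<server>[^_]+)_(?<port>\d+)_(?<state>[A-Z]+(?:_[A-Z]+)*)\.exe$'
if ($name -notmatch $pattern) { throw "Unexpected installer file name: $name" }
$pkg = [pscustomobject]@{
    Version = ($Matches.ver -replace '_', '.')
    Org     = $Matches.org
    Server  = $Matches.server
    Port    = [int] $Matches.port
    State   = $Matches.state
}
Write-Verbose ('Package: v{0} org={1} server={2}:{3} state={4}' -f `
               $pkg.Version, $pkg.Org, $pkg.Server, $pkg.Port, $pkg.State)
if ($pkg.Server -ne $ExpectedServer) {
    throw "Package targets $($pkg.Server); expected $ExpectedServer."
}

# Build the argument list in the documented syntax. Elements containing spaces are
# pre-quoted because Start-Process joins the list with spaces. ALLUSERS is
# deliberately left unset (per-user context), as the Important note above requires.
$argList = @('/install', '/quiet', '/norestart', '-l', "`"$LogPath`"")
if ($InstallFolder) { $argList += @('/v', "`"InstallFolder=`"$InstallFolder`"`"") }
foreach ($key in $InstallParams.Keys) { $argList += "$key=$($InstallParams[$key])" }

$proc = Start-Process -FilePath $InstallerPath -ArgumentList $argList -Wait -PassThru -NoNewWindow
switch ($proc.ExitCode) {
    0       { Write-Host 'Sensor installed.' }
    3010    { Write-Warning 'Sensor installed; installer reports a reboot is required (ERROR_SUCCESS_REBOOT_REQUIRED).' }
    default { throw "Installer exited with code $($proc.ExitCode); see $LogPath" }
}

# Post-install sanity check: install folder present and sensor service running.
$folder = if ($InstallFolder) { $InstallFolder } else { 'C:\Program Files\Cybereason ActiveProbe' }
if (-not (Test-Path $folder)) { Write-Warning "Install folder not found: $folder" }
$svc = Get-Service -Name 'CybereasonActiveProbe' -ErrorAction SilentlyContinue   # assumption: service name
if ($svc) { Write-Host "Service $($svc.Name): $($svc.Status)" }
else      { Write-Warning 'Sensor service not found under the assumed name CybereasonActiveProbe; verify in System > Sensors.' }
```

Invoke it as .\Install-Sensor.ps1 -InstallerPath .\ActiveProbe_22_1_7_0_acme_acme.cybereason.net_443_ACTIVE_NORMAL.exe -Verbose (constructed file name). If you pass an InstallFolder whose path contains spaces, apply the quoting shown in the Note above rather than the simple nested quotes used here.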

Depending on whether you select the option to install the sensor with the signatures database or not, the result is different:

Signatures database included (Windows only)

When you run the installer file, the installer also installs the signatures database file as well as the sensor. You can optionally move the signatures database zip file to a different location (e.g to a shared network drive where it is available for multiple machines). If you do this, you must specify the full path to this file using the AV_SIGNATURE_PATH installation parameter. If this parameter is not specified, the exe and signatures files must be located in the same folder during installation.

No signatures database

If you select the installer file without signatures, after you enable Anti-Malware > Signatures mode, the sensor automatically downloads the signatures database (~300 MB) from the NGAV Global or Local Update server. This download happens within 15 minutes of installation and can take several minutes to complete, depending on network speed. While the first time update is in progress, Anti-Malware does not protect the machine. After it completes, the machine is protected, and if the end user hovers over the Cybereason system tray icon, the status Your PC is protected displays.

After installation, a Cybereason icon appears in the end user's system tray, and desktop notifications appear if malware is detected or prevented. See System tray icon and notifications for details on how to show or hide the system tray icon and configure notifications.

It is not necessary to reboot after installing the sensor and enabling the Anti-Malware > Signatures mode. When re-installing the sensor after uninstalling it, a reboot may be necessary for the Anti-Malware > Signatures mode to function. If a reboot is necessary, this is indicated in the System > Sensors screen.

Ongoing signature updates

Sensors automatically retrieve signature updates from the Update server on a frequent basis. By default, signature updates occur every 15 minutes. To change the update frequency, update the value in the Set advanced configuration options section of the Anti-Malware screen in your sensor policy.

To ensure continuous protection for the entire organization, all machines receive updates as follows:

  • Machines on your network receive signature updates from the NGAV Local Update server (or from the NGAV Global Update server, if no Local Update server exists).

  • Machines not on your company network receive signature updates from the NGAV Global Update server.

During each signature update, the sensor first attempts to download the update from the NGAV Local Update server, if such a server is configured. If this attempt fails (because DNS resolution of the server address failed, or the HTTP connection timed out after 30 seconds), the sensor connects to the NGAV Global Update server and downloads the signature updates from there.

Note

Signature updates are not performed on isolated machines, even if a Local update server is used.
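The function below is an added example, not part of Cybereason's documentation or product, for checking from a deployment host whether the Local-then-Global fallback described above can succeed: it resolves each server name and then attempts an HTTPS request with the same 30-second timeout the sensor uses. Both hostnames and the use of HTTPS on port 443 are assumptions; substitute the addresses configured for your environment.

```powershell
# Added example (not Cybereason's own code): reproduce the sensor's update-server
# fallback order to diagnose why sensors fall back to the Global server.
function Test-UpdateServerPath {
    param(
        [string] $LocalServer  = 'ngav-update.corp.example',   # assumption: your NGAV Local Update server
        [string] $GlobalServer = 'ngav-update.example.com'     # assumption: NGAV Global Update server
    )
    $order = @()
    if ($LocalServer) { $order += $LocalServer }
    $order += $GlobalServer

    foreach ($server in $order) {
        # Failure mode 1 on the page: server address resolution fails.
        try {
            $addrs = [Net.Dns]::GetHostAddresses($server)
        } catch {
            Write-Warning "$server : DNS resolution failed ($($_.Exception.Message)); trying next server"
            continue
        }
        # Failure mode 2 on the page: HTTP connection timeout (30 seconds).
        try {
            $resp = Invoke-WebRequest -Uri "https://$server/" -Method Head -TimeoutSec 30 `
                                      -UseBasicParsing -ErrorAction Stop
            return [pscustomobject]@{
                Server   = $server
                Address  = ($addrs | Select-Object -First 1).IPAddressToString
                Status   = [int] $resp.StatusCode
                Fallback = ($server -eq $GlobalServer -and $LocalServer)
            }
        } catch {
            Write-Warning "$server : HTTPS request failed ($($_.Exception.Message)); trying next server"
        }
    }
    Write-Warning 'Neither update server is reachable; sensors on this network will not receive signature updates.'
    return $null
}

Test-UpdateServerPath -Verbose
```

A result with Fallback set to True means the Local Update server is misconfigured or unreachable and every sensor on that network is pulling the full signature set from the Global server instead, which is usually the cause of unexpected WAN traffic after a large deployment.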