Endpoint Detection and Response (EDR)

Protect your endpoints and unify IT security in one solution.

How Do I Sign Up?

Follow these steps to start recording endpoint activity data:

Step 1

Sign up for a free Armor demo.

Step 2

Log into Armor EDR.

Step 3

Purchase your licenses in the Armor Management Portal (AMP).

Step 4

Install Armor Anywhere and the EDR subagent on the desired machines.

Product Overview

Incident Detection and Incident Response for Hybrid Deployments

Armor's Endpoint Detection and Response (EDR) is an advanced security detection and incident response solution delivering continuous visibility to Security Operations and Incident Response teams across an organization's end user IT estate. EDR can be installed on laptops, desktops, and servers, giving Customers a 360-degree detailed overview of endpoint activity.

EDR provides next-generation endpoint protection, identifying suspicious activities and events, and performing validation on detected threats, along with identifying anomalies and suspicious behavior patterns. The EDR product also provides next-gen anti-virus technologies to prevent malicious executables from firing in your environment.

Features

Continuous Visibility

You can't stop what you can't see.

Investigations that typically take days or weeks can be completed in just minutes. EDR collects and visualizes comprehensive information about endpoint events, giving security professionals unparalleled visibility into their environments.

Scale the Hunt

Never hunt the same threat twice.

EDR combines custom and cloud-delivered threat intel, automated watchlists and integrations with the rest of your security stack to efficiently scale your hunt across even the largest of enterprises.

Respond Immediately

The days of constantly reimaging are over.

An attacker can compromise your environment in an hour or less. EDR gives you the power to respond and remediate in real time from anywhere in the world. EDR makes it easy to quickly contain threats and repair the damage to keep your business going.

Pricing

Pricing for EDR is per license purchased with an initial minimum of 25 licenses.

EDR Technical Information

Supported Operating Systems

WINDOWS

Currently, Armor is only operating on CB Cloud v3.5.1 for following Windows operating systems:

Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Microsoft Windows Server 2016
Microsoft Windows Server 2019
Microsoft Windows 10

We are not supporting Windows 11 at this time.

LINUX

Currently, Armor is only operating on CB Cloud v2.8.0 for following Linux operating systems:

OS	Version
CentOS	7.X 8.X
RHEL	6.X 7.X 8.X
Ubuntu	16.X 18.X 20.X
Amazon	2
Oracle	6.X 7.X
Suses	12 15
Debian	9 10 (untested)

MacOS

Currently, Armor is only operating on CB Cloud v3.5.1 for following Mac operating systems:

macOS High Sierra
macOS Mojave
macOS Catalina
macOS Big Sur
- installation on Big Sur requires special instructions, see documentation

macOS 10.15 (Catalina) devices installed with macOS sensors 3.3.3+ may require a reboot.
macOS 10.13+ devices installed with macOS sensors 3.1+ require new Apple KEXT approval. Unapproved sensors will enter bypass mode.

We are not supporting MacOS 12 Monterrey at this time.

System Requirements

HARDWARE	NETWORK
CPU: 2GHz multi-core RAM: 2GB Disk Space: 500MB +600MB if local scanning is enabled or using ThreatHunter. Network Card: 100/1000 mbps Additionally for Linux systems need 100 MB free space on the /opt partition and 4.1 GB free on the /var partition	TLS: 1.2 or later Minimum Network used during light usage is 1k bytes/sec read/writes each Primary port 443 and fail over port 54443 Firewall or proxy should be configured with a bypass rule to allow outgoing connections over TCP/443 as well as Cb Defense's alternate port TCP/54443.

Configure firewalls or proxies to allow outgoing and incoming connection to the following Destinations without packet inspection. Per link - https://www.dell.com/support/article/en-us/sln319296/vmware-carbon-black-cloud-endpoint-sensor-system-requirements?lang=en

FUNCTION	PRIMARY PORT	BACKUP PORT	DESTINATION
Administration	443	54443	defense-prod05.conferdeploy.net/
Client	443	54443	dev-prod05.conferdeploy.net/
Integration Services (API)	443	54443	api-prod05.conferdeploy.net/
Signature Updates	443	N/A	updates2.cdc.carbonblack.io
Online Certificate Status Protocol	80	N/A	ocsp.godaddy.com
Certificate Revocation List	80	N/A	crl.godaddy.com

Configure TCP/443 and TCP/54443 for the below destinations as well.

BACKEND URL	API URL	SENSOR URL
https://dashboard.confer.net	https://api.confer.net	https://devices.confer.net
https://defense.conferdeploy.net	https://api5.conferdeploy.net	https://dev5.conferdeploy.net
https://defenseprod05.conferdeploy.net	https://apiprod05.conferdeploy.net	https://devprod05.conferdeploy.net
https://defenseeu.conferdeploy.net	https://apiprod06.conferdeploy.net	https://devprod06.conferdeploy.net
https://defenseprodnrt.conferdeploy.net	https://apiprodnrt.conferdeploy.net	https://devprodnrt.conferdeploy.net

Signature URLs:

http://updates2.cdc.carbonblack.io/update2 (TCP/80, default definition update server)
https://updates2.cdc.carbonblack.io/update2 (TCP/443, default definition update server for sensor versions 3.3+)

Third-party certificate validation URLs (sensor version 3.3+: optional but recommended and on by default):

http://ocsp.godaddy.com (TCP/80, Online Certificate Status Protocol [OCSP]) • http://crl.godaddy.com (TCP/80, Certificate Revocation List [CRL])

EDR Features and Supported OS Types

EDR Feature	WINDOWS	LINUX	MAC	LINUX	LINUX	LINUX	LINUX
Agent Installation	Windows 10 20H1 v19041.208	RHEL/CentOS 7.0 - 7.8	macOS 10.15.1 - 10.15.6 (Catalina)	RHEL/CentOS 6.6 - 6.10	Ubuntu 16 & 18	SUSE SLES 12 & 15	Amazon Linux 2
Generate Alerts and Events	Yes	Yes	Yes	Yes	Yes	Yes	No
Policies	Yes	Yes	Yes	Yes	Yes	Yes	Yes
CB Event Forwarder Configuration	Yes	Yes	Yes	Yes	Yes	Yes	Yes
CB Event Forwarder Installation	No	64-bit CentOS 6.x Linux machine	No	Yes	No	No	No
Quarantine/Unquarantine	Yes	No	Yes	No	No	No	No
Enable/Disable Bypass	Yes	No	Yes	No	No	No	Yes
Background Scan	Yes	No	Yes	No	No	No	No
On Demand Scan	Yes	No	No	No	No	No	No
Blocking and Isolation of applications
Known malware	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Application on the company banned list	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Unknown application or process	Yes	No	Yes	No	No	No	No
Adware or PUP	Yes	No	Yes	No	No	No	No
Suspected malware	Yes	No	Yes	No	No	No	No
Not listed application	Yes	No	Yes	No	No	No	No
USB Device Blocking	Yes	No	No	No	No	No	No
Sensor Settings
Allow user to disable protection	Yes	No	Yes	No	No	No	No
Enable private logging level	Yes	No	Yes	No	No	No	No
Run background scan - Standard	Yes	No	Yes	No	No	No	No
Run background scan - Expedited	Yes	No	No	No	No	No	No
Scan files on network drives	Yes	No	Yes	No	No	No	No
Scan execute on network drives	Yes	No	Yes	No	No	No	No
Delay execute for cloud scan	Yes	No	No	No	No	No	No
Hash MD5	Yes	No	Yes	No	No	No	No
Use Windows Security Center	Yes	No	No	No	No	No	No
Sensor UI: Detail message	Yes	No	Yes	No	No	No	No
Submit unknown binaries for analysis	Yes	No	No	No	No	No	No
Auto-delete known malware hashes after	Yes	No	Yes	No	No	No	No
Require code to uninstall sensor	Yes	No	Yes	No	No	No	No
Enable Live Response	Yes	Yes	Yes	Yes	Yes	Yes	Yes

Useful Links

Getting Started

Install and Uninstall

Troubleshooting Guide

FAQs

Armor Toolbox (Agent 3.0)