VMware Carbon Black Endpoint Reviews

CB Defense could be more compatible with Linux, and its cloud provision could be improved.

I've been using CB Defense for two years.

CB Defense is scalable so long as the deployment has been done correctly.

Carbon Black's support team are very slow to answer questions.

The initial setup was fairly easy. Deployment will take one to two weeks, depending on how many endpoints there are.

CB Defense is available on a yearly subscription and is priced by the number of endpoints.

I would recommend CB Defense for users who want an on-prem solution that lets them see the whole process of any event. I would give CB Defense a rating of six out of ten.

Carbon Black is an EDR solution and a Next Generation AV. It works on the basis of machine learning and artificial intelligence. It's used to manage multiple endpoints from a central location and detects alerts on the basis of AI. If we have any custom alerts, they can be triggered or flagged. In that case, we can have a centralized alerting system. It can also be used to isolate, repair, or remediate a machine when it is taken by an attack.

We aren't responsible for managing the infrastructure of this particular tool. We're using it for investigation purposes and to monitor products that are being used by our clients.

It's deployed on a public cloud.

The solution has a library where we can have multiple threat intels onboarded. We just have to subscribe to a particular site intel and they'll provide us with all of the truncated details so that we can create IOCs and alerts on the basis of those IOCs. 

It's one of the best features because there are multiple third-party vendors who can provide us with site intel in one location. You just have to subscribe to them, and they'll start providing you with IOCs. If a new attack starts, you will have all the basic IOCs on that list, which can be used to identify if the same attack is happening in your environment.

We can isolate devices in just two clicks. That's also a great feature. We can remediate and repair devices from a central location. It's not too difficult to use that particular tool. The user interface is very easy to understand. You are not required to roam around the console to find where the alert went. It's easy to resolve that.

When we onboarded Carbon Black, there weren't many EDR solutions available in the market. It was one of the best tools when it was launched. We don't have any complaints with the tool. The tool is very good. It highlights many of the alerts and events.

When you're investigating an alert, you will get a graph and will see the details related to the process that triggered the alert. Below the graph, there are network connections, file modifications, industry modifications, and multiple other activities. If you want to specifically find which additional modification has been performed, you will have to find the log you're searching for. There isn't a search bar to check for file modifications or network connections. In that case, you don't have a search bar, so you have to check each and every event, which could be more than 1,000.

You would have to check 1,000 events manually, or you would have to export sheets to view what you are searching for. If they added a search bar, it would reduce the time it takes to do investigations.

If you want to log into a device, there's a process named winlogon.exe, which is supposed to be initiated. If I'm using Carbon Black, I will have to check where winlogon.exe is being observed or at what time it was being observed. Because there's no search bar, I will have to check for the event in all the device events.

A search bar in the investigation page and some AI-related tasks like outgoing alerts, or recent tactics that are being used in the market, must be embedded in the tool so that it's easier to find alerts. The AI must be stronger so it can identify activity that is actually malicious.

I have used this solution for a year and a half.

It's a stable product.

It's scalable because it's based on the cloud.

It's sensor-based, so you have to install the machine associated with your application. You will have the configuration file and the agent installation file. You'll have to run the configuration file, and then you'll be onboarded to Carbon Black. It's easy.

Deployment was fast. It took 15 minutes.

We have a group of about eight people for maintenance and supervision.

I would rate this solution as eight out of ten.

It's a good tool, but it requires some updates. It doesn't have new features like multi-tactics, which other EDR products are providing.

My advice is to acknowledge or resolve a particular alert because once they resolve, it will be very difficult for you to find that alert. Handle it with care because with just a click, the device will be isolated. It could be a server, host, or network device. If you click the wrong button out of curiosity, it will destroy the machine. It has multiple accesses and won't ask if you're sure if you want to do an activity or not.

We primarily use this product to provide threat intelligence to our SOC about our endpoints.

One of the most valuable features is that it will block vulnerable sites. If there was a connection between one of our devices to a known malware site, it will block it. Then also alerts our SOC.

This product should be cheaper.

I have been working with Carbon Black CB Defense for three years.

Stability-wise, it is good.

I am satisfied with the scalability. We use it across the company and all of the users have it on their laptops. It's a mixture of IT people, finance, doctors, lawyers, dentists, and other professional services. It's a wide range of people and there are about 180 in total.

The technical support is okay.

We also use Sophos Intercept X in our business.

CB Defense is pretty straightforward to set up.

The implementation was done by my own team.

This is a really expensive product and we pay licensing fees on a yearly basis. The subscription includes technical support.

I would rate this solution a nine out of ten.

We use this solution as our endpoint security system. The solution is cloud-based.

The solution is very useful and easy to handle. You don't need much intervention with this product.

The client performance could be improved. When you install it in the client, the performance gets a bit disturbed.

In the user interface, the user needs to have more visibility regarding what's happening because it gives you a very simple client for the user. It doesn't give a full output for the user. It would be great if that could be improved.

I have been using this solution for more than four years. We are working with the latest version.

The solution is really stable. 

It is scalable.

The local technical support is very poor, but the support from headquarters is very nice.

For the local technical support, I would rather rate it at one, even zero, out of five. I would rate the global support at three or four out of five.

We previously used Kaspersky, and we switched to Carbon Black because it's a cloud-based application. It also requires minimum handling and basically runs on its own when you set the policy, so it's very easy.

The solution is a bit complex. Deployment took around six months.

The partners helped us. 

The license is annual. It's a standard license.

I would rate this solution 7 out of 10 because of the support.

The product is very smooth and pretty simple. I like it, and anyone can use it. My advice is to be careful about the partners when you're selecting. 

Carbon Black CB Defense is a multi-purpose solution. We can use it for XDR ADF. This way, if someone is trying to attack one's end point, in which there is a script such as PowerShell, but without a signature, the solution will be aware of such an attack and respond accordingly. It will detect the behavior and respond to the SOC.

The solution will prevent communication of one compromised device with another. 

In the month-long evaluation of the solution that we conducted, we found the POC to not be helpful, owing to the issue the client encountered with the platform, the operating system, which did not lend adequate support. 

While we paid for both on-cloud and on-premises deployment, the issue is not with the entrepreneur's upload, but with the end point. 

And do you have already some customers regarding Carbon Black?

Syed Faisal:
No, even Carbon Black, everyone has this solution for Windows IoT and Linux environment. But this is something called the product called Dell. This is a Dell based, [inaudible 00:02:31]. More or less the Dell [inaudible 00:02:33] which is running Dell customer OS, [inaudible 00:02:39]. But unfortunately we cannot install the agent on it.

The licensing price is a bit expensive when compared with other solutions. 

We've been using Carbon Black CB Defense for just a month. 

The solution is scalable. 

The solution is stable and the policy can be configured with flexibility. The solution comes with its own pre-built standard policy. Yet, we can write our own, which means the solution serves us going forward. 

The tech support is mostly okay. 

The solution is very easy to install.

Full deployment takes no more than an hour. 

Installation can be done on one's own. 

The licensing is a bit pricier than other solutions. 

We pay for the license annually. 

While I do not know the exact number of customers making use of the solution, my understanding is that most of the MNC, multinational companies, and the majority of the banking sector are doing so. 

I would recommend the solution to others.

I rate Carbon Black CB Defense as a nine out of ten.

We primarily use the solution for operations and also security. On the security front, we have a specific project that's ongoing right now. We are moving away from the on-prem Carbon Black to the cloud one. 

We primarily use the solution for endpoint protection.

The protection of the user machines has been great. For example, if a laptop gets stolen, or let's say, an employee gets let go, the product provides us with the ability to actually lock people out of the network and handle remote wipes and stuff like that.

The initial setup is very easy.

The on-prem one was very problematic, especially version 7.2, which did not play nice with Symantec at all. The last upgrade of the client actually triggered a block to the networking, to our active directory domain controllers.

There was a bug that we found was in Macs. It was triggering false positives as it wasn't able to figure out the right parent upon login. With the Carbon Black Cloud, we just got it two to three weeks ago. So far, I haven't seen any false positives. The cloud seems to be a much better product. 

With the on-prem one, the bug has been reported by the community in early January or February, something like that, at the beginning of the year, and it's still not addressed. They have released two versions since then, and yet neither of them addresses this specific issue.

I need more time to explore the cloud deployment, as we've only had it for three weeks at this point. 

It's been at least four years since we started using the solution. Four or five years.

We started with the on-prem one and now we're in yet another project with a cloud deployment.

While the on-prem has some bugs we have been dealing with, so far, after using the could for three weeks, it's like night and day. It's been very stable. There are no bugs or glitches.

I'm not aware of the scalability capabilities yet, as I don't have the entire company on it yet. We are still in testing mode. We just got the cloud deployment three weeks ago. So I can't really answer that truthfully.

Right now, we have seven people on the solution currently.

We haven't yet used the technical support. I can't speak to how helpful or responsive they would be.

That said, we did use technical support when we were on the on-premises version, and they were terrible. We would ask for bug fixes and new versions would come and yet they would not actually fix the problems that were highlighted.

We also use Red Cloak, which is a completely different prody=uct and something that we still use. 

The initial setup is very simple. The cloud version in particular is very simple. It's not overly complex or difficult.

I'm not dealing with the pricing. I can't speak to the costs involved.

There are two versions of Carbon Black that VMware has, one of them is the on-prem one and the endpoint clients are in the user machines and servers, so AWS and data center and VSS.

I'd advise those interested in the solution to go with the cloud deployment model. We've had a lot of issues with the on-premises version.

I'd rate the solution at a seven out of ten. There seems to be quite a disparity between the cloud and on-premises versions. 

The product is an endpoint security product. It's kind of like a replacement for a traditional antivirus.

One of the strong features of the product is its endpoint visibility. It gives you more visibility than a traditional antivirus would give you.

The visibility provided has been great.

The ease of deployment is definitely a great selling feature.

The stability is good and the product is pretty lightweight.

The solution scales well.

The reporting could be improved. Some of the built-in reporting isn't ideal. They have an API and everything you need that you can kind of hook into the product pretty easily, however, it'd be nice to have some built-in reports instead of having to seek them elsewhere.

The solution needs expanded endpoint query tools.

I've been using the solution for about a year.

The stability of the solution is good. There are no bugs or glitches. It doesn't crash or freeze. It seems to be a little bit lighter on resources than our previous antivirus.

The product can be scaled pretty high. We have about 3000 sensors deployed. However, it can go a lot higher than that. It depends on your internet connection for the reporting or the information, basically.

We have kind of a desktop security team that is about five individuals that administer the product part-time, and that can access the console. A couple of them are the ones that spend the most time in it.

We use the solution extensively and we may look at expanding the EDR  - stepping up to one of the other products and adding capabilities. Therefore, we're likely to increase usage in some form in the future.

Technical support needs some improvement. They don't seem to respond so well to technical help. The good thing is we don't need that much, however, they need to probably improve that a little bit for others who might require more assistance.

We had McAfee antivirus and it was difficult to tune the policy without compromising security, I would say. Its footprint was a little high. Its performance wasn't that great in terms of end-point performance.

The solution is easy to deploy. The implementation process is simple. It's not overly complex or difficult. 

While the rollout is pretty easy, you have to kind of tune it a little bit for applications as it discovers them.

To deploy a sensor, it takes just a couple of minutes or so. Then, to kind of tune the policy itself, you are probably looking at a couple of weeks.

Initially, we use the services provided by the vendor, like an on-ramp kind of service. They were great. The team was pretty helpful. 

We pay about $15 a node. It's just a standard licensing fee and that's it.

I'm just a customer and an end-user.

I've been using the latest version of the solution.

The sensors are on-premises, however, the console is in the cloud. It's a VMware product that runs on Amazon.

I'd advise those considering the solution to seek out some of the training to see if you can get it bundled in with the deployment. The more advanced training, to kind of how to tune the policy and stuff like that, would be helpful to have.

I'd rate the solution at an eight out of ten as there's still room for improvement in things like reporting. However, the impact on performance and the ability to have greater visibility were pluses in my book.

The solution is  deployed in our computers in the company. However, I can't speak to the use cases, as I'm still quite new to the company.

After we apply some policies we will receive, for example, alerts. We'll look at the devices that have given us alerts and we'll look to see if there is an issue. Then we can prioritize the issues into high and low categories.

We try to know what is a malicious file or malicious application and we can investigate what's happening according to the alerts in Carbon Black. Many times we've found that our policies avoid false positives. That said, sometimes, we have false positives and we get many alerts. We're working with this in Carbon Black.

Carbon black is basically blocking my application. I cannot open files and I cannot install software without it passing the policies. Not just any application can be installed on our computers. They need to be pre-approved. If we need to, however, we can manually bypass to finish an installation.

The solution allows you to override it and manually install an application if you need it ti.

It's very good at alerting you to malicious content or unauthorized software. 

We can access computers remotely if we need to.

Sometimes the solution blocks items that were previously approved and we don't know why.

It is sometimes hard when I attempt to investigate, to know the commands. It's not easy to do that. You need to upload the right information.

Occasionally, when we get alerts, we don't get all the information we need, such as the computer's serial number.

If I reveal an alert in a new window, I need to go back to the main link as it doesn't work.

Sometimes we need to close the solution and then open it up again.

Occasionally, we'll have issues with the latest version and they'll basically tell us that they will improve it in the next iteration. They need to work on their version release quality.

It would be good to have more information about the devices. If you get an alert that a malicious file is on your computer, Carbon Black really doesn't give you the full picture. We also need to wait for the user who owns the computer to be online before we can investigate everything. It's hard when you are working across time zones.

I started using the solution two weeks ago. I don't have a lot of experience with it just yet.

The stability could be better. It changes from version to version and from day to day. Sometimes it works perfectly, and sometimes there are issues and we need to close it and re-open the application.

We do have a person at Carbon Black that, if we have issues, we can reach out to. We let them know when we are having problems and they try to assist. I can't recall if it's email or some other type of internal support system that we go through.

Sometimes they have answers for us, and sometimes we have to wait for a new version. There's no guarantee our problems will be fixed immediately.

By the time I joined the company, the solution was already deployed. I was not part of the implementation process. I can't speak to how easy or difficult the solution is to implement.

We have deployed different versions of the solution. At this moment we have 3.5 or we have, for example, for Windows we have 3.1. We deploy it to many computers and in different countries. You need to upgrade or maybe you need to downgrade, depending on the device it's attached to. For example, we have many servers including 2016 and 2019 versions, and then we have different versions of Windows.

When we decide to deploy a new version we deploy it throughout the region. We have been in America, Asia, and Europe. 

I'd advise other potential users that, like any solution, you need to know how to use it, you need to know how to implement, and you need to know how to do the best configuration and update that configuration. If you don't have a good configuration on any application, it will work not for you.

In general, the solution is good. I would rate it at an eight out of ten.