VMware Carbon Black Endpoint Reviews

We have a dedicated team using this solution. They create incidents, escalate the incidents, and then respond to the events detected by the EDR.

The best feature of this solution is that we have a live response, which is really tailored to our needs. 

There is no option for the solution to block automatically based on behavior. First, the solution needs a lot of time to record all the behaviors. Then, we manually have to create a behavior analysis rule to detect any malicious activity. The solution would be improved and be more effective if there was a way for this process to be done automatically.

We have been using this solution for six to seven months. 

The solution is not always ideal, but it is pretty stable. We did face a few issues, in the response feature for example, but they were resolved.

At this point we have not encountered any issues with scalability, but time will tell how much scaling is feasible for us.

The customer support is average. At times I feel like they should have responded to us immediately because we had some issues that needed an immediate reply, but their response was a bit slow. However, overall, they're good and the support is acceptable.

It was not easy and we faced challenges, but it was okay. We're also dealing with an issue involving multiple unsupported OS's because we have so many Linux products in our infrastructure. I would rate the initial setup as a three out of five, with one being difficult and five being easy.

This is a good solution, but there are a lot of improvements needed. I am overseeing the project part of the solution, not the deep technical side. As far as my knowledge is concerned, it's an easy-to-use solution and it has many good features, but it also has many features that require improvement. I would rate the solution as a six out of ten. 

I know they have different forms in their Carbon Black Endpoint now, but we were using Carbon Black Prevent, which was basically just a pure whitelisting product. We didn't look at the other kinds of things that it was doing.

We were basically just using it for, "If Carbon Black picks up a new file in the machine and it's executable or something and it hasn't seen it before, it has to be whitelisted first. It has to be approved before it's allowed to run." That's what we're using it for.

We were technically one and a half versions behind the current version which is out there right now.

The solution is deployed on-prem.

We have cut back the amount of users. At one point, we had about 1,500 or 2,000 users. We're down to about 750 right now.

The solution just gave us another layer of protection from zero-day threats, because you can't always trust what your users are doing. You just have to do what you can technically to try to mitigate that.

I'm on the security department, so it's just in the layer of our prevention to give us protections against, for example, ransomware that might kick off and try to execute different files. If someone downloads something or whatever, it has to be whitelisted first. It has to be approved before it can run it all.

That's better to me than some signature-based thing, because it protects against zero-day. There are things that it doesn't know about, so it has to check them. We have Check Point now as well, but we have a Check Point on our firewalls, not our endpoints.

We have another piece of that infrastructure that does what they call threat emulation. You may have heard of it. It's like sandboxing where it takes files that it doesn't know about, puts them in a VM-type environment, and it kicks them off to see if there's any malware or tendencies that might look like malware, that kind of thing.

It's also a zero-day type of prevention thing, but it kicks them off in a safe environment so that you can see what it's doing. You need integration with Check Point to do that, but that integration went away with the latest release, the one we just put out there.

That was a big part of why we liked Carbon Black, because it is integration to not only do the whitelisting, but also we could have automatic rules set up so that if a new file got downloaded by a user, we could automatically send that over to Check Point and it could do its emulation on it in the sandbox. And if it came back clean, then we could automatically approve it.

We wouldn't have to go through a manual process of having our people approve every single file that comes across as having been seen before. So, it was a really good way to work those two products together. But that went away. And so now I'm like, "Okay, what are we going to do now?" I hadn't looked at the Harmony Endpoint at all.

I haven't looked at Check Point's piece, but I was wondering to myself, "If it does something like Carbon Black was doing and then we already have Check Point on the other one, that would work." So, that was what I was trying to do.

There could be more knowledge. I think they made a mistake when they took away the Check Point integration, because it provides more automation and also more threat intelligence. Maybe you didn't see something within Carbon Black's sphere of what it knows, within their product line or their threat cloud or whatever they use for their intelligence. Maybe it didn't see anything of the files that it knows about, but what about somebody else's? And what about kicking into another product that does those kinds of things like sandboxing?

I don't know why they would take that away. That doesn't make sense to me because they need to expand on that. The more they expand on that, the more confidence you have as a security guy. You have more confidence that that file is clean, and there's nothing bad about it. Bringing back the integration with Check Point would be a good start.

This product is being used extensively in our organization. I'm actually looking for a replacement because of the fact that we lost that integration. That's really crucial, honestly. Otherwise, it becomes much more manpower-intensive. I need to spend more man-hours going through it instead of using automations.

I prefer to set up things so my team doesn't have to spend a huge amount of time running down rabbit trails all the time. The more we can automate and still be secure about it, that is what we try to do.

There are no additional features I would like to see added. I know they already have a cloud offering as well. You can manage things through their cloud for people that are always on-site. We mostly just use it for our own managed devices. We didn't really put it on. We never planned and don't plan to put it on or make it available to a BYOD kind of thing. This is all company-managed devices.

It just made more sense for us to do it internally than putting it in the cloud. But we could have done either one, I suppose. But since we started out inside, we just kept it that way. It was just easier.

I have been using this solution for five years.

It's stable.

The solution is scalable. We have never had an issue.

I would rate technical support 5 out of 5.

We did a proof of a couple different products, but we chose CB. And we've been with them since, because they do a good job. They've been pretty easy to manage, and they've had good support. So, we've actually been really happy with them.

It was pretty straightforward. It took some time to roll out. We wanted to eventually get to a point where we are now, which was to totally block everything we don't know about. But that didn't come out of the box. You had to let things run for a while.

It did a good job of reporting things, but not blocking so we could go through there and say, "Okay, these are legitimate files. Or these files were signed with these certificates from these vendors that we can trust," for example. We spent six or eight months going through everything before we actually turned it into full blocking mode. As far as initial rollout, it was fairly simple, and it's been fairly easy to upgrade the agents.

We ran into some issues with some of the MSIs and things or some systems when we tried to update some things and it broke. I'd probably rate the setup a four out of five.

We do deployment slowly and in phases. We could have deployed it pretty fast, actually. But it took us about three months to deploy everything because we wanted to make sure we had test groups of machines that we put into each department or each part of the organization, because they do different things. We didn't want to inadvertently start breaking certain things. So, we took our time pulling it out. But I think, essentially, it could have been deployed in probably a few weeks at the most.

We have a team of about five people who take care of maintenance.

We implemented it through an in-house team.

The licensing cost is on the more expensive side, but I thought it was worth it because they did a good job. It was one of the vendors I truly didn't have to worry about too much until this latest upgrade.

I would rate this solution 8 out of 10. 

I'd say, "go for it" if you don't have or need Check Point for an integration. But if you're relying on that kind of integration, if you really need that like we did, then of course I wouldn't go that route.

If I were to make a recommendation to somebody else just starting out, my advice is to check out the cloud first.

We use this solution as our endpoint security system. The solution is cloud-based.

The solution is very useful and easy to handle. You don't need much intervention with this product.

The client performance could be improved. When you install it in the client, the performance gets a bit disturbed.

In the user interface, the user needs to have more visibility regarding what's happening because it gives you a very simple client for the user. It doesn't give a full output for the user. It would be great if that could be improved.

I have been using this solution for more than four years. We are working with the latest version.

The solution is really stable. 

It is scalable.

The local technical support is very poor, but the support from headquarters is very nice.

For the local technical support, I would rather rate it at one, even zero, out of five. I would rate the global support at three or four out of five.

We previously used Kaspersky, and we switched to Carbon Black because it's a cloud-based application. It also requires minimum handling and basically runs on its own when you set the policy, so it's very easy.

The solution is a bit complex. Deployment took around six months.

The partners helped us. 

The license is annual. It's a standard license.

I would rate this solution 7 out of 10 because of the support.

The product is very smooth and pretty simple. I like it, and anyone can use it. My advice is to be careful about the partners when you're selecting. 

Carbon Black CB Defense is a multi-purpose solution. We can use it for XDR ADF. This way, if someone is trying to attack one's end point, in which there is a script such as PowerShell, but without a signature, the solution will be aware of such an attack and respond accordingly. It will detect the behavior and respond to the SOC.

The solution will prevent communication of one compromised device with another. 

In the month-long evaluation of the solution that we conducted, we found the POC to not be helpful, owing to the issue the client encountered with the platform, the operating system, which did not lend adequate support. 

While we paid for both on-cloud and on-premises deployment, the issue is not with the entrepreneur's upload, but with the end point. 

And do you have already some customers regarding Carbon Black?

Syed Faisal:
No, even Carbon Black, everyone has this solution for Windows IoT and Linux environment. But this is something called the product called Dell. This is a Dell based, [inaudible 00:02:31]. More or less the Dell [inaudible 00:02:33] which is running Dell customer OS, [inaudible 00:02:39]. But unfortunately we cannot install the agent on it.

The licensing price is a bit expensive when compared with other solutions. 

We've been using Carbon Black CB Defense for just a month. 

The solution is scalable. 

The solution is stable and the policy can be configured with flexibility. The solution comes with its own pre-built standard policy. Yet, we can write our own, which means the solution serves us going forward. 

The tech support is mostly okay. 

The solution is very easy to install.

Full deployment takes no more than an hour. 

Installation can be done on one's own. 

The licensing is a bit pricier than other solutions. 

We pay for the license annually. 

While I do not know the exact number of customers making use of the solution, my understanding is that most of the MNC, multinational companies, and the majority of the banking sector are doing so. 

I would recommend the solution to others.

I rate Carbon Black CB Defense as a nine out of ten.

We primarily use the solution for operations and also security. On the security front, we have a specific project that's ongoing right now. We are moving away from the on-prem Carbon Black to the cloud one. 

We primarily use the solution for endpoint protection.

The protection of the user machines has been great. For example, if a laptop gets stolen, or let's say, an employee gets let go, the product provides us with the ability to actually lock people out of the network and handle remote wipes and stuff like that.

The initial setup is very easy.

The on-prem one was very problematic, especially version 7.2, which did not play nice with Symantec at all. The last upgrade of the client actually triggered a block to the networking, to our active directory domain controllers.

There was a bug that we found was in Macs. It was triggering false positives as it wasn't able to figure out the right parent upon login. With the Carbon Black Cloud, we just got it two to three weeks ago. So far, I haven't seen any false positives. The cloud seems to be a much better product. 

With the on-prem one, the bug has been reported by the community in early January or February, something like that, at the beginning of the year, and it's still not addressed. They have released two versions since then, and yet neither of them addresses this specific issue.

I need more time to explore the cloud deployment, as we've only had it for three weeks at this point. 

It's been at least four years since we started using the solution. Four or five years.

We started with the on-prem one and now we're in yet another project with a cloud deployment.

While the on-prem has some bugs we have been dealing with, so far, after using the could for three weeks, it's like night and day. It's been very stable. There are no bugs or glitches.

I'm not aware of the scalability capabilities yet, as I don't have the entire company on it yet. We are still in testing mode. We just got the cloud deployment three weeks ago. So I can't really answer that truthfully.

Right now, we have seven people on the solution currently.

We haven't yet used the technical support. I can't speak to how helpful or responsive they would be.

That said, we did use technical support when we were on the on-premises version, and they were terrible. We would ask for bug fixes and new versions would come and yet they would not actually fix the problems that were highlighted.

We also use Red Cloak, which is a completely different prody=uct and something that we still use. 

The initial setup is very simple. The cloud version in particular is very simple. It's not overly complex or difficult.

I'm not dealing with the pricing. I can't speak to the costs involved.

There are two versions of Carbon Black that VMware has, one of them is the on-prem one and the endpoint clients are in the user machines and servers, so AWS and data center and VSS.

I'd advise those interested in the solution to go with the cloud deployment model. We've had a lot of issues with the on-premises version.

I'd rate the solution at a seven out of ten. There seems to be quite a disparity between the cloud and on-premises versions. 

The product is an endpoint security product. It's kind of like a replacement for a traditional antivirus.

One of the strong features of the product is its endpoint visibility. It gives you more visibility than a traditional antivirus would give you.

The visibility provided has been great.

The ease of deployment is definitely a great selling feature.

The stability is good and the product is pretty lightweight.

The solution scales well.

The reporting could be improved. Some of the built-in reporting isn't ideal. They have an API and everything you need that you can kind of hook into the product pretty easily, however, it'd be nice to have some built-in reports instead of having to seek them elsewhere.

The solution needs expanded endpoint query tools.

I've been using the solution for about a year.

The stability of the solution is good. There are no bugs or glitches. It doesn't crash or freeze. It seems to be a little bit lighter on resources than our previous antivirus.

The product can be scaled pretty high. We have about 3000 sensors deployed. However, it can go a lot higher than that. It depends on your internet connection for the reporting or the information, basically.

We have kind of a desktop security team that is about five individuals that administer the product part-time, and that can access the console. A couple of them are the ones that spend the most time in it.

We use the solution extensively and we may look at expanding the EDR  - stepping up to one of the other products and adding capabilities. Therefore, we're likely to increase usage in some form in the future.

Technical support needs some improvement. They don't seem to respond so well to technical help. The good thing is we don't need that much, however, they need to probably improve that a little bit for others who might require more assistance.

We had McAfee antivirus and it was difficult to tune the policy without compromising security, I would say. Its footprint was a little high. Its performance wasn't that great in terms of end-point performance.

The solution is easy to deploy. The implementation process is simple. It's not overly complex or difficult. 

While the rollout is pretty easy, you have to kind of tune it a little bit for applications as it discovers them.

To deploy a sensor, it takes just a couple of minutes or so. Then, to kind of tune the policy itself, you are probably looking at a couple of weeks.

Initially, we use the services provided by the vendor, like an on-ramp kind of service. They were great. The team was pretty helpful. 

We pay about $15 a node. It's just a standard licensing fee and that's it.

I'm just a customer and an end-user.

I've been using the latest version of the solution.

The sensors are on-premises, however, the console is in the cloud. It's a VMware product that runs on Amazon.

I'd advise those considering the solution to seek out some of the training to see if you can get it bundled in with the deployment. The more advanced training, to kind of how to tune the policy and stuff like that, would be helpful to have.

I'd rate the solution at an eight out of ten as there's still room for improvement in things like reporting. However, the impact on performance and the ability to have greater visibility were pluses in my book.

The solution is  deployed in our computers in the company. However, I can't speak to the use cases, as I'm still quite new to the company.

After we apply some policies we will receive, for example, alerts. We'll look at the devices that have given us alerts and we'll look to see if there is an issue. Then we can prioritize the issues into high and low categories.

We try to know what is a malicious file or malicious application and we can investigate what's happening according to the alerts in Carbon Black. Many times we've found that our policies avoid false positives. That said, sometimes, we have false positives and we get many alerts. We're working with this in Carbon Black.

Carbon black is basically blocking my application. I cannot open files and I cannot install software without it passing the policies. Not just any application can be installed on our computers. They need to be pre-approved. If we need to, however, we can manually bypass to finish an installation.

The solution allows you to override it and manually install an application if you need it ti.

It's very good at alerting you to malicious content or unauthorized software. 

We can access computers remotely if we need to.

Sometimes the solution blocks items that were previously approved and we don't know why.

It is sometimes hard when I attempt to investigate, to know the commands. It's not easy to do that. You need to upload the right information.

Occasionally, when we get alerts, we don't get all the information we need, such as the computer's serial number.

If I reveal an alert in a new window, I need to go back to the main link as it doesn't work.

Sometimes we need to close the solution and then open it up again.

Occasionally, we'll have issues with the latest version and they'll basically tell us that they will improve it in the next iteration. They need to work on their version release quality.

It would be good to have more information about the devices. If you get an alert that a malicious file is on your computer, Carbon Black really doesn't give you the full picture. We also need to wait for the user who owns the computer to be online before we can investigate everything. It's hard when you are working across time zones.

I started using the solution two weeks ago. I don't have a lot of experience with it just yet.

The stability could be better. It changes from version to version and from day to day. Sometimes it works perfectly, and sometimes there are issues and we need to close it and re-open the application.

We do have a person at Carbon Black that, if we have issues, we can reach out to. We let them know when we are having problems and they try to assist. I can't recall if it's email or some other type of internal support system that we go through.

Sometimes they have answers for us, and sometimes we have to wait for a new version. There's no guarantee our problems will be fixed immediately.

By the time I joined the company, the solution was already deployed. I was not part of the implementation process. I can't speak to how easy or difficult the solution is to implement.

We have deployed different versions of the solution. At this moment we have 3.5 or we have, for example, for Windows we have 3.1. We deploy it to many computers and in different countries. You need to upgrade or maybe you need to downgrade, depending on the device it's attached to. For example, we have many servers including 2016 and 2019 versions, and then we have different versions of Windows.

When we decide to deploy a new version we deploy it throughout the region. We have been in America, Asia, and Europe. 

I'd advise other potential users that, like any solution, you need to know how to use it, you need to know how to implement, and you need to know how to do the best configuration and update that configuration. If you don't have a good configuration on any application, it will work not for you.

In general, the solution is good. I would rate it at an eight out of ten.

Some of my client's use cases are typical endpoint protection, telemetry, and threat hunting. We are using all three of the most popular services that point back to the cloud central console.

Some of the valuable features I have found are the online documentation of the solution is well organized and thorough. I like the simplicity of bypass and the visualization of the active components. If I want to know which file is being utilized and what sub-files it is calling, the visualization given is very helpful.

I would like to see them continue to run some of the AI-type comparisons. I know everyone is really secretive about what they do and what they have engineered, but I think Cylance was a good market disruptor years ago with their approach. Now we see SentinelOne and everyone is approaching that piece of the puzzle similarly now. I just would like to see more of a comparison. We have done our own technical comparison but it is fairly expensive. All solutions have pros and cons, if more third-party organizations or teams could evaluate how each product works in pros and cons many people would benefit.

This solution could have greater granular control on how certain applications work. You are able to do the operation of allowing or disallow, or you can block unusual usage of an application, but they do not define it well. 

The PowerShell is being called in any way that the threat actor might use it versus an administrator. You are in a way taking this solutions' best guess at it or their understanding of it. They do not clearly tell you in technical terms how they make that determination. They should be more forthright about it, or if they can not tell us, they should just give us the control to make those selections. We are choosing it because at least we have that control where we do not have that same amount of control with other solutions like Cylance. However, they are still not telling us precisely what constitutes suspicious behavior, what actions, or what calls. It is a check box to say, lock if we have inappropriate use, or block if we have suspicious behavior. It would be helpful to tell us what that actually meant.

In the future, I would like to see more granular control of PowerShell and more administrative tools.

I have been using the solution for approximately six months.

The stability of the solution has been good. I like the fact that their call home is a single port, 443, a well-known port with a backup port, 54443. Their architecture, that way is easy for network admin to understand and open up and passing firewalls. In contrast with ATP, ATP has a lot of port requirements, It is much more complex and easy to misunderstand ATP communications until you really dig hard to see how does it work. This solution is much simpler that way. Additionally, performance-wise, user agents seem to hover around 1%-2%, it is fairly efficient and lightweight.

The scalability of the solution has been good. We implemented a couple of large POCs. We have some clients and colleagues that are running it at scale, with more than 5,000 endpoints with great success. We are pleased overall. Most of our clients are mid-cap or small enterprises.

I have found the solution support has been strong. 

I would rate the support of Carbon Black CB Defense a seven out of ten.

Companies need to work on the timeliness of support. Getting directed to a strong enough, experienced enough technical person sooner is important. That just is not the way support is currently built. Usually, they start at tier one and move up. I am sure there are a lot of customers that call in support with simpler questions that you do not want to tie up a tier-three person's time. However, I do not think my request for support to improve is not unique to this solution. 

We have a very knowledgeable technical team. When we call for support we are wanting to interact with tier two or tier three right away. It is frustrating to have to work through the tiers to get where we want to go.

We previously used Cylance and we are coming off of a direct comparison of the two. In the current version of this solution, they have a stronger AI version or component. The overall general quality of the breadth of the solution is better. To receive the same functionality in Cylance, we needed to add the CylanceOPTICS product and we have not had great success with it.

What I do not like about Cylance is it is very binary. You either allow AST to be a 56-bit hash or you do not. I think there is room for more granular control, which we now receive by using this solution.

Overall this solution is better than Cylance.

The initial setup has been straightforward. I think their user interfaces in mature and understandable, they did a good job in it. I would not say any end-point solution is simple, but I think it is more intuitive than many of them.

My advice to others is to take advantage of the POC and work with your POC rigorously. I think we have good responses on the POC as they get closer and closer to wanting to close. We were able to get stronger and stronger and more timely support. It is a good program and they are very fair about it. In any EDR, I would test them heavily and do not rely on marketing.

When applying an overall rating to this solution I do not think there are any tens in the marketplace. We very pleased and we evaluate this every year or two. In our POC, we had 200 samples including ones that were available but not as popular and we received a 100% efficacy. We were very pleased with the results.

I rate Carbon Black CB Defense an eight out of ten.