cb-agent.exe

What is cb-agent.exe?

cb-agent.exe is the Windows service component of the Carbon Black Cloud Endpoint Agent. It runs continuously in the background to monitor endpoint activity, enforce security policies, collect telemetry, and relay data to the Carbon Black management console. It is a core part of EDR, device control, and threat prevention workflows on Windows endpoints.

cb-agent.exe operates as a Windows service under a SYSTEM account, loading modules for policy checks, event collection, and secure communications via TLS. It coordinates with the Cloud/Server console to receive updates, apply rules, and report detections or health status.

Is cb-agent-exe Safe?

cb-agent.exe is a legitimate, signed component of the VMware Carbon Black Cloud Endpoint Security suite. When installed from the official VMware distribution and kept up to date, it runs as a trusted service that enforces security policies, collects telemetry, and communicates with the management console. Its behavior is controlled by administrator configuration and enterprise policies, and it does not normally execute arbitrary code or load external payloads. If cb-agent.exe appears on a system using the official installer path and matches the published digital signature, it is considered safe.

Is cb-agent-exe a Virus?

cb-agent.exe is not inherently a virus when it originates from the legitimate VMware Carbon Black distribution. However, malware authors may impersonate the filename or relocate a malicious binary to mimic cb-agent.exe. If you notice an unsigned binary, a different directory than the standard install path, or unusual network activity, treat it as suspicious and perform verification checks such as digital signature validation and hash comparison, followed by a malware scan.

How to Verify Legitimacy

1. Check File Location: Verify cb-agent.exe is located under a standard path such as C:\Program Files\VMware Carbon Black\cb-agent.exe or a closely related VMware Carbon Black installation folder. Avoid user-writable or temp directories.
2. Verify Digital Signature: Open file properties and confirm the digital signature is from VMware, Inc. If the signature is missing, expired, or from an unexpected signer, investigate further.
3. Check File Hash: Compute SHA256 of the file (e.g., using certutil -hashfile) and compare against the hashes published by VMware for your exact version from the official knowledge base or customer portal.
4. Scan for Malware: Run a full system malware scan with up-to-date antivirus tools to ensure cb-agent.exe has not been replaced or tampered with by a Trojan or other malware.

Why is it Running?

Reasons it's running:

• Policy enforcement and protection: cb-agent.exe applies security policies configured by the admin, blocking unauthorized software and enforcing least-privilege rules to reduce attack surface.
• Telemetry and health monitoring: The process collects endpoint telemetry (events, process launches, and system health) and reports it to the Carbon Black Cloud for visibility and alerting.
• Threat detection and EDR integration: It participates in endpoint detection and response workflows, correlating local events with cloud-based threat intelligence for rapid detections.
• Policy updates and versioning: cb-agent.exe regularly polls the management console for policy updates, signature updates, and configuration changes to stay current with security rules.
• Device control and compliance: As part of device control features, the agent enforces access rules, USB usage policies, and application whitelisting according to enterprise settings.

Can I Disable or Remove It?

Common Problems

Common Causes & Solutions

• : Check for policy-driven scans or excessive event logging. Update to the latest agent version, review active policies, and consider adjusting scan settings or exclusions as advised by VMware support.
• : Verify system prerequisites, ensure the OS supports the required TLS version, check service dependencies, and review Event Viewer logs. If needed, repair or reinstall the Carbon Black agent from the official installer.
• : Examine the crash logs (CB event logs or Windows Event Viewer). Reinstall the agent to restore a clean binary, and confirm the install path and signature match VMware sources.
• : Allow outbound TCP port 443 to the VMware Carbon Black cloud endpoints or on-premises console, and verify proxy or firewall rules align with VMware documentation.
• : Check that the policy allows trusted applications, apply recommended exclusions to cb-agent.exe and its folder, and ensure the agent is up to date to reflect current whitelisting rules.
• : Force a policy refresh from the management console, verify connectivity, and confirm the agent reports heartbeat correctly. Check for certificate or clock skew issues that prevent updates.

Related Processes