Introduction to Carbon Black Workload

Updated on

VMware Carbon Black Workload Protection provides vulnerability assessment and inventory management for workloads hosted on vSphere. The Carbon Black Workload vulnerability solution provides shared information on vulnerabilities that is available in Carbon Black Cloud as well as in the native VMware vCenter administration client. 

Carbon Black Workload is offered in different packages to suit your organization’s needs

Prevention and threat hunting capabilities can be extended beyond vSphere workloads to your endpoints (desktops, laptops, servers, VMs, etc.).

To learn more about all VMware Carbon Black Cloud products please visit VMware Carbon Black TechZone here.


Before you Begin

In order to complete this product walkthrough please make sure you have the following:

  • A valid account in the VMware TestDrive environment, sign up here if you do not have one.
  • TCP & UDP ports 80, 443, 8443; and if using PCoIP, both TCP & UDP 4172
  • A Horizon Client installed on your machine.

Section 1: Accessing the TestDrive Experience

To log in to the vSphere environment, perform the following steps.

1.1 Accessing Environment

Open a web browser of your choice and navigate to LOG IN.

If you do not already have an account please reference the instructions found here.

Enter your TestDrive Username and Password and select ENTER.

When logged in to the TestDrive Portal, click on the Networking and Security tab.

Next, locate the VMware Carbon Black Workload product and click LAUNCH.


A new tab will open with Workspace ONE. Enter your TestDrive username and password, then hit Sign In.

Next, search for the Carbon Black Cloud desktop. Click to open into the desktop either via HTML access or Horizon Client access.

Now you'll be on the Carbon Black Cloud desktop. At this point, you can begin the walkthrough steps listed below.

Section 2: Introduction to VMware Carbon Black Workload (CBWL)

Carbon Black Workload provides vulnerability assessment and inventory management for workloads hosted on VMware vSphere. The Carbon Black Workload vulnerability solution provides shared information on vulnerabilities that is available in Carbon Black Cloud as well as in the native vCenter administration client. Workload protection capabilities are fully integrated into the world’s leading cloud management platform for complete data center visibility and protection. The solution combines vSphere and VMware Carbon Black in a purpose-built, operationally simple solution with minimal overhead and performance impact.

VMware Carbon Black Workload is the only vSphere vCenter workload protection platform for enterprise virtualization and security teams that delivers the most secure virtual infrastructure, while also providing the same visibility and capabilities within the public cloud as well.

The CBWL solution reduces the attack surface by giving Infrastructure, DevOps, and Security teams visibility into the operating system and application vulnerabilities right from within the vCenter Management plane as well as within the Carbon Black Cloud Management Console.

2.1 VMware Carbon Black Workload Architecture

A Carbon Black plug-in within vCenter allows for a shared truth on vulnerabilities and risk for those residing in vSphere/infrastructure as well as team members more focused on security or the Carbon Black Cloud console. Through this unique approach, we can eliminate the trade-off between security and operational simplicity by providing a single source of truth for Infrastructure and Security teams to accelerate response to critical vulnerabilities and attacks, while enabling collaboration and reducing friction. The Carbon Black Workload Plug-in provides deep visibility into your data center inventory and end-to-end life-cycle management for the components.

VMware Carbon Black Workload contains two components that are integrated into vCenter:

  • Carbon Black Workload Plug-in in vCenter
  • Carbon Black Workload Appliance

For further information on the solution architecture reference the following resource: https://carbonblack.vmware.com/resource/carbon-black-cloud-workload-protection-architecture

2.2 Installation Walkthrough

For purposes of this lab experience, Carbon Black Workload is already installed and configured. For information on installing and configuring CBWL in under 15 minutes see the following video:

For a guided lab on installing and configuring the CWP appliance see Module 2 of the CWP Hands-on Lab simulation: https://labs.hol.vmware.com/HOL/catalogs/lab/10212

Section 3: Walkthrough of vSphere with the VMware Carbon Black Workload Plug-in

The following section details the basics of accessing and using the Carbon Black Workload Plug-In in vSphere. The Carbon Black Workload Plug-in for vSphere integrates Carbon Black security capabilities directly in the vSphere Client.

3.1 Accessing the VMware Carbon Black Workload Plug-in

On the desktop, launch on the shortcut named “vCenter Server”.

Log in with the following credentials:

  • Username:  (listed in text file Carbon_Black_Demo_Credentials.txt on the Carbon Black desktop)
  • Password:  (listed in text file Carbon_Black_Demo_Credentials.txt on the Carbon Black desktop)

Once logged in, to view the Carbon Black Workload Plug-in, click Menu at the top left to expose menu options. Then select the Carbon Black icon in the drop-down menu.

Note: If you receive the error "Unable to fetch appliance details, please contact the administrator", hit the browser refresh button.

3.2 Carbon Black Workload Plug-in Navigation
Summary Tab

On accessing the plug-in you will be brought to the Summary, or "Dashboard", tab. The Carbon Black Workload Plug-in Summary tab contains widgets on appliance health, inventory status, and critical vulnerabilities:


  • Appliance Health: The Workload appliance facilitates communication between your vSphere environment and the Carbon Black Cloud. Appliance Health displays the status of the workload appliance. For more information on appliance status see the following page: https://docs.vmware.com/en/VMware-Carbon-Black-Cloud-Workload/1.0/carbonblack_workload/GUID-66E2A35A-4754-43F6-A5AD-C611D35EDD44.html 
  • Inventory Status: Inventory management for workloads; shows the coverage of Carbon Black through vSphere environment (is Carbon Black enabled, if there are updates to Carbon Black agent available, are assets eligible for Carbon Black, assets unsupported by Carbon Black, etc.) 
  • Affected Assets: Displays how many assets are affected by vulnerabilities, broken down by OS 
  • Critical Product Vulnerabilities: Displays how many critical vulnerabilities are present in the environment by vulnerability type (Windows OS, Windows App, Linux OS, Linux App) 
Vulnerabilities Tab

The Vulnerabilities page displays vulnerabilities present in your vSphere environment. Click "Vulnerabilities" to navigate the vulnerability page.

An overview of vulnerabilities is shown at the top of the page - including filters based on vulnerability severity. Severity scoring allows for administrators to understand and mitigate risks in a prioritized, realistic method. Higher severity scores indicate that the vulnerability should be prioritized. There are four severity categories… 

  • Low: Score from 0.0 – 3.9 
  • Moderate: Score from 4.0 – 6.9 
  • Important: Score from 7.0 – 8.9 
  • Critical: Score from 9.0 – 10.0  

As a vCenter Server administrator, you want to have visibility of known vulnerabilities in your environment to understand your security posture and schedule maintenance windows for patching and remediation. With the help of vulnerability assessment, you can proactively minimize the risk in your environment. 

Vulnerabilities can be viewed in Asset View or Vulnerability View:

  • Asset View displays workloads covered by Carbon Black Workload and allows you to look at all vulnerabilities affecting the workload of interest. 
  • Vulnerability View displays all vulnerabilities based on type (Windows OS, Windows App, etc.).

Carbon Black Cloud looks into vulnerabilities related to:

  • Operating System (OS) of the virtual machine.
    • Windows OS: Displays OS-level vulnerabilities for Windows VMs. The system looks for OS details and the security patches applied on each VM. When the security patch associated with the vulnerability is not applied, the VM is flagged as vulnerable.
    • Linux OS: Displays OS-level vulnerabilities for Linux VMs. The system looks for OS details with the list of all installed packages. The system determines the vulnerable packages installed on the VM and reports the CVEs against those packages.
  • Applications are installed on the virtual machine.
    • Windows Apps: Displays application-level vulnerabilities for the Windows VMs.
    • Linux Apps: Displays application-level vulnerabilities for the Linux VMs.

A deeper dive into vulnerabilities and using the vulnerability tab will be covered in Section 4 of this lab.

Inventory Tab

The Inventory page displays workloads for which you have enabled and not enabled Carbon Black Workload. You can manage workloads from this page. 

CBWL provides a streamlined agent deployment process. The Carbon Black agent installer is provided as part of the VMware Tools package. Deployment to workloads is simplified to a ‘click to enable’ process. Simply select the workload for which you would like to enable CBWL and click ‘Enable’. Initial assessment begins within 24 hours of enabling, and then occurs daily, automatically from that point forward.  

Sensor updates can be pushed by selecting workload(s) and clicking the Update button. Updates can be done individually or on multiple/all workloads.

3.3 How Carbon Black Measures Risk

Carbon Black Cloud partners with Kenna Security to leverage the largest database of vulnerability, exploit, and event threat data in the industry. This data is distilled into three main measures of risk:

  • Active Internet Breach: Presence of near-real-time exploitation.
  • Malware Exploitable: Availability of an exploit module in a weaponized exploit kit.
  • Easily Exploitable: Availability of a recorded exploit.

There are metrics defined for Common Vulnerability Scoring System (CVSS). A few of the metrics are about the attack method itself, whereas the others depend on how the application assesses impact - the direct consequence of a successful exploit. To learn more about CVSS, visit https://www.first.org/cvss/specification-document.

Risk Score

Every vulnerability is assigned a risk score of between 0.0 (no risk) and 10.0 (maximum risk). The risk score range and severity are defined as follows.

Score Range










To learn more about how the risk is calculated, refer to the Kenna Security documentation.

Section 4: Identifying Risks with vCenter Carbon Black Workload Plug-in

VMware Carbon Black Workload consolidates multiple datacenter security capabilities with an easy deployment experience on vSphere and a single lightweight sensor for your workload environment. VMware Tools includes the Carbon Black agent installer, facilitating the installation process and eliminating management by providing native security capabilities as a service that IT infrastructure owners can provide. 

Workload protection has already been deployed on numerous workloads within the TestDrive vSphere environment prior to this guide being written. This allows us to discover and view any risks that have been identified by our vulnerability assessment capability. With this capability there is no scanning involved because we are already collecting the data, we are leveraging the same single data stream to query and populate this data within the vCenter management plane. For this portion of the lab experience, we will be diving into vulnerabilities and information available to you directly in vSphere.

4.1 Looking into a Critical Vulnerability

While logged into vCenter, click on the Menu button at the top left of vCenter and then navigate to and click on the Carbon Black plug-in. For more information on accessing and navigating the plug-in see section 3.2.

Navigate to the Vulnerabilities page within the plugin. The Vulnerabilities page displays information on vulnerabilities affecting the environment with intuitive filtering capabilities to give administrators a prioritized, realistic method to look at risk and threat.

On the top of the page severity level filters can be used to view vulnerabilities in a prioritized manner. For this lab, we will focus on Critical vulnerabilities, with a severity score of 9.0 to 10.0. For more information on how risk is scored see Section 3.3.

  • If not currently selected, click the Critical filter at the top of the page to view only critical vulnerabilities

We should now see only Critical High-Risk score CVE’s, these are CVE’s that are exploitable within this environment. This means an attacker (external or internal) could gain access to a workload by leveraging one of these CVE’s in an attack if discovered.

  • Scroll down to view vulnerabilities
  • Click the Vulnerability View to view all vulnerabilities based on the type

Vulnerability types include Windows OS, Linux OS, Windows App, and Linux App. Select a vulnerability type of interest. Due to the nature of this lab, a specific vulnerability will not be selected as vulnerabilities will change across the environment.

A vulnerability will display:

  • Severity: Criticality of a vulnerability 
  • Risk Score: Score denoting severity; ranges from 0.0 (no risk) to 10.0 (maximum risk) 
  • OS Name: Name of OS affected by the vulnerability 
  • OS Version: Version of OS affected by the vulnerability 
  • CVE ID: Identifier of the specific vulnerability 
  • Fixed by: If applicable, links to KB article denoting update/patch that fixes a vulnerability 
  • Vendor (if App vulnerability): Name of the vendor of application w/vulnerability 
  • Product Name (if App vulnerability): Name of application w/vulnerability for reference 
  • Version (if App vulnerability): Version of App vulnerability is fixed by 
  • Assets Affected: Number of workloads in your environment that are affected by this vulnerability
  • Click the arrow next to a vulnerability to expand additional information

Expanding a vulnerability will show:

  • A plaintext description of the vulnerability
  • Link to the National Vulnerability Database
  • Asset(s) affected by the vulnerability
  • Risk details (Kenna variables affecting severity score)
  • CVSS score information
  • CVSS vector details
  • Click the link to the National Vulnerability Database

Carbon Black Workload directly links to the National Vulnerability Database (NVD) page for the selected vulnerability. This allows for an easy workflow to get more background on the vulnerability and how to resolve it directly in your vSphere environment. 

  • Review information on NVD
  • Click the vSphere tab to return to the CBWL plug-in
  • Click the plus to expand Affected Assets
  • Click one of the Affected Assets

When viewing a workload, on the Monitor tab, a Carbon Black Vulnerabilities page is available. You can view all vulnerabilities affecting a particular workload from this page. 

Once the administrator has patched or resolved the vulnerability, the reassess function on top right will help to view the asset health in real-time.

We have now completed a workflow looking into a critical vulnerability directly in vSphere. CWP provides built-in vulnerability assessment capabilities in your vSphere console. 

Section 5: VMware Carbon Black and Audit & Remediation

The VMware Carbon Black Workload solution can be accessed through both the Carbon Black Cloud Console and the Carbon Black vCenter plugin.

5.1 Accessing VMware Carbon Black Workload

The Carbon Black Cloud console is web-based with one lightweight agent deployed to endpoints.

The console is accessed through a supported web browser: 

  • Windows: Chrome, Edge, Firefox 
  • macOS: Chrome, Firefox, Safari 

Login to Carbon Black Cloud: 

  • URL: https://defense-prod05.conferdeploy.net/
  • User: (listed in text file on the Carbon Black Cloud desktop)  
  • Password: (listed in text file on the Carbon Black Cloud desktop)
  • Click the "Carbon Black Cloud" Chrome Link, a webbrowser with the Carbon Black URL will automatically populate
  • Login with credentials listed in text file on the desktop

If you are an existing VMware Carbon Black Cloud customer using the NGAV, EDR, container security, or other solution, the Carbon Black Workload solution lives in the same cloud-based console. Workload vulnerability information lives in the Vulnerabilities tab.

  • On the left side navigation menu, click Harden to expose menu options
  • Click Vulnerabilities to view vulnerability information

Carbon Black Workload gives teams a shared truth of risk, minimizing friction between teams such as infrastructure and security. Teams have the same visibility and understanding of vulnerabilities whether they are viewing information in the Carbon Black Cloud or within the vCenter plug-in.

Click on Show graphs on the top right to expand the vulnerabilities dashboard.

Vulnerabilities can be explored within the Carbon Black Cloud in the same method used in Section 4.

For a more guided experience on using the Carbon Black Cloud for vulnerabilities see Module 4 of the CWP Hands-on Lab simulation: https://labs.hol.vmware.com/HOL/catalogs/lab/10212

5.2 Audit and Remediation

To gather stateful information which is correlated to vulnerabilities, another part of the Carbon Black Solution suite is leveraged called Audit and Remediation. Audit and Remediation allows administrators to ask questions on the environment across hardware, software, and network variables at scale. Carbon Black Workload customers have access to the full Audit and Remediation solution beyond its use in vulnerability assessment. This portion of the experience will walk through using Audit and Remediation.

If you are not currently logged in to the Carbon Black Cloud console see section 5.1 for how to log in.

  • On the left-hand navigation menu click Live Query to expand the menu
  • Click New Query menu option

Numerous queries are pre-built and come OOTB with Audit and Remediation - called recommended queries. Pre-built queries full under IT Hygiene, Vulnerability Management, Threat Hunting, and Compliance use cases. Recommended queries can be filtered by selecting a use case, filtering by applicable OS, or searching for keyword(s).

Queries can be run on a one-off basis or scheduled to run automatically (daily, weekly, monthly, etc.). Query results can be viewed in the console or exported.

  • Click Vulnerability Management to review queries falling under this use case.

Carbon Blak Workload and Audit and Remediation give administrators a greater understanding of what they are securing. We will review a recommended query to better understand the information Audit and Remediation can provide.

  • Scroll down to the Installed Windows Applications query
  • Click the 'plus' to expand and view SQL

The Installed Windows Applications query returns information about applications installed by msiexec.exe. By expanding a query you can view the SQL code used in the query. Audit and Remediation leverages osquery and standard SQL syntax. 

osquery schema can be viewed on the following page: https://osquery.io/schema/4.5.0

Beyond recommended queries, administrators can create their own, custom queries to suit any number of use cases. Queries are built using standard SQL syntax and the previously linked osquery schema.

We will create a custom query that looks at the value for the 'LimitBlankPasswordUse' registry key. The value for this registry key can be 1 or 0; 1 being recommend as this prevents netconns from accessing endpoint with a blank password. An attacker could change the registry key to gain access to an environment.

This query comes from the Carbon Black Query ExchangeThe query exchange is an open forum for Carbon Black customers to share queries they've created - or leverage queries others have created. The Query Exchange is linked on the top right of the page. Note that only Carbon Black customers can access the Query Exchange.

Queries can be run environment-wide or on a specific endpoint(s) or policy group. Let's run this query on a specific workload.

  • Click 'Endpoints' hyperlink to expose endpoint selection
  • Type in 'cb-win-10' and select the workload
  • In the 'SQL' textbox copy and paste the following query
WHEN 1 THEN "Blank Password Auth via Network Not Possible"
WHEN 0 THEN "Blank Password Auth via Network Possible"
END "LimitBlankPasswordUse"
FROM registry WHERE PATH="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa";
Click to copy
  • In the 'Query Name' text box enter 'YOUR NAME - TD'
  • Click 'Run' to run your newly created query

Query results can be viewed in the console or exported.

  • Click 'Query Results' on the left-hand menu under the parent 'Live Query'
  • Select your query to view results by clicking on the name hyperlink
  • You can refresh the page in a couple of seconds to see the query results after the sensor has collected all information
Previous Article VMware Carbon Black Cloud Malware Lab
Next Article VMware Carbon Black App Control