[Carbon Black Cloud] Using RepCLI on macOS


Attention:

Support information for each Carbon Black Cloud Sensor is published on VMware Docs as distinct OERs. This UEX page will no longer be updated. Please see:


Environment

Supported sensor versions: 3.5.1+
Supported OS versions: macOS 10.12 and later

Overview

RepCLI is a command line tool that can be used by superusers to locally manage certain sensor functions, such as forcing cloud check-ins and printing diagnostic info.

  • RepCLI is included in macOS sensor versions beginning with 3.5.1
  • RepCLI can be used to change sensor behavior, view sensor status, and perform sensor operations without connecting to the console.
  • The list of available RepCLI commands can be viewed by running RepCLI with no options.
  • Help for a particular command can be obtained by running the Help command and providing the name of that command as an argument.

Usage

The RepCLI binary is installed at:

/Applications/VMware Carbon Black Cloud/repcli.bundle/Contents/MacOS/repcli

  1. Launch a terminal, and navigate to the directory:
    /Applications/VMware Carbon Black Cloud/repcli.bundle/Contents/MacOS/
  2. Run the “repcli” binary as root to view a list of available RepCLI commands, as shown below. Note: the list below is subject to change with future sensor versions.
    bash-3.2$ sudo ./repcli
    Supported Commands:
    cloud: Check in to the Carbon Black Cloud
    counters: Prints kernel extension diagnostic counters
    help: Print information on how to use CLI command(s)
    status: Print the sensor status
    version: Displays current product version
  3. Furthermore, help for a particular command can be printed by running the “help” command with the command name as an argument, like so:
    bash-3.2$ sudo ./repcli help cloud
    Cloud - Send the specified request to the cloud and apply the result.
    Usage: cloud [request_type]

    Supported Request Types:
    Hello
    Metadata Push endpoint metadata to the cloud.
    QueryConfig Request the latest sensor configuration from the cloud.
    QueryRules (Default) Request the latest rule set from the cloud.
    RepConfig Request the latest allow list and ban list from the cloud.
    SensorState Push sensor state to the cloud
    UninstallCode Request latest uninstall code from the cloud
    Zip Request latest zip container configuration from the cloud.

Examples

An example of the "cloud hello" command:

bash-3.2$ sudo ./repcli cloud hello
Successfully checked into backend.

An example of the "capture" command:

sudo ./repcli capture <uninstall_code> ~/Desktop
Log zip successful!

Supported Commands

Command                    Action
bypass                     Enables, disables, and checks bypass mode
capture                    Generates and zips sensor logs and data
cloud                      Checks in with the Carbon Black Cloud. Note: there is a 60-second cooldown period between invocations of this command.
counters                   Prints kernel extension diagnostic counters
help                       Prints information on how to use CLI command(s)
manifest                   Requests, resets, or refreshes the manifest
setsensorkext              Toggles the sensor state from SysExt to Kext
setsensorkextloadoptions   Allows setting kext load options
setsensorsysext            Toggles the sensor agent from Kext to SysExt
status                     Prints the sensor status
version                    Displays the current product version
startCbServices            Loads the sensor driver and repmgr daemon

Audit Logs

A timestamped log of RepCLI invocations can be found at /Library/Logs/RepCLI.log. RepCLI invocations are also logged to the system log (Console).
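As an added example (not part of this article or the product), the script below reviews a RepCLI audit log for invocations of the commands from the table above that change sensor protection state (bypass, the kext/sysext toggles, startCbServices, capture) or that request the uninstall code. The log path is the one the article gives; the line layout `<date> <time> <user> repcli <command> [args]` and the sample entries are constructed assumptions, since the article does not document the log format.

```shell
#!/bin/sh
# Added example, not from the KB article. Reviews the RepCLI audit log named in
# the article for invocations that change sensor protection state.
# ASSUMPTION: each line looks like "<date> <time> <user> repcli <command> [args]";
# the article only says the log is timestamped, so adjust the awk match if needed.

REPCLI_LOG="${REPCLI_LOG:-/Library/Logs/RepCLI.log}"

# Commands from the article's table whose use a defender wants reviewed.
SENSITIVE_CMDS="bypass setsensorkext setsensorsysext setsensorkextloadoptions startCbServices capture"

# Print every line of log file $1 that invokes a sensitive command, or that
# asks the cloud for the uninstall code ("cloud UninstallCode", any case).
sensitive_invocations() {
    awk -v list="$SENSITIVE_CMDS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        {
            cmd = ""; arg = ""
            # locate the "repcli" token; the command and its first argument follow it
            for (i = 1; i < NF; i++) if ($i == "repcli") { cmd = $(i + 1); arg = $(i + 2); break }
            if (cmd == "") next
            if ((cmd in want) || (cmd == "cloud" && tolower(arg) == "uninstallcode")) print
        }' "$1"
}

# Number of sensitive invocations in log file $1 (plain integer on stdout).
count_sensitive() { sensitive_invocations "$1" | wc -l | tr -d ' '; }

# Write a constructed sample log to $1 so the functions can be exercised offline.
make_sample_log() {
    cat > "$1" <<'EOF'
2020-12-14 09:01:12 root repcli status
2020-12-14 09:02:40 root repcli cloud QueryConfig
2020-12-14 09:03:05 root repcli bypass
2020-12-14 09:03:50 root repcli setsensorkext
2020-12-14 09:05:30 root repcli cloud UninstallCode
EOF
}

# Stand-alone use: review the real log when present, otherwise demo on the sample.
if [ -r "$REPCLI_LOG" ]; then
    sensitive_invocations "$REPCLI_LOG"
else
    sample=$(mktemp) && make_sample_log "$sample"
    echo "$(count_sensitive "$sample") sensitive invocation(s) in sample log:"
    sensitive_invocations "$sample"
    rm -f "$sample"
fi
```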

Related Articles

Each entry below names an existing RepCLI article and the changes needed when following it on macOS.

Article: Cb Defense: How to Verify Sensor Status With RepCLI
Changes needed: Output format is slightly different.

Article: CB Defense: How to Check Background Scan Status With RepCLI
Changes needed: Output format is slightly different. Doesn’t include “total files processed”.

Article: Cb Defense: How to Force Sensor to Check Into Console With RepCLI
Changes needed: A smaller subset of request types is available. ActiveDirectory authentication is not relevant. A one-minute “cooldown” period applies to these commands when they are run.

Article: CB Defense: How to use RepCLI to Confirm Sensor Policy Updates
Changes needed: Output format is slightly different.

Article: Cb Defense: How to Toggle Sensor Bypass with the RepCLI Utility
Changes needed: Mac RepCLI does not support this yet. In the meantime, this can be done with the uninstall binary (-b and -n options).

Article: CB Defense: How to Update Virus Definition Files With RepCLI
Changes needed: Not applicable to macOS.

Article: Cb Defense: How to Run an On Demand Scan With RepCLI
Changes needed: Not yet supported by Mac.

Article: CB Defense: How to Gather System Info With RepCLI
Changes needed: Not applicable to macOS; this is basically a wrapper for a command in the Windows command prompt. The closest equivalent in macOS might be system_profiler, but there are no plans to make a wrapper for it. In theory, this could be run from Live Response anyway.

Article: CB Defense: How to Stop Sensor Services With RepCLI
Changes needed: Not supported by the mac sensor at this time.

Article: CB Defense: How to Enable Sensor Debug Logging for Issue Reproduction with RepCLI
Changes needed: Not supported by the mac sensor.

Article: CB Defense: How to Access RepCLI with Live Response
Changes needed: Basically the same, except that Step 1 should cd to /Applications/VMware Carbon Black Cloud/repcli.bundle/Contents/MacOS instead.

Comments

I believe the actual path to repcli is:

/Applications/VMware Carbon Black Cloud/repcli.bundle/Contents/MacOS

Article Information
Creation Date: 12-14-2020