App Control Agent: How to capture Mac agent diagnostic locally

Environment

  • App Control Agent: All Supported Versions
  • Mac OS: All Supported Versions

Objective

This document describes how to collect the agent diagnostics Carbon Black Support needs to investigate and resolve the following issue types on a Mac endpoint:

  • Unexpected Blocks
  • Unexpected Approval
  • Unexpected Rule Results
  • Crash
  • Connectivity Issues

Resolution

Note: macOS security features do not allow these commands to be run from the Applications directory, so change to a directory you have write permission to (for example, your home folder) before running them and point --capture at a path in that directory. The agent CLI lives at /Applications/Bit9/Tools/b9cli and is invoked by full path below.
 
  1. Open Terminal and change to a writable directory, for example your home folder (cd ~).
  2. Authenticate to the agent CLI, clear the existing counters and logs, and raise the agent debug level and kernel trace level:
/Applications/Bit9/Tools/b9cli --password <CLI or Global password here>
/Applications/Bit9/Tools/b9cli --resetcounters
/Applications/Bit9/Tools/b9cli --flushlogs
/Applications/Bit9/Tools/b9cli --debuglevel 6
/Applications/Bit9/Tools/b9cli --kerneltrace 4
 
  3. Reproduce the issue while the capture is running.
  4. Capture the diagnostics, then return logging to its defaults. Do not leave debug level 6 and kernel trace 4 enabled longer than needed; verbose logging adds overhead and fills the agent logs quickly.
/Applications/Bit9/Tools/b9cli --capture <path to drop>/`hostname`_`date +%Y-%m-%d_%H-%M-%S`.zip
/Applications/Bit9/Tools/b9cli --password <CLI or Global password here>
/Applications/Bit9/Tools/b9cli --debuglevel 0
/Applications/Bit9/Tools/b9cli --kerneltrace 2
 
  5. Provide a CSV export of the console events for the affected machine only (filter the Events page by source).
    • If the issue is a specific block or approval, include the "Rule Name" column, note an example SHA-256 hash in the case, and attach a screenshot of the rule you expected to apply.
  6. Collect system logs (crash cases only). On Mac OS 10.6 or later, crash and panic reports are written to /Library/Logs/DiagnosticReports:
system_profiler -detailLevel full > sysinfo.txt
tar -cvf library-logs-diagnosticreports.tar /Library/Logs/DiagnosticReports
On releases earlier than 10.6, collect /Library/Logs/PanicReports instead:
tar -cvf library-logs-panicreports.tar /Library/Logs/PanicReports
 
  7. Upload the diagnostics to the Cb Vault.
  8. Once the transfer is complete, update your Case Notes and Carbon Black Support will retrieve the data.
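The capture procedure above as a single script, an added example that is not part of the Carbon Black article or the agent itself. It runs the b9cli flags exactly as listed above; the B9CLI and B9_PASSWORD environment variables, the preflight checks, the empty-zip check and the Ctrl-C handling are this example's own conventions, not agent features.

```shell
#!/bin/sh
# Wrapper for the b9cli debug-capture procedure above. Added example; this is
# not Carbon Black's tooling. Assumptions (not from the article):
#   - B9CLI may override the default path /Applications/Bit9/Tools/b9cli
#   - B9_PASSWORD holds the CLI or Global password (hypothetical variable;
#     it is still passed to b9cli via --password, exactly as the article does)
#   - the drop directory passed in is writable by the invoking user
set -u

B9CLI="${B9CLI:-/Applications/Bit9/Tools/b9cli}"

# Capture file name from the article: <drop>/<hostname>_<YYYY-mm-dd_HH-MM-SS>.zip
capture_path() {
    printf '%s/%s_%s.zip\n' "$1" "$(hostname 2>/dev/null || uname -n)" \
        "$(date +%Y-%m-%d_%H-%M-%S)"
}

# Fail early: the CLI must be executable and the drop directory writable,
# since the capture cannot be written into /Applications.
preflight() {
    drop="$1"
    [ -x "$B9CLI" ] || { echo "b9cli not executable: $B9CLI" >&2; return 1; }
    [ -d "$drop" ] && [ -w "$drop" ] ||
        { echo "drop directory not writable: $drop" >&2; return 1; }
}

# Step 2: authenticate, reset counters, flush old logs, raise the agent debug
# level to 6 and the kernel trace level to 4.
start_debug() {
    "$B9CLI" --password "${B9_PASSWORD:?set B9_PASSWORD to the CLI or Global password}" &&
    "$B9CLI" --resetcounters &&
    "$B9CLI" --flushlogs &&
    "$B9CLI" --debuglevel 6 &&
    "$B9CLI" --kerneltrace 4
}

# Step 4: write the capture, then restore the defaults (debug 0, kernel
# trace 2). Prints the capture path on success.
stop_debug() {
    drop="$1"
    out="$(capture_path "$drop")"
    "$B9CLI" --capture "$out" || return 1
    "$B9CLI" --password "${B9_PASSWORD:?set B9_PASSWORD to the CLI or Global password}" &&
    "$B9CLI" --debuglevel 0 &&
    "$B9CLI" --kerneltrace 2 || return 1
    # A missing or zero-byte zip means the capture failed; do not upload it.
    [ -s "$out" ] || { echo "capture missing or empty: $out" >&2; return 1; }
    printf '%s\n' "$out"
}

# Step 6 (crash cases only): system inventory plus the crash/panic reports.
collect_crash_logs() {
    drop="$1"
    system_profiler -detailLevel full > "$drop/sysinfo.txt" &&
    tar -cvf "$drop/library-logs-diagnosticreports.tar" /Library/Logs/DiagnosticReports
}

# Interactive use: sh capture.sh <drop-dir> [crash]
# With no arguments the file only defines the functions above.
if [ $# -ge 1 ]; then
    preflight "$1" || exit 1
    # If the operator hits Ctrl-C mid-capture, still turn verbose logging off.
    trap 'stop_debug "$1" >/dev/null; exit 130' INT TERM
    start_debug || exit 1
    printf 'Reproduce the issue now, then press Enter to stop the capture: '
    read -r _
    trap - INT TERM
    stop_debug "$1" || exit 1
    if [ "${2:-}" = crash ]; then collect_crash_logs "$1"; fi
fi
```

Two caveats that apply to the script and to the manual commands alike: the password given to --password is visible in the process list to other local users while b9cli runs, so do this on a console you control; and the capture zip contains agent logs and event data, so send it only through the Cb Vault, not by e-mail.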

Additional Notes

Include the following triage information in the case:

  • When did the issue start?
  • What changed on the endpoint or in the policy around the time the issue started?
  • Is the issue easily reproduced?
  • What AV products are installed on the endpoint?

Article Information

  • Creation Date: 08-21-2018