
App Control: How to Collect Logs for Troubleshooting Disconnected Windows Agent (Locally)

Environment

  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions

Objective

How to collect logs to troubleshoot a disconnected Windows Agent

Resolution

  1. On the disconnected endpoint, open an elevated Command Prompt as Administrator
  2. Run the following commands and copy the output:
    cd "C:\Program Files (x86)\Bit9\Parity Agent"
    dascli password <Global CLI Password>
    dascli disconnect
    dascli debuglevel 6
    dascli nettrace 1
    dascli connect
    
    dascli status
    tracert <AppCServerName>
    netstat -ano | findstr "41002" > servernetstatresult.txt
    nslookup <AppCServerName>
    ping <AppCServerName>
    netsh winhttp show proxy
    (for XP/Server 2003 use: proxycfg)
    
    With PowerShell:
    Test-NetConnection -ComputerName <AppCServerName> -Port 41002 -InformationLevel "Detailed"
    Test-NetConnection -ComputerName <AppCServerName> -Port 443 -InformationLevel "Detailed"
    
    dascli password <CLI Password>
    dascli debuglevel 0
    dascli nettrace 0
    dascli capture "c:\temp\%ComputerName%.zip"
  3. Provide the following to Carbon Black Support team:
    • Screenshot or text results of the network commands in step 2
    • Zip file from step 2
  4. Files can be uploaded to: https://community.carbonblack.com/groups/cb-vault
  5. Once the upload completes, please comment in your case that the data is available for review.

Additional Notes

In the process of troubleshooting a disconnected agent, Carbon Black Support may request CAPI2 logging and a Wireshark capture. Providing those upfront can reduce the number of log requests you receive from the support group.
  1. Start CAPI2 logging:
  2. Start collecting a Wireshark capture:
  3. If the results of netstat -ano | findstr "41002" show 'TIME_WAIT' instead of 'ESTABLISHED', there is likely an issue with the TLS protocols and/or cipher suites
  4. Optionally, if Telnet is available, you can check connectivity with:
    telnet <AppCServerName> 41002
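To read the servernetstatresult.txt produced in step 2 of the Resolution against note 3 above, the following Python helper is an added example (not part of this article or of the App Control product): it counts the TCP connection states toward the server port and reports whether only TIME_WAIT sockets were seen. The netstat lines embedded below are constructed sample data in the format `netstat -ano` prints on Windows.

```python
"""Classify netstat -ano output for App Control agent connections on port 41002."""
import re
from collections import Counter

AGENT_PORT = 41002  # App Control server port checked in the article

# Constructed sample in `netstat -ano | findstr "41002"` format: the agent's
# sockets to 10.0.0.10:41002 are all TIME_WAIT, i.e. the failure mode in note 3.
SAMPLE_NETSTAT = """\
  TCP    10.0.0.25:51240        10.0.0.10:41002        TIME_WAIT       0
  TCP    10.0.0.25:51241        10.0.0.10:41002        TIME_WAIT       0
  TCP    10.0.0.25:51300        10.0.0.10:443          ESTABLISHED     1234
"""

# One netstat -ano row: proto, local endpoint, remote endpoint, state, PID.
# UDP rows carry no state column, so they simply do not match.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"\s+(?P<state>[A-Z_]+)\s+(?P<pid>\d+)\s*$"
)


def endpoint_port(endpoint):
    """Return the port of an 'addr:port' endpoint (works for [IPv6]:port too)."""
    return int(endpoint.rsplit(":", 1)[1])


def agent_connection_states(netstat_text, server_port=AGENT_PORT):
    """Count TCP states of sockets whose remote port is the server port.

    Only the remote port is checked, because the agent connects outbound;
    a findstr hit on a local port would not be a server connection.
    """
    states = Counter()
    for line in netstat_text.splitlines():
        match = LINE_RE.match(line)
        if not match or match.group("proto") != "TCP":
            continue
        if endpoint_port(match.group("remote")) != server_port:
            continue
        states[match.group("state")] += 1
    return states


def diagnose(netstat_text, server_port=AGENT_PORT):
    """Map the state counts to the interpretation given in note 3 above."""
    states = agent_connection_states(netstat_text, server_port)
    if states.get("ESTABLISHED"):
        return "established"            # agent currently connected to the server
    if states.get("TIME_WAIT"):
        return "time_wait_only"         # likely TLS protocol / cipher suite mismatch
    return "no_connection"              # nothing reached the server port at all
```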

Article Information
Creation Date: 11-20-2018