
App Control: How to Run FAPREDEP


Environment

  • Linux: All Supported Versions
  • Linux Agent: All Supported Versions

Objective

How to run the FAPREDEP script as provided by VMware Carbon Black.

Resolution

  1. Download the script here: FAPREDEP
  2. Temporarily stop the Linux Agent process and unload the kernel module via Terminal:
    lsmod | grep b9k (note the version number in the b9k module name, e.g. b9k_87816)
    cd /opt/bit9/bin
    ./b9cli --password GlobalCLIPassword
    ./b9cli --tamperprotect 0
    ./b9cli --shutdown
    pgrep b9daemon (confirm b9daemon has shut down cleanly; no PID should be returned)
    rmmod b9k_87816 (use the b9k module name noted from the lsmod output above)
    lsmod | grep b9k (confirm the module is no longer listed)
  3. Run FAPREDEP on the Linux device:
    sudo ./fapredep.sh
  4. Allow the script to run for the designated 10 minutes.
  5. Collect fapredep.tar.gz from the /tmp directory and upload it to the Vault for review.
  6. Start the Agent:
    ./b9cli --startup

Additional Notes

  • If collecting FAPREDEP logs on multiple devices, please rename the file to HOSTNAME-fapredep.tar.gz so the archives can be told apart.
  • If inotifywatch returns Error 127 (the shell's "command not found" status), the file may need to be copied into the relevant SCRIPTDIR for fapredep.
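The following wrapper is an added example, not the FAPREDEP script or any VMware Carbon Black code. It strings together the Resolution steps and the two Additional Notes so that each check the article asks for is enforced rather than eyeballed: the b9k module name is read from lsmod instead of being typed by hand, the script waits for b9daemon to exit before rmmod, it verifies the unload, it reports exit status 127 from fapredep/inotifywatch as "command not found", and it renames the archive with the hostname. It assumes the /opt/bit9/bin path, the b9cli options and the b9daemon/b9k names as shown on this page, that fapredep.sh is in the current directory, and that the CLI password is supplied in the environment variable B9_CLI_PASSWORD (an assumption for this example; the page uses a literal placeholder).

```shell
#!/bin/sh
# Added example, not Carbon Black's own script. Assumptions: /opt/bit9/bin,
# b9cli, b9daemon and b9k_* as on the page; B9_CLI_PASSWORD holds the Global
# CLI password; fapredep.sh is in the directory the wrapper is started from.

# Pick the loaded b9k module name out of lsmod output read from stdin, so the
# rmmod target matches whatever version is loaded instead of a hardcoded
# b9k_NNNNN. Prints nothing when no b9k module is loaded.
b9k_module_name() {
    awk '$1 ~ /^b9k/ { print $1; exit }'
}

# Archive name for multi-host collection (Additional Notes).
archive_name() {
    printf '%s-fapredep.tar.gz\n' "$1"
}

# Explain an exit status; 127 is the shell's "command not found" case that the
# Additional Notes describe for inotifywatch.
explain_exit() {
    case "$1" in
        0)   echo "ok" ;;
        127) echo "command not found (copy the binary into SCRIPTDIR)" ;;
        *)   echo "failed with exit status $1" ;;
    esac
}

# Wait up to $2 seconds for no process named $1 to remain; 1 on timeout.
wait_for_exit() {
    name="$1"; limit="$2"; n=0
    while pgrep -x "$name" >/dev/null 2>&1; do
        n=$((n + 1))
        [ "$n" -ge "$limit" ] && return 1
        sleep 1
    done
    return 0
}

# The Resolution procedure with every check enforced.
run_fapredep() {
    here=$PWD
    mod=$(lsmod | b9k_module_name)
    [ -n "$mod" ] || { echo "no b9k module loaded" >&2; return 1; }
    echo "loaded module: $mod"

    cd /opt/bit9/bin || return 1
    ./b9cli --password "${B9_CLI_PASSWORD:?set B9_CLI_PASSWORD}"
    ./b9cli --tamperprotect 0
    ./b9cli --shutdown
    wait_for_exit b9daemon 60 || { echo "b9daemon still running" >&2; return 1; }

    rmmod "$mod"
    if lsmod | b9k_module_name | grep -q .; then
        echo "$mod still loaded after rmmod" >&2; return 1
    fi

    # Surface the "Error 127" condition before the 10-minute run starts.
    command -v inotifywatch >/dev/null 2>&1 \
        || echo "warning: inotifywatch: $(explain_exit 127)" >&2
    sudo "$here/fapredep.sh"; status=$?
    echo "fapredep: $(explain_exit "$status")"

    out=$(archive_name "$(hostname)")
    [ -f /tmp/fapredep.tar.gz ] && mv /tmp/fapredep.tar.gz "/tmp/$out" \
        && echo "collected /tmp/$out"

    ./b9cli --startup
}

# Run only when asked explicitly, so the file can be sourced for its helpers.
if [ "${1:-}" = "run" ]; then
    run_fapredep
fi
```

Invoke it as `B9_CLI_PASSWORD=... sh fapredep-wrapper.sh run` from the directory that holds fapredep.sh; without the `run` argument nothing is stopped or unloaded, which is what lets the helper functions be sourced and checked on a host that has no agent installed.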

Creation Date: 09-09-2020