Carbon Black Cloud: How To Check Background Scan Status on Endpoints (Mac)

Environment

  • Carbon Black Cloud: All supported versions
  • Apple Mac OS: All Supported Versions

Objective

Provide instructions to determine the current status of Background Scan on a Mac OS device.

Resolution

  1. For 3.5.3.82 (the release before 3.6.1) and previous versions:
    1. Connect to the desired device
    2. Open Terminal
    3. Type the command: grep BACKGROUND /var/log/system.log
      1. Example output: May 8 13:10:18 cbs-mac-6 CbDefense_Svc[26528]: BACKGROUND_SCAN: IN_PROGRESS
  2. For 3.6.1 and later versions:
    • Option A: Query the Apple unified log directly to show all messages the sensor has logged about the background scan status, for example:
      • log show --predicate 'process == "repmgr" and eventMessage contains "BACKGROUND_SCAN"'
      • Possible states in the output:
        repmgr: BACKGROUND_SCAN: DISABLED
        repmgr: BACKGROUND_SCAN: IN_PROGRESS
        repmgr: BACKGROUND_SCAN: COMPLETE
    • Option B: Read the sensor status through RepCLI and search it for the Background Scan line, for example:
      • sudo /Applications/VMware\ Carbon\ Black\ Cloud/repcli.bundle/Contents/MacOS/repcli status | grep Background
      • Possible states in the output:
        Background Scan: Disabled
        Background Scan: Standard Scan
        Background Scan: Complete
    • Option C: Run either query through Live Response, using exec or execfg, for example:
      • From the repcli directory, run:
        • execfg ./repcli "status" | grep Background
      • Or, from anywhere, run:
        • execfg log show --predicate 'process == "repmgr" and eventMessage contains "BACKGROUND_SCAN"'

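The following is an added helper script, not part of this article or of the Carbon Black sensor: it picks the query that matches a given sensor version (3.6.1 is the cut-over to the unified log) and extracts the current Background Scan state from the output of any of the three options above. The sample log lines at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Carbon Black code). Assumes sensor versions are dotted
# numeric strings such as "3.5.3.82" or "3.6.1".

# Print the command to run for a given sensor version: the unified log query
# for 3.6.1 and later, the system.log grep for anything older.
bg_scan_command() {
  oldifs=$IFS; IFS=.
  set -- $1                       # split "3.5.3.82" into 3 5 3 82
  IFS=$oldifs
  maj=$1 min=${2:-0} pat=${3:-0}
  if [ "$maj" -gt 3 ] || { [ "$maj" -eq 3 ] && [ "$min" -gt 6 ]; } || \
     { [ "$maj" -eq 3 ] && [ "$min" -eq 6 ] && [ "$pat" -ge 1 ]; }; then
    echo "log show --predicate 'process == \"repmgr\" and eventMessage contains \"BACKGROUND_SCAN\"'"
  else
    echo "grep BACKGROUND /var/log/system.log"
  fi
}

# Reduce one line of sensor output to its state token. Handles the log form
# ("BACKGROUND_SCAN: IN_PROGRESS", from system.log or the unified log) and
# the repcli form ("Background Scan: Standard Scan"); returns 1 otherwise.
bg_scan_state() {
  case "$1" in
    *BACKGROUND_SCAN:*)   printf '%s\n' "${1##*"BACKGROUND_SCAN: "}" ;;
    *"Background Scan:"*) printf '%s\n' "${1##*"Background Scan: "}" ;;
    *) return 1 ;;
  esac
}

# Read query output on stdin and print the state from the last matching
# line: both logs are chronological, so the last entry is the current state.
latest_bg_scan_state() {
  last=""
  while IFS= read -r line; do
    s=$(bg_scan_state "$line") && last=$s
  done
  [ -n "$last" ] && printf '%s\n' "$last"
}

# Constructed sample of unified-log output (not captured from a real host).
sample='repmgr: BACKGROUND_SCAN: DISABLED
repmgr: BACKGROUND_SCAN: IN_PROGRESS
repmgr: BACKGROUND_SCAN: COMPLETE'
printf '%s\n' "$sample" | latest_bg_scan_state   # prints COMPLETE
```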

Additional Notes

  • Background scan status is updated in "system.log" only once per day.
  • Live Query can currently only be used to collect Background Scan status for 3.5.3.82 and previous versions, because of Apple's change to the Apple System Log (newer sensors log to the unified log instead).
  • MDM (Mobile Device Management) could be used to push a command that collects Background Scan status for 3.6.1 and newer sensors.

Creation Date: 09-09-2020