Carbon Black Cloud: How to Access RepCLI with Live Response

Environment

  • Carbon Black Cloud Sensor: 3.3.x.x and higher
  • Carbon Black Cloud Console: All versions
  • Microsoft Windows: All supported versions

Objective

Access the RepCLI utility during a Live Response session

Resolution

  1. Initiate a Live Response session from the Console (Endpoints > Go Live)
  2. Change directory to the repcli.exe location, or format commands with the full path
    cd C:\Program Files\Confer
  3. Preface repcli commands with "execfg"
    execfg repcli status

Additional Notes

  • The Live Response session runs on the local machine as Local System
  • The Windows Local System SID will need to be authenticated to provide full RepCLI access
  • The Windows System SID is S-1-5-18
  • This can be confirmed within the LR session
    execfg whoami /user
    
    User Name             SID 
    ===================   ======== 
    nt authority\system   S-1-5-18
  • 3.5.x.x and higher Sensors do not require a SID for authenticated RepCLI commands when run via Live Response
    • One caveat for 3.5.x.x - 3.7.0.1253 Sensors is that Bypass mode can be turned on via RepCLI during Live Response but cannot be turned off via RepCLI
    • The above caveat is resolved in 3.7.0.1411 and higher Sensor versions

Article Information
Creation Date: 09-09-2020