Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

EDR: How to Collect Windows Sensor Diagnostic Logs (6.2.2+)

EDR: How to Collect Windows Sensor Diagnostic Logs (6.2.2+)

Environment

  • EDR Sensors: 6.2.2 and Higher
  • Microsoft Windows: All Supported Versions
  • Microsoft .NET 4.5 and Higher

Objective

How to collect diagnostics using the sensordiags.exe tool

Resolution

  1. Run Command Prompt as Administrator
  2. Change directory to C:\Windows\CarbonBlack
  3. Run the diagnostic tool
    sensordiag.exe --type CDE
  4. Collect the C:\Windows\CarbonBlack\diags\<filename>.zip
  5. Send the diagnostic files to support using CBVault.

Additional Notes

  • Available Switches
    -type XXX        - only mandatory parameter. Must be some combination of C,D, and E
                     --- Example: sensordiag --type CE
    
    -startdate yyyy-mm-dd [hh:mm:ss] - Only collects logs modified after a certain date/time
                     --- Time of day may/ may not be specified along with date
                     --- Example: sensordiag --type CE --startdate 2019-02-04 09:00:00
    
    -enddate yyyy-mm-dd [hh:mm:ss] - Only collects logs modified before a certain date/time
                     --- Time of day may/ may not be specified along with date
                     --- Can be used in conjunction with startdate parameter
                     --- Example: sensordiag --type CE --enddate 2019-02-10
    
    -remember        - Only collects logs modified since the last sensordiags run
                     --- Cannot use startdate and enddate with remember
                     --- Example: sensordiag --type CDE -remember
    
    -output C:\path\to\diag - Set the output directory to something other than the working directory 
    
  • Types
    C: Crash - Returns crash reports for Carbon Black user-mode Service
    
    D: Diagnostics - Returns information about the sensor. Includes the contents of all subfolders of C:\Windows\CarbonBlack, as well as install information and metadata about the sensor drivers' status
    
    E: Environment - Collects system-wide information via WMI queries
  • Each collection will overwrite the last. If multiple diagnostics need to be collected, move the current outside the C:\Windows\CarbonBlack\Diags path.
  • Requires Microsoft .NET 4.5 and Higher
  • If the server has diagnostic collection enabled (under sharing settings), the sensor will automatically send up any logs from C:\Windows\CarbonBlack\diags\. If the upload succeeds, it deletes them locally

Related Content


Labels (1)
Tags (2)
Was this article helpful? Yes No
67% helpful (2/3)
Article Information
Author:
Creation Date:
‎08-19-2020
Views:
14420
Contributors