Environment

• Carbon Black Cloud: All supported versions
• Apple Mac OS: All Supported Versions

Objective

Resolution

1. For 3.5.3.82 (the release before 3.6.1) and previous versions:
   1. Connect to the desired device
   2. Open Terminal
   3. Type command: grep BACKGROUND /var/log/system.log
      1. Example output: May 8 13:10:18 cbs-mac-6 CbDefense_Svc[26528]: BACKKGROUND_SCAN: IN_PROGRESS
2. For 3.6.1 and later versions:
   • Option A: Access the Apple unified log directly to show all messages logged by the sensor regarding the background scan status, for example:

     • log show --predicate 'process == "repmgr" and eventMessage contains "BACKGROUND_SCAN"'

     • repmgr: BACKGROUND_SCAN: DISABLED
       repmgr: BACKGROUND_SCAN: IN_PROGRESS
       repmgr: BACKGROUND_SCAN: COMPLETE

   • Option B: Access the sensor status through RepCLI and searches for the Background Scan output. For example:

     • sudo /Applications/VMware\ Carbon\ Black\ Cloud/repcli.bundle/Contents/MacOS/repcli status | grep Background

       Background Scan: Disabled
       Background Scan: Standard Scan
       Background Scan: Complete

   • Option C: Run the query through LiveResponse, using exec or execfg, for example:
     • From the repcli directory, run:

       • execfg ./repcli "status" | grep Background

     • Or from anywhere, run: 

       • execfg log show --predicate 'process == "repmgr" and eventMessage contains "BACKGROUND_SCAN"'

         
          

Additional Notes

• Background scan status will updated in the "System.log" only once per day.
• Live Query command can only be used to collect Background Scan status for 3.5.3.82 and previous versions for now due to the Apple System Log change from Apple.
• MDM (Mobile Device Management)could be used to push command to collect Background Scan status for 3.6.1 and newer sensors.

Related Content