Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Carbon Black Cloud: How To Collect Sensor Logs Locally (Mac)

Carbon Black Cloud: How To Collect Sensor Logs Locally (Mac)

Environment

  • Carbon Black Cloud Sensor: All Versions
    • Audit & Remediation (was CB Live Ops)
    • Endpoint Standard (was CB Defense)
    • Enterprise EDR (was CB ThreatHunter)
  • Apple macOS: All Supported Versions

Objective

Collect Sensor logs locally from an Apple macOS device

Resolution

3.5.x.x Sensor and Higher

  1. Launch preferred terminal emulator
  2. Run log collection command to output to existing directory
    sudo /Applications/VMware\ Carbon\ Black\ Cloud/repcli.bundle/Contents/MacOS/repcli capture <Uninstall_Code> <Destination_Directory>
  3. Collect logs from <Destination_Directory>
  4. Upload the file to CB Vault or upload link provided by Support


3.1.x.x - 3.4.x.x Sensor

  1. Launch preferred terminal emulator
  2. Run log collection command to output to existing directory
    sudo /Applications/Confer.app/uninstall -l <UNINSTALL_CODE> -d <Destination_Directory>
  3. Collect logs from <Destination_Directory>
  4. Upload the file to CB Vault or upload link provided by Support


3.0.x.x Sensor and Lower

  • via Sensor Bypass
  1. Launch preferred terminal emulator
  2. Enable bypass
    sudo /Applications/Confer.app/uninstall -b  <UNINSTALL_CODE>
  3. Run the following command
    tar czf ~/Confer-copy.tgz /Applications/Confer.app
     
  4. Collect the resulting file
  5. Rename the file to include the name of the device
    {DeviceName}_Confer-copy.tgz
  6. Disable bypass
    sudo /Applications/Confer.app/uninstall -n  <UNINSTALL_CODE>
  7. Upload the file to CB Vault or upload link provided by Support
  • Via Safe Mode
  1. Log onto the desired device (either directly or via RDP)
  2. Boot the machine into Safe Mode
  3. Launch Terminal
  4. Run the following command
    tar czf ~/Confer-copy.tgz /Applications/Confer.app
     
  5. Collect the resulting file
  6. Rename the file to include the name of the device
    {DeviceName}_Confer-copy.tgz
  7. Upload the file to CB Vault or upload link provided by Support

Additional Notes

  • Sensor services do not need to be running in order to gather this data
  • The only requirement for the 3.1.x.x and higher options is that the directory exists prior to running the command

Related Content


Was this article helpful? Yes No
100% helpful (1/1)
Article Information
Author:
Creation Date:
‎01-25-2018
Views:
6829