Environment

• Carbon Black Cloud Sensor: 3.3.x.x and Higher
• Microsoft Windows: All Supported Versions

Objective

Resolution

1. Log into the machine with a user account that matches the AD User or Group SID configured at the time of sensor install
2. Launch a admin Command Prompt
3. Run Commands:

   cd C:\Program Files\Confer 
   C:\Users\admin_user> cd C:\Program Files\Confer
   C:\Program Files\Confer>

4. Enter the "repcli" command with no options to view the list of available RepCLI command options 

   C:\Program Files\Confer> repcli
   
   RepCLI is a command line debugging tool that interacts with the CbDefense service
   ---------------------------------------------------------------------------------
   addpolicy       <json filename>| Add specified policy to repmgr
   addnav2policy   <json filename>| Add specified Nav2 policy to repmgr
   bypass          1|0| Enables or disables bypass mode
   capture         | Create diagnostic capture
   certfind        <publisher>| Searches for files with specified publisher pattern
   cloud           <request>| Tells sensor to send a cloud request
   counters        | Print diagnostic counters
   debug           1|0| Enabled or disables debug mode
   deletepolicies  | Delete all policies
   deletepolicy    <guid>| Delete policy matching guid
   deletepolicyindexed <index>| Delete policy with guid matching index in the order displayed by "querypolicyguids" (index starts at 0)
   deviceid        | Query sensor device id
   displayevents   -count [limit events displayed to number] -stream [CbEvent{Bin|Json|PrettyJson|PscProtobuf|PscJson|PscPrettyJson}] -norule [GUID of rule to exclude from output] -initiator [filename of process to watch] -target [file|process|registry|modload|network]| Display PSC-R events reported from repmgr. All arguments are non positional and optional, no arguments will display canonical JSON events until keyboard interrupt
   
   fileaccess      <access_level> [full_path]| Sets file-access to specified access level for file(s) being tracked by RepMgr.
   find            <filename|hash>| Searches for <filename> or <hash> in the file cache
   forcebatch      | Forces an event batch to be sent even if event quota has not been met
   getbatchconfig  | Get current configuration for PSCR event batch archiver
   getruleslog     | Display the contents of Nav2Rules.GetLogs()
   kerneltrace     <level> [flags]| Enables kernel logging at specified level
   lastLiveQueryTime [{relativeTimeBeforeNow}{s|m|h|d}|{TimestampInSeconds}]| Get (if no arg) or set last LiveQuery time
   LqIoFiles       1|0| 1- Keep around the LiveQuery InOut Files. 0- (regular functionality) delete the InOut Files
   NotifySvcStable | Notify driver the service is stable
   OnDemandScan    [directory]| Starts a background scan
   process         <pid>| Query process information
   queryrules      | Display all rules
   queryruleguids  | Display GUIDs for all rules
   querypolicyguids | Display GUIDs for all policies
   resetcounters   | Reset diagnostic counters
   setbatchconfig  -ti [time interval max (s)] -as [archive size max (kB)] -tas [total archives size max (kB)] -hu [archiver heap usage max (kB)]| All arguments are non positional and optional, no arguments will reset archiver config to defaults.
   status          | Display Sensor Status
   suppressrules   1|0 [noreload]| Enable/disable rule based event suppression. Will reload rules from datafile4 unless noreload is set
   UpdateAvSignature | Trigger an AV signature update
   UpdateConfig    | Causes RepMgr to read updated values from cfg.ini
   version         | Display product version
   ---------------------------------------------------------------------------------

Additional Notes

• Authentication is not required for all commands 
• Active Directory-based SID authentication provides full access to RepCLI commands

Related Content