Carbon Black Cloud: How to Enable RepCLI Authentication on Existing Sensors

Environment

  • Carbon Black Cloud (Formerly CB Defense) Sensor: 3.3.x.x and Higher
  • Microsoft Windows: All Supported Versions

Objective

  • Enable RepCLI Authentication on Sensors that are already deployed
  • RepCLI authentication can also be enabled at the time of install with the CLI_USERS option

Resolution

  1. Enable bypass mode on the sensor from the Carbon Black Cloud Console
  2. Open the cfg.ini file with Notepad (Notepad++.exe with Admin privilege is recommended)
    • Location of cfg.ini file can be found here
  3. Add the following line (replace <DesiredSID> with the actual AD group or user SID)
    • Warning: Authenticated users will be able to run any repcli command on the device. Ensure the SID applies only to a specific user or group trusted to execute repcli commands
    • Note: Only one SID can be specified
    • AuthenticatedCLIUsers=<DesiredSID>
  4. Save changes to cfg.ini with "Save As" option; maintain the same file name and select a destination outside of the cfg.ini directory
  5. Move the old cfg.ini file out of its file path and keep it as a backup
  6. Move the new cfg.ini file with the SID entry back into the specified file path
  7. Run the following repcli command
    "c:\program files\confer\repcli" updateconfig
  8. Run the following RepCLI command to disable Bypass
    "c:\program files\confer\repcli" bypass 0
  9. If the "repcli bypass" command is successful, then this confirms that SID Authentication is now enabled
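
One way to carry out steps 3 and 4 with the warning's checks built in, as an added PowerShell example that is not Carbon Black's own tooling. The function name, its parameters and the staging folder are hypothetical, and the script assumes cfg.ini is plain ASCII text:

```powershell
# Added example (not vendor code). Function name, parameters and staging folder are hypothetical.
function New-StagedRepCliConfig {
    param(
        [Parameter(Mandatory)][string]$CfgPath,  # full path to the live cfg.ini (not given on this page)
        [Parameter(Mandatory)][string]$Sid,      # the one SID to authorize for repcli
        [string]$StagingDir = (Join-Path $env:TEMP 'cfg-staging')  # must be outside the cfg.ini directory
    )
    $ErrorActionPreference = 'Stop'

    # Throws on a malformed SID string.
    $sidObj = [System.Security.Principal.SecurityIdentifier]::new($Sid)

    # Refuse SIDs that cover nearly every account on the device or domain.
    $broad = 'WorldSid','AuthenticatedUserSid','BuiltinUsersSid','InteractiveSid','AccountDomainUsersSid'
    foreach ($type in $broad) {
        if ($sidObj.IsWellKnown([System.Security.Principal.WellKnownSidType]$type)) {
            throw "SID $Sid is $type; choose a specific trusted user or group."
        }
    }

    # Throws if the SID does not map to an existing account, which catches typos.
    $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value

    # Step 4: the staged copy must not live next to the original.
    $cfgDir = Split-Path -Parent (Resolve-Path -LiteralPath $CfgPath).Path
    New-Item -ItemType Directory -Path $StagingDir -Force | Out-Null
    if ((Resolve-Path -LiteralPath $StagingDir).Path -eq $cfgDir) {
        throw 'Staging folder must be outside the cfg.ini directory.'
    }

    # Only one SID can be specified: drop any earlier entry, then add the new one.
    $lines = @(Get-Content -LiteralPath $CfgPath |
        Where-Object { $_ -notmatch '^\s*AuthenticatedCLIUsers\s*=' })
    $lines += "AuthenticatedCLIUsers=$($sidObj.Value)"

    # Assumption: cfg.ini is plain ASCII text; compare the staged copy with the original before use.
    $staged = Join-Path $StagingDir 'cfg.ini'
    Set-Content -LiteralPath $staged -Value $lines -Encoding Ascii

    [pscustomobject]@{ StagedFile = $staged; Sid = $sidObj.Value; ResolvesTo = $account }
}

# Example call; the cfg.ini path and SID below are placeholders:
# New-StagedRepCliConfig -CfgPath '<path to cfg.ini>' -Sid '<DesiredSID>'
```

Review the ResolvesTo value to confirm the SID names the intended user or group, then continue with steps 5 to 8 using the staged file.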

Additional Notes

Additional Troubleshooting:
  • If the "repcli bypass 0" command does not initially work, repeat step 7
  • Open the cfg.ini file to ensure that the "AuthenticatedCLIUsers" value was saved
  • In some instances restarting the Sensor services may be required in order for the Sensor to reload the cfg.ini file
  • Due to protection settings, it may not be possible to stop the sensor services without rebooting the machine
  • Sometimes a reboot may be required to force the Sensor to reload the cfg.ini file
  • Closing and opening the command prompt as administrator may be required in step 7

Article Information

Creation Date: 08-25-2020