Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Cb Defense: How to Locally Verify the Defense Sensor for Windows is Running

Cb Defense: How to Locally Verify the Defense Sensor for Windows is Running

Environment

  • Cb Defense Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Objective

  • Steps to verify that the Defense Sensor on Windows is actively running from the local machine.

Resolution

  • For sensor version 2.x to Current:
    1. From an elevated command prompt, run the following command: reg query "HKLM\System\CurrentControlSet\Services\CbDefense".
    2. Examine the output and verify the subkey "ServiceRunning" has a value of 0x1.
    3. You should NOT see a value for "Passthru". This would indicate the sensor is in full bypass and not protecting the machine.
  • For sensor versions 1 - 1.0.6.196:
    1. From an elevated command prompt, run the following command: reg query "HKLM\System\CurrentControlSet\Services\Confer Sensor Service".
    2. Examine the output and verify the subkey "ServiceRunning" has a value of 0x1.
    3. You should NOT see a value for "Passthru". This would indicate the sensor is in full bypass and not protecting the machine.

Additional Notes

  • You can also verify the Defense Sensor is running via the check-in time for the device on the endpoints page or by actively looking at a specific devices information page.
  • This method can also be automated which could be useful for organizations with a large sensor install base.

Related Content


Was this article helpful? Yes No
100% helpful (1/1)
Article Information
Author:
Creation Date:
‎11-20-2018
Views:
1582
Contributors