Cb Defense: How to Locally Verify the Defense Sensor for Windows is Running
Environment
Cb Defense Sensor: All Versions
Microsoft Windows: All Supported Versions
Objective
Verify from the local machine that the Defense Sensor on Windows is actively running.
Resolution
For sensor version 2.x to Current:
From an elevated command prompt, run the following command:
reg query "HKLM\System\CurrentControlSet\Services\CbDefense"
Examine the output and verify that "ServiceRunning" has a value of 0x1.
You should NOT see a value for "Passthru". A "Passthru" value would indicate the sensor is in full bypass and not protecting the machine.
For sensor versions 1 - 1.0.6.196:
From an elevated command prompt, run the following command:
reg query "HKLM\System\CurrentControlSet\Services\Confer Sensor Service"
Examine the output and verify that "ServiceRunning" has a value of 0x1.
You should NOT see a value for "Passthru". A "Passthru" value would indicate the sensor is in full bypass and not protecting the machine.
Additional Notes
You can also verify the Defense Sensor is running via the check-in time for the device on the endpoints page, or by looking at a specific device's information page.
The registry check can also be automated, which could be useful for organizations with a large sensor install base.
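One way to automate the registry check above, as an added example that is not Carbon Black's own tooling. The key paths and the "ServiceRunning" and "Passthru" names come from this article; the function name Test-CbDefenseSensor, the shape of the result object and the exit code convention are assumptions made for the example.

```powershell
# Added example: automates the two "reg query" checks from this article.
# Run elevated, as the article does for the manual check.
function Test-CbDefenseSensor {
    [CmdletBinding()]
    param(
        # Key paths as given in the article, newest sensor first.
        [string[]]$KeyPath = @(
            'HKLM:\System\CurrentControlSet\Services\CbDefense',             # sensor 2.x to current
            'HKLM:\System\CurrentControlSet\Services\Confer Sensor Service'  # sensor 1 - 1.0.6.196
        )
    )

    foreach ($path in $KeyPath) {
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $props = Get-ItemProperty -LiteralPath $path
        $names = $props.PSObject.Properties.Name

        # ServiceRunning must exist and equal 0x1.
        $running = ($names -contains 'ServiceRunning') -and ($props.ServiceRunning -eq 1)
        # Any Passthru value at all means the sensor is in full bypass.
        $passthru = $names -contains 'Passthru'

        return [pscustomobject]@{
            ComputerName   = $env:COMPUTERNAME
            KeyPath        = $path
            KeyFound       = $true
            ServiceRunning = $running
            PassthruSet    = $passthru
            Healthy        = $running -and -not $passthru
        }
    }

    # Neither service key exists: report the sensor as not verified.
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        KeyPath        = $null
        KeyFound       = $false
        ServiceRunning = $false
        PassthruSet    = $false
        Healthy        = $false
    }
}

$result = Test-CbDefenseSensor
$result
# Non-zero exit lets a management or monitoring tool flag the endpoint.
if (-not $result.Healthy) { exit 1 }
```

Save it as a .ps1 file and run it from a deployment or monitoring tool; the closing exit would close an interactive console if pasted in directly.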