Endpoint Standard: How to Run an On-Demand Scan With RepCLI

Environment

  • Carbon Black Cloud Sensor: 3.3 and Higher
  • Microsoft Windows: All Supported Versions

Objective

How to run an expedited On-Demand Scan on an endpoint with the RepCLI utility.

Resolution

For 4.0.0 Sensors and later:
  1. Log into the machine using an account with administrator-level access or a RepCLI Authenticated user.
  2. From Command Prompt, run the following commands.
    cd "C:\Program Files\Confer"
    repcli ondemandscan /Dir=C:\Desired\Path\Here /WaitOnResults
  3. Results will be returned in the command line window once the scan is complete, or can be retrieved using the following commands.
    repcli ondemandscan /ScanHistory
    repcli ondemandscan /ScanResults=InsertScanIDValueHere

  For a full list of supported command flags and syntax, see On-Demand Scan Using RepCLI.

For 3.9.2 Sensors and earlier:
  1. Log into the machine with a user account that matches the AD User or Group SID configured for RepCLI Authentication.
  2. From Command Prompt, run the following commands.
    cd "C:\Program Files\Confer"
    repcli ondemandscan [directory path]
  3. Progress can be tracked with the "repcli status" command, which includes scan information under the General Info section. Example:
    C:\Program Files\Confer> repcli status
    
    General Info:
            Sensor Version[3.3.0.984]
            Local Scanner Version[4.9.0.264 - ave.8.3.52.154:avpack.8.4.3.26:vdf.8.15.17.116]
            Sensor State[Enabled]
            Details[]
            Kernel File Filter[Connected]
            Background Scan[Expedited Scan]
            Total Files Processed[2025]  Current Directory[C:\Program Files\Common Files\VMware\InstallerCache]

Additional Notes

  • Scans cannot be initiated while the Sensor is in Bypass.
  • Multiple directory scans cannot be run concurrently.
  • The On-Demand Scan will run as an expedited scan, which means the scan will run faster than a normal background scan and may impact performance.
  • The scan is a report-only function and will not directly remove known malware.
  • The On-Demand Scan will run on the specified directory or file and will generate file hashes and reputation lookups. This data will be stored in a local database for future file lookups.
  • Any on-demand scans launched by RepCLI will be logged in the Windows Application Logs under Event ID 17.
  • If no path argument is specified, the Sensor will scan all "fixed" drives, by default.
For 4.0 Sensors and later:
  • On-Demand Scans can be run against removable media.
  • Scans can be made against a single file using the syntax, "/File=C:\Path\To\File.exe".
  • Single-file scans can be performed while an ongoing Background Scan or concurrent On-Demand Scan is running.
  • By default, any banned hashes detected by an On-Demand Scan will be returned in the scan results as having an "infected reputation", though this behavior can be altered via configprop.
For 3.9.2 Sensors and earlier:
  • On-Demand Scan is unable to target removable media.
  • The scan will only run on the contents of a specified directory or drive; it cannot run on individual files.
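The 4.0.0+ Resolution steps, together with the Bypass and Event ID 17 notes above, as an added PowerShell wrapper that is not part of this article or of RepCLI itself. It assumes the default install path C:\Program Files\Confer and a session that is elevated or a RepCLI Authenticated user; filtering the Application log on Event ID 17 alone is an assumption, since the article does not name the event provider.

```powershell
# Added example: run a RepCLI on-demand scan, refuse to start in Bypass,
# then confirm the scan was logged (Event ID 17) and list scan history.
param(
    [Parameter(Mandatory = $true)][string]$ScanPath
)

$RepCli = 'C:\Program Files\Confer\repcli.exe'   # default install path (assumed)
if (-not (Test-Path $RepCli))   { throw "RepCLI not found at $RepCli" }
if (-not (Test-Path $ScanPath)) { throw "Scan path does not exist: $ScanPath" }

# 1. Scans cannot be initiated while the sensor is in Bypass, so read the
#    'Sensor State[...]' line shown in the article's 'repcli status' output.
$status = & $RepCli status 2>&1 | Out-String
if ($status -match 'Sensor State\[(?<state>[^\]]+)\]') {
    $state = $Matches['state']
    if ($state -ne 'Enabled') { throw "Sensor state is '$state'; scan not started." }
} else {
    Write-Warning 'Could not read Sensor State from repcli status; continuing anyway.'
}

# 2. Run the expedited scan (4.0.0+ syntax) and block until results are returned.
$started = Get-Date
& $RepCli ondemandscan "/Dir=$ScanPath" /WaitOnResults
if ($LASTEXITCODE -ne 0) { Write-Warning "repcli exited with code $LASTEXITCODE" }

# 3. Audit trail: RepCLI-launched scans are logged in the Windows Application
#    log under Event ID 17. Filtering on ID alone is an assumption (other
#    providers may also use ID 17), so the provider name is shown for review.
$filter = @{ LogName = 'Application'; Id = 17; StartTime = $started }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, ProviderName, Message | Format-List
} else {
    Write-Warning 'No Event ID 17 entries found since the scan started.'
}

# 4. List scan history; the scan ID it reports feeds /ScanResults=<id>.
& $RepCli ondemandscan /ScanHistory
```

Run it as `.\Invoke-RepCliScan.ps1 -ScanPath 'C:\Users\Public'` (script name is the reader's choice); a non-Enabled sensor state stops the script before any scan is attempted.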

Article Information
Creation Date: 11-27-2018