Environment

• Carbon Black Protection: All Versions
• Linux Agent

Objective

This document describes the collection of diagnostics that will help Carbon Black support with investigating a resolution.

• Unexpected Blocks
  
• Unexpected Approvals
• Unexpected Rule Results

Resolution

These commands should be run during a reproduction of the diagnostics capture in order to accurately access the issue

1. Open Terminal and change directory to /opt/bit9/bin
2. Run the following commands
   1. ./b9cli --password <CLI or Global password here>
   2. ./b9cli --resetcounters
   3. ./b9cli --flushlogs
   4. ./b9cli --debuglevel 6
   5. ./b9cli --kerneltrace 4
3. Reproduce the issue during the capture.
4. Capture and stop debug logging
   1. ./b9cli --capture <path to drop>/$HOSTNAME.$(date +%Y-%m-%d).zip
   2. ./b9cli --password <CLI or Global password here>
   3. ./b9cli --debuglevel 0
   4. ./b9cli --kerneltrace 2
5. Collect System Logs
   1. tar cvfz system-logs-'date +F'.tgz /var/log

Upload all collected data to Cb Vault

Once your transfer is complete, please update your Case Notes and we will retrieve the data

Additional Notes

The following is helpful Triage information:

• When did the issue start?
• What changes around the time of the issue starting?
• Is this easily reproducible?
• What AV products are on the endpoint?

Related Content

• Anti-Virus Exclusions for Cb Protection Agent (Mac and Linux)