Cb Protection: Linux Agent Diagnostic Capture Locally

Environment

  • Carbon Black Protection: All Versions
  • Linux Agent

Objective

This document describes how to collect the diagnostics that Carbon Black Support needs to investigate and resolve issues such as:

  • Unexpected Blocks
  • Unexpected Approvals
  • Unexpected Rule Results

Resolution

These commands should be run while the issue is being reproduced, so that the diagnostic capture accurately reflects the problem.

  1. Open Terminal and change directory to /opt/bit9/bin
  2. Run the following commands
    1. ./b9cli --password <CLI or Global password here>
    2. ./b9cli --resetcounters
    3. ./b9cli --flushlogs
    4. ./b9cli --debuglevel 6
    5. ./b9cli --kerneltrace 4
  3. Reproduce the issue during the capture.
  4. Capture and stop debug logging
    1. ./b9cli --capture <path to drop>/$HOSTNAME.$(date +%Y-%m-%d).zip
    2. ./b9cli --password <CLI or Global password here>
    3. ./b9cli --debuglevel 0
    4. ./b9cli --kerneltrace 2
  5. Collect System Logs
    1. tar cvfz system-logs-$(date +%F).tgz /var/log

Upload all collected data to Cb Vault

Once your transfer is complete, please update your Case Notes and we will retrieve the data.
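The capture steps above as a single script. This is an added example, not Carbon Black's own tooling; it assumes b9cli is in /opt/bit9/bin (as in the article), the CLI or Global password is supplied in the B9_PASSWORD environment variable, and DROP_DIR is where the archives are written. Its main addition over the manual steps is a trap that restores debug level 0 and kernel trace 2 if the run is interrupted, so verbose logging is never left enabled on the host.

```shell
#!/bin/sh
# Added example (not Carbon Black tooling): automates the manual b9cli steps
# and always returns the agent to normal logging, even on an interrupted run.
# Assumptions: b9cli in /opt/bit9/bin, password in B9_PASSWORD, output in DROP_DIR.
B9_BIN="${B9_BIN:-/opt/bit9/bin}"
DROP_DIR="${DROP_DIR:-/tmp/cb-diag}"

# Capture archive name, same pattern as step 4.1: <hostname>.<YYYY-MM-DD>.zip
capture_name() { printf '%s.%s.zip' "$1" "$2"; }
# System-log tarball name, step 5.1 with the date correctly expanded.
syslog_name() { printf 'system-logs-%s.tgz' "$1"; }
# Fail early if the password is missing; the env var keeps it out of shell
# history, though b9cli still receives it as a (briefly visible) argument.
check_password() { [ -n "${B9_PASSWORD:-}" ]; }

# Steps 4.2-4.4: return the agent to normal logging. Idempotent, because the
# INT/TERM handler and the EXIT trap can both reach it on an interrupted run.
restore_logging() {
    if [ "${_restored:-0}" = "1" ]; then return 0; fi
    _restored=1
    "$B9_BIN/b9cli" --password "$B9_PASSWORD"
    "$B9_BIN/b9cli" --debuglevel 0
    "$B9_BIN/b9cli" --kerneltrace 2
}

run_capture() {
    check_password || { echo "B9_PASSWORD is not set" >&2; return 1; }
    today=$(date +%F)
    mkdir -p "$DROP_DIR" && cd "$B9_BIN" || return 1
    trap 'restore_logging; exit 130' INT TERM
    trap restore_logging EXIT
    # Step 2: reset counters, flush logs, raise debug level and kernel trace.
    ./b9cli --password "$B9_PASSWORD"
    ./b9cli --resetcounters
    ./b9cli --flushlogs
    ./b9cli --debuglevel 6
    ./b9cli --kerneltrace 4
    # Step 3: reproduce the issue while debug logging is on.
    printf 'Debug logging enabled. Reproduce the issue, then press Enter.\n'
    read -r _reply
    # Steps 4.1 and 5.1: capture agent diagnostics and system logs.
    ./b9cli --capture "$DROP_DIR/$(capture_name "$(hostname)" "$today")"
    tar cvfz "$DROP_DIR/$(syslog_name "$today")" /var/log
}

# Only run when invoked as: sh cb_diag_capture.sh run
if [ "${1:-}" = "run" ]; then run_capture; fi
```

Run it as `B9_PASSWORD=... sh cb_diag_capture.sh run` (the filename is an assumption); both archives then land in DROP_DIR ready for upload to Cb Vault.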

Additional Notes

The following triage information is helpful:

  • When did the issue start?
  • What changed around the time the issue started?
  • Is this easily reproducible?
  • What AV products are on the endpoint?

Creation Date: 08-21-2018