Environment
- Carbon Black Enterprise EDR Sensor: All Versions
- Microsoft Windows: All Supported Versions
Objective
How to Troubleshoot UBS Functionality
Resolution
- The RepCLI utility needs to be enabled first. See: Cb Defense: How to Access RepCLI Utility
- Show the stream of kernel requests raised when execution of a binary is detected, which are then evaluated for a UBS query
repcli streamubs -queries -requests
- Show the stream of backend responses to UBS queries issued by the sensor
repcli streamubs -queries -responses
- Show the UBS queries that are queued (pending)
repcli cloud UbsQuery -showpending
- Force the pending UBS queries to send immediately
repcli cloud UbsQuery -force
- Confirm whether UBS has a binary file, by file path or by SHA-256
repcli cloud UbsQuery -file <file_path>
repcli cloud UbsQuery -sha256 <sha256>
- Show upload requests from the sensor (if UBS does not have the file, the sensor starts an upload)
repcli streamubs -uploads -requests
- Show the zip path of a file that was uploaded. A JSON file will be shown if the upload is attempted. The field "sensor_status" will be 0 if the upload worked.
repcli streamubs -uploads -responses
- In confer.log, search for UbsUploadManager to find log entries related to binary upload operations
Additional Notes
Like event uploads, UBS queries execute asynchronously, so they are queued until a timer period elapses.