
Cb ThreatHunter: How to Troubleshoot UBS Functionality


Environment

  • Carbon Black ThreatHunter PSC Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Objective

How to Troubleshoot UBS Functionality

Resolution

  1. You will need to access the RepCLI utility. See Cb Defense: How to Access RepCLI Utility
  2. Show the stream of kernel requests for detected binary executions that are to be evaluated for a UBS query:
    repcli streamubs -queries -requests
  3. Show the stream of backend responses to UBS queries issued by the sensor:
    repcli streamubs -queries -responses
  4. Force queued UBS queries to send immediately.
    • View pending UBS queries:
      repcli cloud UbsQuery -showpending
    • Force the pending UBS queries:
      repcli cloud UbsQuery -force
  5. Confirm if you have a binary file:
    repcli cloud UbsQuery -file <file_path>
    repcli cloud UbsQuery -sha256 <sha256>
  6. Show upload requests from the sensor (if UBS did not have the file, the sensor will start an upload):
    repcli streamubs -uploads -requests
  7. Show the zip path of a file that was uploaded. A JSON file will be shown if the upload is attempted. The field "sensor_status" will be 0 if the upload worked.
    repcli streamubs -uploads -responses
  8. In confer.log, search for UbsUploadManager to find log entries related to binary upload operations.
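
An offline check for the last two steps, added here as an example and not Carbon Black code: it assumes the output of `repcli streamubs -uploads -responses` and a copy of confer.log were saved as text. Only `sensor_status` and `UbsUploadManager` come from the article; the `zip_path` field, the sample lines and the function names are constructed for illustration.

```python
import json

# Constructed sample of saved `repcli streamubs -uploads -responses` output.
# Only "sensor_status" is named in the article; "zip_path" and the noise
# line are invented for illustration.
SAMPLE_RESPONSES = """\
waiting for responses {pending}
{"zip_path": "upload1.zip", "sensor_status": 0}
{"zip_path": "upload2.zip",
 "sensor_status": 5}
"""

# Constructed confer.log excerpt; real entries will look different.
SAMPLE_LOG = """\
[constructed] EventManager: queue flushed
[constructed] UbsUploadManager: upload queued
[constructed] UbsUploadManager: upload finished
"""

def iter_json_objects(text):
    """Yield every JSON object embedded in free-form text, skipping noise."""
    decoder = json.JSONDecoder()
    pos = 0
    while (start := text.find("{", pos)) != -1:
        try:
            obj, pos = decoder.raw_decode(text, start)
        except json.JSONDecodeError:
            pos = start + 1  # a brace that does not open valid JSON
            continue
        yield obj

def failed_uploads(text):
    """Return responses that carry sensor_status with a value other than 0."""
    return [o for o in iter_json_objects(text)
            if "sensor_status" in o and str(o["sensor_status"]) != "0"]

def upload_log_lines(log_text):
    """Return log lines that mention UbsUploadManager."""
    return [line for line in log_text.splitlines() if "UbsUploadManager" in line]

if __name__ == "__main__":
    for resp in failed_uploads(SAMPLE_RESPONSES):
        print("upload failed:", resp)
    for line in upload_log_lines(SAMPLE_LOG):
        print(line)
```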

Additional Notes

Like event uploads, UBS queries execute asynchronously, so they are queued until a timer period elapses.

Article Information
Creation Date: 12-11-2018