Cb Response 4.x, 5.x, 6.x
This document describes how to collect Cb Response sensor diagnostics when a Blue Screen of Death (BSOD) or a kernel panic occurs on Windows, OS X or Linux.
Follow the steps below for your OS platform to collect the sensor diagnostics needed to diagnose BSOD/kernel panic issues. Start by answering the questions that apply to every platform.
Note: If a Cb Protection Agent is installed, you may need to disable the Cb Tamper Protect Updater to gain read access to the Diagnostics folder on the Windows platform.
1. Is this a reproducible scenario, and if so, what are the steps to reproduce the BSOD/kernel panic?
   a. Was the host performing any special actions when the BSOD/kernel panic occurred? For example, were any backups or large file transfers being performed?
2. How many systems are affected?
3. If multiple systems are affected, do they have anything in common, such as OS, sensor version, or function (e.g. web server, database server, NFS)?
4. Are any other security applications or real-time scanners installed?
   a. If so, can you verify that sensor exclusions are in place? (See: Anti-Virus Exclusions for Cb Response Sensor.)
   b. Is the Cb Protection (bit9) Agent installed, and if so, what version?
   c. Is the Cb Defense (confer) Sensor installed, and if so, what version?
Note: By default, a Windows system is configured to save only a mini-dump memory file when a BSOD occurs. This may not be enough to diagnose and resolve the issue. Either a kernel (minimal) or a complete (preferred) memory dump is requested.
Warning: Be careful that the additional logging does not fill up the disk.
IMPORTANT: When complete, don't forget to remove verbose logging.
On OS X, run the sensor diagnostics script: sudo /Applications/CarbonBlack/sensordiag.sh
Note: On Linux, refer to the operating system vendor's instructions for capturing a kernel crash dump. For example, Chapter 30 of the Red Hat Deployment Guide has the instructions for installing and configuring the kdump service on RHEL 6.
On Linux, run the sensor diagnostics script: /opt/cbsensor/sensordiag.sh
Note: If the .vmsn file is small (~1.5 MB), the VM is configured to store its memory in a separate file. If so, please also send the .vmem file.
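The following POSIX shell functions are an added example, not Carbon Black's own sensordiag.sh: they check the two Linux prerequisites above before you collect, namely that a crash kernel is actually loaded (so a panic will write a vmcore) and that a small .vmsn snapshot is sent together with its .vmem. The sysfs/proc paths are passed as parameters (assumed layout) so the checks can be exercised against constructed files.

```shell
#!/bin/sh
# Added example (not part of the Cb Response sensor): pre-flight checks
# before collecting Linux kernel-panic diagnostics for a support case.

# kdump_ready LOADED_FILE CMDLINE_FILE
# Returns 0 when a crash kernel is loaded and crashkernel= is present on
# the kernel command line. On a live host, pass
#   /sys/kernel/kexec_crash_loaded /proc/cmdline
# Any other outcome means a panic will NOT produce a vmcore to send.
kdump_ready() {
    loaded_file=$1
    cmdline_file=$2
    [ -r "$loaded_file" ] || { echo "no crash kernel interface: $loaded_file" >&2; return 1; }
    [ "$(cat "$loaded_file")" = "1" ] || { echo "crash kernel not loaded" >&2; return 1; }
    grep -q 'crashkernel=' "$cmdline_file" || { echo "crashkernel= missing from cmdline" >&2; return 1; }
    return 0
}

# vm_snapshot_files SNAPSHOT.vmsn
# Prints the snapshot files to attach to the case, one per line. A .vmsn
# of only ~1.5 MB means guest memory lives in a sibling .vmem file, which
# must be sent too; returns 2 if that sibling is missing.
vm_snapshot_files() {
    vmsn=$1
    [ -f "$vmsn" ] || { echo "missing: $vmsn" >&2; return 1; }
    echo "$vmsn"
    # 2 MiB threshold (assumed): a .vmsn that embeds guest memory is far larger.
    size=$(wc -c < "$vmsn" | tr -d ' ')
    if [ "$size" -lt 2097152 ]; then
        vmem="${vmsn%.vmsn}.vmem"
        if [ -f "$vmem" ]; then
            echo "$vmem"
        else
            echo "warning: $vmsn is small but $vmem was not found" >&2
            return 2
        fi
    fi
    return 0
}

# Typical use on a live RHEL host (commented out so sourcing has no side effects):
#   kdump_ready /sys/kernel/kexec_crash_loaded /proc/cmdline && /opt/cbsensor/sensordiag.sh
```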
If the collected files are under 25 MB, they can be attached to your case. Otherwise, upload the collected data to Cb Vault.