Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

EDR: Enable Verbose Debug Logging Remotely on Windows Sensor

EDR: Enable Verbose Debug Logging Remotely on Windows Sensor

Environment

  • EDR Sensor: All Versions
  • EDR Console: All Versions
  • Microsoft Windows: All Supported Versions

Objective

  • How to enable verbose user and kernel-mode logging remotely via CB Live Reponse.

Resolution

  1. Back up the registry prior to enabling logging
  2. Remotely enable verbose logging:
    • Establish a CB Live Response session with the endpoint
    • Enter the following two commands within CB Live Response:
reg add HKLM\Software\CarbonBlack\config -v DebugLevel -t REG_DWORD -d 7
reg add HKLM\Software\CarbonBlack\config -v KernelDebugLevel -t REG_DWORD -d 7
  • The registry setting will not take affect until the user-mode sensor service is restarted
execfg cmd.exe /K "sc control carbonblack 203"
  1. Reproduce the issue
  2. Collect logs: 
  1. Disable verbose logging in Live Response
    • reg delete HKLM\Software\CarbonBlack\config /v DebugLevel /f
      reg delete HKLM\Software\CarbonBlack\config /v KernelDebugLevel /f
      execfg cmd.exe /K "sc control carbonblack 203"
  2. Upload the diagnostics to the CB Vault

Related Content


Labels (1)
Tags (2)
Was this article helpful? Yes No
0% helpful (0/1)
Article Information
Author:
Creation Date:
‎11-21-2018
Views:
2231
Contributors