
Endpoint Standard: How to determine the last 'On Demand Scan' information

Environment

  • Carbon Black Cloud Windows Sensor: 3.3.x.x and Higher
  • Microsoft Windows: All Supported Versions

Objective

Retrieve the information about the last On Demand Scan request made on a device (time of the request and the folder/directory scanned).

Resolution

On Sensor versions 4.0.0 and later:
  1. Log into the machine using an account with administrator-level access or a RepCLI Authenticated user.
  2. From Command Prompt, run the following commands.
    repcli ondemandscan /ScanHistory
    repcli ondemandscan /ScanResults=InsertScanIDValueHere
On Sensor versions 3.9.2 and earlier:
  1. The Event Viewer entries pertaining to the On Demand Scan can be checked locally or via Live Response using the following PowerShell command.
    Get-EventLog -LogName application -Newest 1 -Message "*completed ondemand*" | Format-Table -Wrap -AutoSize
  2. This command returns the time, date and message of the last On Demand Scan requested, taken from the Windows Application log. Example:
    Index  Time          EntryType    Source     InstanceID  Message
    -----  ----          ---------    ------     ----------  -------
    24410  Aug 11 07:42  Information  CbDefense  1073872913  The description for Event ID '1073872913' in Source 'CbDefense' cannot be found. The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them. The following information is part of the event: 'CbDefense', 'Carbon Black Cloud Sensor completed OnDemand file scan (C:\TestFolder)'
  3. Alternatively, the Application log can be checked locally in Windows Event Viewer using the steps below.
  4. Use CTRL+F and search for 'OnDemand'.
  5. The first result found is the most recent On Demand Scan request and contains the timestamp and folder/directory information (example below). The entry is logged as Event ID 17; more than one entry type shares this Event ID, but searching for 'OnDemand' returns the scan entry.
    Information: Carbon Black Cloud Sensor completed OnDemand file scan (C:\TestFolder)
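As an added example (not code from the article or from Carbon Black), the PowerShell function below extends the Get-EventLog one-liner above: it reads the CbDefense scan-completion events from the Application log, parses the scanned folder out of the message text, and returns the most recent entries as objects. The function and parameter names are this example's own, and it assumes the provider name 'CbDefense' and the message wording shown in the article.

```powershell
# Added example, not part of the Carbon Black KB article or product.
# Lists recent 'completed OnDemand file scan' events from the Application log
# and extracts the scanned path. Requires read access to the Application log
# (administrator locally, or a Live Response session).
function Get-CbOnDemandScanHistory {
    [CmdletBinding()]
    param(
        # Number of matching scan-completion events to return, newest first.
        [int]$Last = 5,
        # Optional remote host; omit to query the local machine.
        [string]$ComputerName
    )

    # Event ID 17 is the low 16 bits of InstanceId 1073872913 (0x40000011)
    # shown in the article's Get-EventLog output. Filtering on provider + ID
    # is cheaper than a wildcard message match over the whole Application log.
    $filter = @{ LogName = 'Application'; ProviderName = 'CbDefense'; Id = 17 }
    $params = @{ FilterHashtable = $filter; ErrorAction = 'SilentlyContinue' }
    if ($ComputerName) { $params['ComputerName'] = $ComputerName }

    # Message wording as documented in the article; the path is inside the parentheses.
    $pattern = 'completed OnDemand file scan \((?<Path>.+)\)'

    Get-WinEvent @params |
        ForEach-Object {
            # When the message DLL is missing, Message can be empty and the
            # strings live in Properties, so match against both.
            $text = (@($_.Message) + @($_.Properties.Value)) -join ' '
            if ($text -match $pattern) {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    EventId     = $_.Id
                    ScannedPath = $Matches['Path']
                    Message     = $text
                }
            }
        } |
        Select-Object -First $Last
}

# Most recent scan only, equivalent to the article's -Newest 1 query but with the path parsed out.
Get-CbOnDemandScanHistory -Last 1 | Format-Table -Wrap -AutoSize
```

Other entries that share Event ID 17 are dropped by the regex, so only scan-completion events are returned.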

Creation Date: 08-31-2021