Environment
- Carbon Black Cloud (formerly PSC) Console: All Versions
- Endpoint Standard (formerly CB Defense) sensor: 2.0 and higher
- Microsoft Windows: All Supported Versions
- Local Scan and Signature Updates enabled
Objective
Provide steps to verify that Local Scanner Virus Definition Files (VDF) are updating on the Endpoint Standard sensor
Resolution
Via Endpoints page
- Go to the Endpoints page in the CBC Console
- Search for the desired Device Name
- Expand the Device Details
- Check 'Scan Engine' field for VDF version; Example:
Scan Engine: 4.11.0.307-ave.8.3.54.68:avpack.8.5.0.12:vdf.8.16.19.110:apc.2.10.0.110
- Check the published date for the VDF version listed: https://community.carbonblack.com/t5/Knowledge-Base/Endpoint-Standard-How-To-Determine-Latest-VDF-Ve...
NOTE: If signatures are up to date, the "SIG" column on the Endpoints page will display a green circle for the endpoint.
Live Response (LR) with RepCLI enabled
- Go to the Endpoints page
- Search for the desired Device Name
- Click on the Live Response icon ('>_') to initiate an LR session
- Change directory to the Confer folder
cd C:\Program Files\Confer
- Run command to get current Sensor status
repcli status
- Check 'Local Scanner' line for VDF version; Example:
Local Scanner Version[4.11.0.307 - ave.8.3.54.68:avpack.8.5.0.12:vdf.8.16.19.110:apc.2.10.0.110]
- Check the published date for the VDF version listed: https://community.carbonblack.com/t5/Knowledge-Base/Endpoint-Standard-How-To-Determine-Latest-VDF-Ve...
Locally on endpoint using cmd.exe
- Connect to the desired device
- Launch cmd.exe
- Run the following commands:
In 3.5 and earlier sensor versions:
type "c:\Program Files\Confer\scanner\upd.log" | find "\aevdf.dat" | find "!="
In 3.6 and later sensor versions:
type "C:\ProgramData\CarbonBlack\Logs\upd.log" | find "\aevdf.dat" | find "!="
- Copy the highest VDF version (last entry returned); Example:
Callback: C:\Program Files\Confer\scanner\...\aevdf.dat 8.16.19.108 != 8.16.19.110
- Check the published date for the VDF version listed: https://community.carbonblack.com/t5/Knowledge-Base/Endpoint-Standard-How-To-Determine-Latest-VDF-Ve...
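The cmd.exe check above, scripted in PowerShell as an added example (not Carbon Black code): it reads whichever upd.log path exists, takes the highest version from the last aevdf.dat line, and compares it with the Local Scanner line of repcli status. The function names and the repcli.exe location under C:\Program Files\Confer are assumptions; the fallback line is a constructed sample.

```powershell
# Added example, not vendor code. Both upd.log paths are the ones given on this page.
$logPaths = @(
    'C:\ProgramData\CarbonBlack\Logs\upd.log',   # sensor 3.6 and later
    'C:\Program Files\Confer\scanner\upd.log'    # sensor 3.5 and earlier
)
$verRx = '\d+(?:\.\d+){3}'

function Get-VdfChange {
    # Returns one object per "\aevdf.dat <a> != <b>" line, in log order.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match "\\aevdf\.dat\s+(?<a>$verRx)\s+!=\s+(?<b>$verRx)") {
            $a = [version]$Matches['a']; $b = [version]$Matches['b']
            # The page says to copy the highest version, so keep the larger side.
            [pscustomobject]@{ Highest = $(if ($b -gt $a) { $b } else { $a }); Line = $line }
        }
    }
}

function Get-VdfFromScanner {
    # Extracts "vdf.<version>" from a Scan Engine / Local Scanner string.
    param([string]$Text)
    if ($Text -match "vdf\.(?<v>$verRx)") { [version]$Matches['v'] }
}

$log = $logPaths | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if ($log) {
    $lines = Get-Content -LiteralPath $log
} else {
    # Constructed sample in the format shown on this page, used when no log exists.
    $log   = '(constructed sample)'
    $lines = @('Callback: C:\Program Files\Confer\scanner\...\aevdf.dat 8.16.19.108 != 8.16.19.110')
}
$changes = @(Get-VdfChange -Lines $lines)
if ($changes.Count -eq 0) { Write-Warning 'No aevdf.dat version change found in upd.log.'; return }
$fromLog = $changes[-1].Highest   # last entry returned, as in the manual step

# Cross-check against the Local Scanner line of "repcli status" when RepCLI is present.
$running = $null
$repcli  = 'C:\Program Files\Confer\repcli.exe'   # assumed location of RepCLI
if (Test-Path -LiteralPath $repcli) {
    $status  = (& $repcli status | Select-String 'Local Scanner' | Select-Object -First 1).Line
    $running = Get-VdfFromScanner -Text $status
}
[pscustomobject]@{ Source = $log; VdfFromLog = $fromLog; VdfFromRepCli = $running }
```

The reported version still has to be compared against the published date in the linked knowledge-base article; the script only collects the value from the endpoint.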