logo

Query Exchange

Built off the open source project Osquery

The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

macOS - CB Standard Background Scan Status

Status: Approved Submitted by on ‎09-16-2021 07:24 AM

Description: This query queries the Apple System Log (ASL) data structure for system events. The query specifically provides the latest CB Standard/Advanced background scan status. The background scan status is getting updated in the "System.log" only once per day.

What The Data Shows: Date & Time of latest background scan status update, device name, background scan status information (in progress, complete, disabled)

SQL: 

SELECT MAX(datetime(time,"unixepoch","localtime")) AS "Scan Status Update Date & Time", host AS "Hostname",
CASE
WHEN message like "%IN_PROGRESS%" then "IN PROGRESS"
WHEN message like "%COMPLETE%" then "COMPLETE"
WHEN message like "%DISABLED%" then "DISABLED"
END "Background Scan Status"
FROM asl
WHERE message LIKE "BACKGROUND%";

Tested with OSQuery 4.9.0 on MacOS BigSur 11.6.

 

Comment
2 Comments
jnelson
Carbon Black Employee
‎09-20-2021 05:29 PM
‎09-20-2021 05:29 PM
Status changed to: Approved
 
yang_zheng
Carbon Black Employee
‎04-09-2022 07:50 AM
‎04-09-2022 07:50 AM

This Query only works for supported major OS versions for 3.5.3.82 (the release before 3.6.1), but will not work for 3.6.1.10 and newer sensors. More details can be found here:

https://community.carbonblack.com/t5/Knowledge-Base/CB-Defense-How-To-Check-Background-Scan-Status-o...

logo