
macOS - CB Standard Background Scan Status

Description: This query reads the Apple System Log (ASL) data structure for system events through osquery's asl table and returns the latest CB Standard/Advanced background scan status. The background scan status is written to system.log only once per day, so the timestamp returned is that of the most recent daily status update.

What The Data Shows: date and time of the latest background scan status update, the device name, and the background scan status (in progress, complete, or disabled).

SQL: 

-- MAX() with bare columns: SQLite (the engine behind osquery) returns host and
-- message from the same row that holds the maximum time, i.e. the newest entry.
-- String literals use single quotes; double quotes are identifiers in SQL.
SELECT MAX(datetime(time, 'unixepoch', 'localtime')) AS "Scan Status Update Date & Time",
       host AS "Hostname",
       CASE
           WHEN message LIKE '%IN_PROGRESS%' THEN 'IN PROGRESS'
           WHEN message LIKE '%COMPLETE%'    THEN 'COMPLETE'
           WHEN message LIKE '%DISABLED%'    THEN 'DISABLED'
       END AS "Background Scan Status"
FROM asl
WHERE message LIKE 'BACKGROUND%';

Tested with osquery 4.9.0 on macOS Big Sur 11.6.
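Because the status line is written only once a day, a device whose newest entry is much older than that is worth flagging: either the sensor stopped scanning or logging to system.log has stopped. The following is an added example, not part of the original post, that extends the query above with a per-host freshness check; it assumes the same osquery asl table and the constructed threshold of 48 hours.

```sql
-- Added example (not the original post's query): latest background scan
-- status per host, plus how old that status is. Assumes osquery's asl table
-- is available (as in the tested osquery 4.9.0 build) and a constructed
-- staleness threshold of 48 hours, i.e. two missed daily updates.
SELECT
    host AS "Hostname",
    datetime(MAX(time), 'unixepoch', 'localtime') AS "Scan Status Update Date & Time",
    -- SQLite returns message from the row holding MAX(time), so this CASE
    -- classifies the newest BACKGROUND line for each host.
    CASE
        WHEN message LIKE '%IN_PROGRESS%' THEN 'IN PROGRESS'
        WHEN message LIKE '%COMPLETE%'    THEN 'COMPLETE'
        WHEN message LIKE '%DISABLED%'    THEN 'DISABLED'
        ELSE 'UNKNOWN'   -- unexpected wording; surface it rather than drop the row
    END AS "Background Scan Status",
    -- strftime('%s','now') is the current Unix time; difference in whole hours.
    CAST((strftime('%s', 'now') - MAX(time)) / 3600 AS INTEGER) AS "Hours Since Update",
    CASE
        WHEN strftime('%s', 'now') - MAX(time) > 48 * 3600 THEN 'STALE'
        ELSE 'FRESH'
    END AS "Freshness"
FROM asl
WHERE message LIKE 'BACKGROUND%'
GROUP BY host;
```

A host with no BACKGROUND line at all will not appear in the result, so an empty result set on a device is itself a finding to follow up.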
2 Comments
jnelson
Carbon Black Employee
Status changed to: Approved
 
yang_zheng
Carbon Black Employee

This query only works for supported major OS versions for 3.5.3.82 (the release before 3.6.1), but will not work for 3.6.1.10 and newer sensors. More details can be found here:

https://community.carbonblack.com/t5/Knowledge-Base/CB-Defense-How-To-Check-Background-Scan-Status-o...