Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Carbon Black Cloud: How to Collect Sensor Diagnostics with RepCLI Repro

Carbon Black Cloud: How to Collect Sensor Diagnostics with RepCLI Repro

Environment

  • Carbon Black Cloud Windows Sensor: 3.8 and Higher
  • Microsoft Windows: All Supported Versions

Objective

For 3.8+ sensors, there is a new command built in to RepCLI which is designed to collect a large variety of data for troubleshooting sensor issues. This is a guide to this RepCLI command and its usage.

Resolution

Prerequisites
Steps to Use RepCLI Repro
  1. Log into the desired device (either directly or via RDP) with a user account that matches the User or Group SID configured for RepCLI Authentication OR open Command Prompt and type the following to run cmd as a user configured for RepCLI Authentication 
    >runas /user:<repcli auth domain\repcli auth username> cmd 
    press ENTER 
    >Enter the password for <repcli auth domain\repcli auth username>:
    type password and press ENTER
    
    Example:
    >runas /user:vmware\juser cmd 
    press ENTER 
    >Enter the password for vmware\juser:
    type password and press ENTER
  2. Open a Command line from the Confer Directory 'C:\Program Files\Confer'
  3. Run the following command repcli repro <LocalOutputPath>
    C:\Program Files\Confer>repcli repro C:\<LocalOutputPath>
    
    Example
    repcli repro C:\Windows\temp
NOTE: Any existing psc_sensor.zip in the output directory will be overwritten when repcli repro is started. Make sure that any needed sensor capture that was saved in that location is renamed or moved to a new location prior to command run.
OPTIONAL: Configure the Delay=[1-60] parameter specifies the number of minutes that the sensor will wait for the issue to be reproduced before the post-reproduction log collection and cleanup. Some commands like procmon and WPR will enforce a cap on this value to prevent collected logs from being too large. It is possible to manually stop RepCLI repro logging at any point using CTRL+C regardless of what the delay is set to. If this value is not specified, it defaults to 5 minutes. Example: 
repcli repro C:\Windows\temp Delay=10
  1. If RepCLI Authentication is enabled, RepCLI will display a prompt to begin capturing. Example:  
    C:\Program Files\Confer>repcli repro C:\users\joeuser\desktop
    Delay parameter not set - defaulting to 5 minutes of reproduction time
    
    Restoring sensor's baseline configuration...
    WARNING: Sensor not unlocked - will skip policy operations
    Press enter to begin capturing:
    
  2. Press the Enter key on your keyboard when ready to begin reproducing the issue. 
NOTE: Keyboard input to CMD can sometimes miss key presses. If RepCLI repro does not respond to pressing enter, it can be pressed multiple times with no negative effects until RepCLI repro continues. 
  1. Once the sensor displays a message 'Waiting for X minutes', begin reproducing issue. DO NOT begin reproducing issue until RepCLI repro displays message 'Waiting for X minutes' otherwise data capture will be missed.  
    Enabling sensor...
    Sensor is fully enabled
    Waiting for 5 minute(s) (CTRL+C to stop waiting earlier)
    NOTE: The number of minutes that the sensor will wait for the issue to be reproduced before the post-reproduction log collection and cleanup depends on whether the Delay=[1-60] parameter was used. Refer to Step 2 for details.
  1. Press CTRL+C if the issue has been reproduced before the "Waiting for X minutes" delay period has ended otherwise sensor will automatically collect diagnostic data once the delay period has ended. Example: 
    Capturing...
    Sensor is in bypass mode
    Collecting diagnostic data (this may take a few minutes)...
    ............
    Captured diagnostic data in C:\Windows\Temp\psc_sensor.zip
    
    Finished
    CheckProtectedServiceStatus: Service[CbDefense] Protection[0x00000003]Restarting the sensor to finish restoring service state...
    Starting the sensor...
    Waiting for sensor...
    DebugPortClient::Connect: Failed to connect: Port not found in registry: 2
    No connection yet...
    DebugHandler::CheckConnection: Successfully connected
    Sensor is fully enabled
    
  2. Rename the zip file to match the name of the device.
  3. Upload the file to CB Vault or upload link provided by Support.

Additional Notes

  • Simplified Command Line Instructions 
    ### If logged in user is configured for repcli authentication Skip to STEP 2
    STEP 1: C:\Users\<username>runas /user:<repcli auth domain\repcli auth username> cmd 
    ### press ENTER 
    Enter the password for <repcli auth domain\repcli auth username>:
    ### type password and press ENTER
    
    STEP 2: cd C:\Program Files\Confer
    
    STEP 3: C:\Program Files\Confer>repcli repro C:\<LocalOutputPath>
    Delay parameter not set - defaulting to 5 minutes of reproduction time
    
    Restoring sensor's baseline configuration...
    WARNING: Sensor not unlocked - will skip policy operations
    Press enter to begin capturing:
    
    STEP 4: ### press ENTER when ready to reproduce
    
    STEP 5: ### reproduce issue when following message is observed
    Enabling sensor...
    Sensor is fully enabled
    Waiting for 5 minute(s) (CTRL+C to stop waiting earlier)
    
    STEP 6: ### Press CTRL+C once issue has been reproduced
    STEP 7: Collect C:\<LocalOutputPath>\psc_sensor.zip
  • In Step 6 if repcli repro command exits prematurely (or with errors) and leaves the sensor in a misconfigured state, run the repcli repro restore command to restore the sensor to a normal state by undoing any settings and stopping any running captures that might have been set as part of a previous failed RepCLI repro run. If services are stopped, the restore option will attempt to start them prior to restoring default active sensor state.
C:\Program Files\Confer>repcli repro restore
  • RepCLI repro currently doesn't support any type of capture across a reboot.

Related Content


Was this article helpful? Yes No
100% helpful (2/2)
Article Information
Author:
Creation Date:
‎12-23-2021
Views:
547
Contributors