Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Carbon Black Cloud: How to Collect a ProcDump

Carbon Black Cloud: How to Collect a ProcDump

Environment

  • Carbon Black Cloud: All Supported Versions
  • Microsoft Windows: All Supported Versions

Question

To collect a procdump to aid in troubleshooting performance cases

Answer

  1. Download ProcDump tool via https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
  2. Open admin CMD prompt.
  3. Run command:
    cd c:\program files\confer
    repcli bypass 1
    sc qprotection cbdefense --Result will show either ANTIMALWARE LIGHT or None
    repcli registerProtectedSvcs 0 --This can be skipped if result of previous command is "none"
    repcli unlock <uninstall-code>
    repcli deletepolicy 1DED7E47-CE4C-448E-AD01-6F4AC3CE7F5D
    repcli stopCbServices
    sc start cbdefense
    repcli bypass 0
  4. Change directory to where procdump was saved
  5. Use TaskManager to identify the Process ID (PID) for the process causing the CPU spike (Task Manager > More Details > Details tab)
  6. In the Command Prompt, execute the following command: "procdump.exe -ma -s 5 -n 5 [PID]" with the value for the application's PID in the field marked without the square brackets.
  7. This command will capture a user dump sample of the spiking process every 5 seconds 5 times.
    • Please allow the process to remain running for these 25 seconds at least to allow this to complete.
    • The logs will be generated in the same directory as procdump.exe is executed from
  8. Run commands:
    cd c:\program files\confer
    repcli bypass 1
    repcli registerProtectedSvcs 1 -- Unnecessary if was skipped in step 3
    repcli restorepolicy
    repcli stopCbServices
    if using a sensor version prior to 3.6.0.1897, edit cfg.ini and remove "UnregisterProtected=True"
    sc start cbdefense
    repcli bypass 0
  9. Please zip all files and upload them to the CB Vault here - https://community.carbonblack.com/groups/cb-vault
  10. Once the upload completes, please comment on the support case that the data is available for review

Related Content


Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎08-08-2018
Views:
2625
Contributors