Environment

• Carbon Black Cloud (Formerly CB Defense) Sensor: 3.3.x.x and Higher
• Microsoft Windows: All Supported Versions

Objective

• Enable RepCLI Authentication on Sensors that are already deployed
• RepCLI authentication can also be enabled at the time of install with the CLI_USERS option

Resolution

1. Enable bypass mode on the sensor from the Carbon Black Cloud Console
2. Open the cfg.ini file with Notepad (Notepad++.exe with Admin privilege is recommended)
   • Location of cfg.ini file can be found here
3. Add the following line (replace <DesiredSID> with actual AD Group or User SID) 
   • Warning: Authenticated users will be able to run any repcli command on the device, please ensure SID only applies to a specific user or group trusted to execute repcli commands
   • Note: Only one SID can be specified

   • AuthenticatedCLIUsers=<DesiredSID>

4. Save changes to cfg.ini with "Save As" option; maintain the same file name and select a destination outside of the cfg.ini directory
5. Move the old cfg.ini file out of it's file path and keep as a backup
6. Move the new cfg.ini file with the SID entry back into the specified file path
7. Run the following repcli command

   "c:\program files\confer\repcli" updateconfig

8. Run the following RepCLI command to disable Bypass

   "c:\program files\confer\repcli" bypass 0

9. If the "repcli bypass" command is successful, then this confirms that SID Authentication is now enabled

Additional Notes

• If the "repcli bypass 0" command does not initially work, repeat step 7
• Open the cfg.ini file to ensure that the "AuthenticatedCLIUsers" value was saved
• In some instances restarting the Sensor services may be required in order for the Sensor to reload the cfg.ini file
• Due to protection settings, it may not be possible to stop the sensor services without rebooting the machine
• Sometimes a reboot may be required to force the Sensor to reload the cfg.ini file
• Closing and opening the command prompt as administrator may be required in step 7

Related Content