EDR: How to Collect Diagnostic Logs for Sensor Communication issues (Windows)

Environment

  • EDR Server: All Versions
  • EDR Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Objective

How to collect diagnostics for sensor connection and communication issues, such as when:
  • Sensor fails to register
  • Sensor does not show in the console
  • Sensor no longer connects

Resolution

  1. Download and install Wireshark (https://www.wireshark.org) on the affected machine to capture a trace.
  2. Start a Wireshark trace:
    • On the welcome page, select the interface the sensor connection should be using.
    • If the sensor port has been modified, go to Edit > Preferences > Protocols > HTTP and add the SSL/TLS port (comma delimited).
    • Do not add any filters.
    • Select the shark-fin icon at the top left to begin the capture.
  3. Open CMD as administrator and run the following command a few times to force a check-in attempt:
    sc control carbonblack 200
  4. Stop the Wireshark trace with the red square (stop) button at the top left and save it as <hostname>.pcapng.
  5. Collect sensor diagnostics.
  6. Send server diagnostics; for clustered environments, send the master and all minions. Run this command via terminal/SSH (Support will collect this for cloud customers):
    /usr/share/cb/cbdiag --post
  7. Upload the Wireshark trace and sensor diagnostics to CBVault.
  8. Provide the following information in the case and let the support engineer know the logs have been uploaded:
    1) Is this a newly installed sensor?
    2) Is the endpoint up to date on the latest Windows Updates?
    3) Is the connection going through a proxy? If so, what is the proxy address, for troubleshooting?
    4) What are the IP addresses of the sensor and the server?
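The following PowerShell script is an added example and is not part of the original article or the vendor's tooling. Run it from an elevated PowerShell prompt while the Wireshark capture is running: it performs the repeated check-in attempts from step 3 and then gathers the proxy, IP address and Windows Update details that step 8 asks for. The service name carbonblack is taken from the article's sc command; the server host name and port are placeholders you must replace with your own EDR server values (use the modified sensor port if one is configured).

```powershell
# Added example, not from the original article.
# Assumptions: the sensor service is named 'carbonblack' (from the article's
# sc command); $ServerHost and $ServerPort are placeholders for your EDR server.
param(
    [string]$ServerHost   = 'edr-server.example.invalid',  # placeholder, replace
    [int]   $ServerPort   = 443,                           # placeholder, replace if the sensor port was modified
    [int]   $Attempts     = 3,                             # "a few times", per step 3
    [int]   $DelaySeconds = 10                             # pause between attempts so each shows up in the trace
)

# Confirm the sensor service exists before sending it control codes.
$svc = Get-Service -Name 'carbonblack' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "Service 'carbonblack' not found; the sensor may not be installed."
    return
}
"Sensor service state: $($svc.Status)"

# Step 3: force a check-in attempt a few times while Wireshark is capturing.
# Control code 200 is the one the article documents; sc.exe sets a non-zero
# exit code if the service rejects the control (e.g. not running, not elevated).
for ($i = 1; $i -le $Attempts; $i++) {
    "Check-in attempt $i of $Attempts"
    & sc.exe control carbonblack 200
    if ($LASTEXITCODE -ne 0) { Write-Warning "sc control returned exit code $LASTEXITCODE" }
    Start-Sleep -Seconds $DelaySeconds
}

# Step 8: details to attach to the support case.
"--- Proxy configuration (WinHTTP) ---"
& netsh.exe winhttp show proxy

"--- Local IPv4 addresses (answers 'IP address of the sensor') ---"
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' } |
    Select-Object InterfaceAlias, IPAddress |
    Format-Table -AutoSize

"--- Most recently installed Windows updates ---"
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, InstalledOn |
    Format-Table -AutoSize

"--- TCP reachability of the server port from this endpoint ---"
Test-NetConnection -ComputerName $ServerHost -Port $ServerPort |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Save the script, then run it with `.\Collect-SensorDiag.ps1 -ServerHost <your server> -ServerPort <port>`; a failed TcpTestSucceeded together with a non-empty WinHTTP proxy line is the combination most worth pointing out to the support engineer alongside the pcapng file.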

Article Information
Creation Date: 09-09-2020