Environment
- Carbon Black Cloud Sensor: 3.3 and Higher
- Microsoft Windows: All Supported Versions
Objective
How to run an expedited On-Demand Scan on an endpoint with the RepCLI utility.
Resolution
For 4.0.0 Sensors and later:
- Log in to the machine using an account with administrator-level access or a RepCLI Authenticated user.
- From Command Prompt, run the following commands.
cd "C:\Program Files\Confer"
repcli ondemandscan /Dir=C:\Desired\Path\Here /WaitOnResults
- Results will be returned in the command line window once the scan is complete, or can be retrieved using the following commands.
repcli ondemandscan /ScanHistory
repcli ondemandscan /ScanResults=InsertScanIDValueHere
For a full list of supported command flags and syntax, see On-Demand Scan Using RepCLI.
For 3.9.2 Sensors and earlier:
- Log in to the machine with a user account that matches the AD User or Group SID configured for RepCLI Authentication.
- From Command Prompt, run the following commands.
cd "C:\Program Files\Confer"
repcli ondemandscan [directory path]
- Progress can be tracked with the "repcli status" command, which includes scan information under the General Info section. Example:
C:\Program Files\Confer> repcli status
General Info:
Sensor Version[3.3.0.984]
Local Scanner Version[4.9.0.264 - ave.8.3.52.154:avpack.8.4.3.26:vdf.8.15.17.116]
Sensor State[Enabled]
Details[]
Kernel File Filter[Connected]
Background Scan[Expedited Scan]
Total Files Processed[2025] Current Directory[C:\Program Files\Common Files\VMware\InstallerCache]
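As an added example (not part of the original article or of Carbon Black's tooling), the Python below parses the General Info section of captured "repcli status" output so scan progress can be polled from a script. The function names, the constructed sample text, and the rules that a bypassed sensor reports a state containing "Bypass" and that "Expedited Scan" means a directory scan is still running are assumptions.

```python
import re

# Constructed sample in the shape of the `repcli status` output shown above.
SAMPLE_STATUS = r"""C:\Program Files\Confer> repcli status
General Info:
Sensor Version[3.3.0.984]
Sensor State[Enabled]
Details[]
Kernel File Filter[Connected]
Background Scan[Expedited Scan]
Total Files Processed[2025] Current Directory[C:\Program Files\Common Files\VMware\InstallerCache]
"""

# A field is "Name[value]". Values may be empty; a value containing ']' is not supported.
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\[([^\]]*)\]")

def parse_general_info(text):
    """Return {field: value} for the General Info section only."""
    fields, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and "[" not in line:  # section header line
            in_section = (line == "General Info:")
            continue
        if in_section:
            # finditer picks up several fields that share one line
            for name, value in FIELD_RE.findall(line):
                fields[name.strip()] = value
    return fields

def scan_summary(text):
    """Summarise scan progress and whether a new directory scan could start."""
    info = parse_general_info(text)
    state = info.get("Sensor State", "")
    mode = info.get("Background Scan", "")
    processed = info.get("Total Files Processed", "")
    if "bypass" in state.lower():        # assumption: state text contains "Bypass"
        blocked_by = "bypass"
    elif "expedited" in mode.lower():    # assumption: expedited scan still in progress
        blocked_by = "scan already running"
    else:
        blocked_by = None
    return {"sensor_state": state, "scan_mode": mode, "blocked_by": blocked_by,
            "files_processed": int(processed) if processed.isdigit() else None,
            "current_directory": info.get("Current Directory")}

if __name__ == "__main__":
    for key, value in scan_summary(SAMPLE_STATUS).items():
        print(f"{key}: {value}")
```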
Additional Notes
- Scans cannot be initiated while the Sensor is in Bypass.
- Multiple directory scans cannot be run concurrently.
- The On-Demand Scan will run as an expedited scan, which means the scan will run faster than a normal background scan and may impact performance.
- The scan is a report-only function and will not directly remove known malware.
- The On-Demand Scan will run on the specified directory or file and will generate file hashes and reputation lookups. This data will be stored in a local database for future file lookups.
- Any on-demand scans launched by RepCLI will be logged in the Windows Application Logs under Event ID 17.
- If no path argument is specified, the Sensor will scan all "fixed" drives by default.
For 4.0 Sensors and later:
- On-Demand Scans can be run against removable media.
- Scans can be made against a single file using the syntax "/File=C:\Path\To\File.exe".
- Single-file scans can be performed while an ongoing Background Scan or concurrent On-Demand Scan is running.
- By default, any banned hashes detected by an On-Demand Scan will be returned in the scan results as having an "infected reputation", though this behavior can be altered via configprop.
For 3.9.2 Sensors and earlier:
- On-Demand Scan is unable to target removable media.
- The scan will only run on the contents of a specified directory or drive; it cannot run on individual files.