Issue
I want to interact with my sensor using control codes.
Environment
VMware Carbon Black EDR (Windows)
Resolution
- At a command line prompt, run this command, substituting one of the control codes below: sc control carbonblack <code>
- Use one of the following codes:
  - 200 – Initiates a connection attempt to the Carbon Black EDR server. In most cases, this is a near-immediate connection attempt. Exceptions are during sensor startup and shutdown, or if any outstanding connection or connection attempts to the server are in progress. For example, if an event log or other data is currently being uploaded to the server, or if an attempt to connect to the server is in progress, the attempt does not occur until after the current operation is complete.
  - 201 – Initiates a dump of diagnostic data to the %WINDIR%\CarbonBlack\Diagnostics\ directory. After you run the sc control carbonblack 201 command, the %WINDIR%\CarbonBlack\Diagnostics\ directory includes SensorComms.log.
  - 209 – Configures and shuts down the sensor in preparation for a VDI primary image snapshot. The steps are:
    - Shut down the EDR Windows drivers.
    - In the registry, reset the sensor ID to 0.
    - Flush all event logs to disk, and then delete them.
    - Shut down the rest of the EDR Windows sensor.
  - 210 – Resets the sensor to a new install state. If an admin clones a running sensor, you can run this command on the cloned machine to re-register without shutting down the services. The steps are:
    - In the registry, reset the sensor ID to 0.
    - Notify the comms thread that it must re-register with the server.
    - Flush all event logs to disk, and then delete them.
    - Restart the event logger. The EDR Windows sensor resumes running.
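The following PowerShell wrapper is an added example and is not part of the VMware article or the Carbon Black product. It sends one of the documented control codes to the sensor service with sc.exe (in PowerShell, sc alone resolves to the Set-Content alias, so the .exe suffix matters), refuses any code the article does not list, and for code 201 waits until a freshly written SensorComms.log appears in %WINDIR%\CarbonBlack\Diagnostics\. The service name carbonblack is taken from the article; the requirement for an elevated shell and the 60-second polling timeout are assumptions.

```powershell
# Added example, not from the VMware KB article or the Carbon Black product.
# Assumptions: the sensor service is named "carbonblack" (as in the article),
# the shell is elevated, and a 201 dump completes within the timeout.

function Send-CbSensorControl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Only the control codes documented in the article are accepted.
        [Parameter(Mandatory)]
        [ValidateSet(200, 201, 209, 210)]
        [int]$Code,

        # Seconds to wait for SensorComms.log after a 201 dump (assumed value).
        [int]$TimeoutSeconds = 60
    )

    # Control codes are only delivered to a running service, so check first.
    $service = Get-Service -Name 'carbonblack' -ErrorAction Stop
    if ($service.Status -ne 'Running') {
        throw "Service 'carbonblack' is $($service.Status); it must be Running to accept control codes."
    }

    # 209 and 210 reset sensor state; -WhatIf / -Confirm apply to every code.
    if (-not $PSCmdlet.ShouldProcess('carbonblack service', "send control code $Code")) {
        return
    }

    $started = Get-Date
    # "sc" is an alias for Set-Content in PowerShell; call the executable explicitly.
    $output = & sc.exe control carbonblack $Code 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "sc.exe control carbonblack $Code failed (exit $LASTEXITCODE): $output"
    }

    if ($Code -ne 201) {
        return
    }

    # For a diagnostic dump, wait for a SensorComms.log written after we sent
    # the code, so a stale file from an earlier dump is not mistaken for it.
    $log = Join-Path $env:WINDIR 'CarbonBlack\Diagnostics\SensorComms.log'
    $deadline = $started.AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        if ((Test-Path -LiteralPath $log) -and ((Get-Item -LiteralPath $log).LastWriteTime -ge $started)) {
            return Get-Item -LiteralPath $log
        }
        Start-Sleep -Seconds 2
    }
    throw "Timed out after $TimeoutSeconds seconds waiting for $log"
}

# Usage (from an elevated PowerShell prompt):
#   Send-CbSensorControl -Code 200            # force a check-in with the EDR server
#   Send-CbSensorControl -Code 201            # diagnostic dump; returns the SensorComms.log FileInfo
#   Send-CbSensorControl -Code 210 -WhatIf    # show what would be sent without resetting the sensor
```

The function returns the FileInfo for SensorComms.log only for code 201, which lets a collection script confirm the dump landed before copying the Diagnostics directory elsewhere; for the other codes the sc.exe exit code is the only signal the article gives that the control was accepted.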