How to Collect VMware Carbon Black Endpoint Sensor Logs Using Live Response

Learn instructions to collect VMware Carbon Black Endpoint and Carbon Black Defense logs remotely using the Live Response Feature in the VMware Carbon Black Cloud Console.

Affected Products:

• VMware Carbon Black Endpoint

Affected Versions:

• v3.4 and Later

Affected Operating Systems:

• Windows

VMware Carbon Black Cloud's Live Response feature is a method to collect sensor logs remotely from Microsoft Windows endpoints to provide to support for troubleshooting.

Ensure that the Live Response policy is enabled for the endpoint. The default setting is Disabled.

To collect logs using Live Response, an administrator must first Enable Policy, Run Live Response, and then Download Logs. Click the appropriate action for more information.

Enable Policy

1. In a web browser, go to <REGION>.conferdeploy.net.
   Note: <REGION> = Region of tenant

   • Americas = https://defense-prod05.conferdeploy.net/
   • Europe = https://defense-eu.conferdeploy.net/
   • Asia Pacific = https://defense-prodnrt.conferdeploy.net/
   • Australia and New Zealand = https://defense-prodsyd.conferdeploy.net
2. Sign In to the VMware Carbon Black Cloud.
   
3. In the left menu pane, click Enforce.
   
4. Click Policies.
   
5. Select a policy.
   
6. Click the Sensor tab and verify that Enable Live Response is selected.
   

Run Live Response

Running Live Response differs based on whether v3.6 and Later or v3.4 to 3.5 is running of VMware Carbon Black Cloud Endpoint Sensor. Click the appropriate version for more information.

v3.6 and Later

1. In the left menu pane, click Endpoints.
   
2. In the All Sensors user interface (UI):
   1. Locate the appropriate Device Name.
   2. Click the drop-down box under Actions.
   3. Click Live Response.
   
3. Once Live Response connects, type cd c:\program files\confer and then press Enter.
   
4. Type execfg cmd /c repcli capture "<PATH>" and then press Enter. This runs the RepCLI Utility to capture logging.
   
   Note: <PATH> = The absolute path of the log destination folder
5. Once the capture is complete, a prompt indicates that captured logs are placed in the specified destination folder with a file name of psc_sensor.zip.
   Note: This may take several minutes, depending on the network bandwidth for both the endpoint that logs are being captured on and the device receiving the files.

v3.4 to 3.5

1. In the left menu pane, click Endpoints.
   
2. In the All Esensors user interface (UI):
   1. Locate the appropriate Device Name.
   2. Click the drop-down box under Actions.
   3. Click Live Response.
   
3. Once Live Response connects, type cd c:\program files\confer and then press Enter.
   
4. Type execfg repcli capture and then press Enter. This runs the RepCLI Utility to capture logging.
   
5. Once the capture is complete, a prompt indicates that captured logs are placed in C:\Windows\Temp\cb-temp with a file name of psc_sensor.zip.
   Note: This may take several minutes, depending on the network bandwidth for both the endpoint that logs are being captured on and the device receiving the files.

Download Logs

1. Type cd C:\Windows\Temp\cb-temp and then press Enter.
   Note: If only the confer.log is required, it can be directly collected by browsing to C:\Program Files\Confer, typing get confer.log, and then pressing Enter.
2. Type get psc_sensor.zip and then press Enter.
   
3. The file downloads to your local computer with an alphanumeric filename. Rename the file to add a .zip extension.
   Note:

   • Example alphanumeric filename: 36355d97-18f4-416e-be8f-473bda7c30fb
   • Example renamed filename: SensorCapture.zip

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.