Cb Defense: How to Locally Verify the Defense Sensor for Windows is Running
Article ID: 285610
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Steps to verify that the Defense Sensor on Windows is actively running from the local machine.
Environment
Cb Defense Sensor: All Versions
Microsoft Windows: All Supported Versions
Resolution
For sensor version 2.x to Current:
From an elevated command prompt, run the following command: reg query "HKLM\System\CurrentControlSet\Services\CbDefense"
Examine the output and verify that "ServiceRunning" has a value of 0x1.
You should NOT see a "Passthru" value under this key. If "Passthru" is present, the sensor is in full bypass and is not protecting the machine.
For sensor versions 1 - 1.0.6.196:
From an elevated command prompt, run the following command: reg query "HKLM\System\CurrentControlSet\Services\Confer Sensor Service"
Examine the output and verify that "ServiceRunning" has a value of 0x1.
You should NOT see a "Passthru" value under this key. If "Passthru" is present, the sensor is in full bypass and is not protecting the machine.
Additional Information
You can also verify that the Defense Sensor is running from the console: check the device's last check-in time on the endpoints page, or open the information page for a specific device.
The local registry check can also be automated, which is useful for organizations with a large sensor install base.
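The local check above, scripted in PowerShell as an added example (not from the KB article): it reads the same registry keys for both service names, applies the two conditions the article states (ServiceRunning is 1 and no Passthru value exists), and returns an object that a scheduler or fleet-management tool can consume. The function name and output fields are this example's own.

```powershell
# Added example, not Carbon Black code. Key paths and the value names ServiceRunning / Passthru
# come from the KB article; Get-CbDefenseSensorState and its output fields are this example's own.
function Get-CbDefenseSensorState {
    # Current (2.x and later) service key first, then the legacy 1.x key named in the article.
    $keyPaths = @(
        'HKLM:\SYSTEM\CurrentControlSet\Services\CbDefense',
        'HKLM:\SYSTEM\CurrentControlSet\Services\Confer Sensor Service'
    )

    foreach ($path in $keyPaths) {
        if (-not (Test-Path -Path $path)) { continue }

        $props          = Get-ItemProperty -Path $path -ErrorAction Stop
        $serviceRunning = $props.PSObject.Properties['ServiceRunning']
        $passthru       = $props.PSObject.Properties['Passthru']

        # Condition 1: ServiceRunning must exist and equal 1 (0x1 in reg query output).
        $isRunning = ($null -ne $serviceRunning) -and ([int]$serviceRunning.Value -eq 1)
        # Condition 2: any Passthru value at all means the sensor is in full bypass.
        $inBypass  = ($null -ne $passthru)

        $runningValue = $null
        if ($null -ne $serviceRunning) { $runningValue = $serviceRunning.Value }

        return [pscustomobject]@{
            ComputerName   = $env:COMPUTERNAME
            RegistryKey    = $path
            ServiceRunning = $runningValue
            PassthruSet    = $inBypass
            Healthy        = ($isRunning -and -not $inBypass)
        }
    }

    # Neither service key exists: the sensor is not installed or its service key is missing.
    return [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        RegistryKey    = $null
        ServiceRunning = $null
        PassthruSet    = $false
        Healthy        = $false
    }
}

# Run from an elevated prompt. A non-zero exit code lets a scheduled task or RMM job flag the host.
$state = Get-CbDefenseSensorState
$state | Format-List
if (-not $state.Healthy) { exit 1 }
```

For many endpoints, wrap the function in Invoke-Command against a list of hosts and collect the returned objects; a Healthy value of False, or a null RegistryKey, identifies machines that need attention.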