Cb Defense: How to Locally Verify the Defense Sensor for Windows is Running

Article ID: 285610

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • Steps to verify that the Defense Sensor on Windows is actively running from the local machine.

Environment

  • Cb Defense Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Resolution

  • For sensor versions 2.x to current:
    1. From an elevated command prompt, run the following command: reg query "HKLM\System\CurrentControlSet\Services\CbDefense"
    2. Examine the output and verify that the "ServiceRunning" value is 0x1.
    3. You should NOT see a value for "Passthru". If "Passthru" is present, the sensor is in full bypass and is not protecting the machine.
  • For sensor versions 1 - 1.0.6.196:
    1. From an elevated command prompt, run the following command: reg query "HKLM\System\CurrentControlSet\Services\Confer Sensor Service"
    2. Examine the output and verify that the "ServiceRunning" value is 0x1.
    3. You should NOT see a value for "Passthru". If "Passthru" is present, the sensor is in full bypass and is not protecting the machine.

Additional Information

  • You can also verify that the Defense Sensor is running by checking the device's check-in time on the Endpoints page, or by looking at a specific device's information page.
  • This method can also be automated, which could be useful for organizations with a large sensor install base.
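
One way to automate the registry check above, as an added example (not vendor-supplied code). The key paths and value names are the ones given in the Resolution steps; the function name Get-CbDefenseSensorState, the status labels and the exit code are assumptions made for illustration.

```powershell
# Added example, not vendor code. Key paths and value names come from the
# article; function name, status labels and exit code are assumptions.
function Get-CbDefenseSensorState {
    [CmdletBinding()]
    param(
        # Service key names from the article: 2.x to current first,
        # then the key used by versions 1 - 1.0.6.196.
        [string[]]$ServiceKeyName = @('CbDefense', 'Confer Sensor Service')
    )

    foreach ($name in $ServiceKeyName) {
        $path = "HKLM:\System\CurrentControlSet\Services\$name"
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $props       = Get-ItemProperty -LiteralPath $path
        $valueNames  = $props.PSObject.Properties.Name
        $hasRunning  = $valueNames -contains 'ServiceRunning'
        $hasPassthru = $valueNames -contains 'Passthru'

        # Per the article, any "Passthru" value means full bypass, so it
        # takes precedence over ServiceRunning when deciding the status.
        if ($hasPassthru) { $status = 'Bypass' }
        elseif ($hasRunning -and $props.ServiceRunning -eq 1) { $status = 'Running' }
        else { $status = 'NotRunning' }

        $running = $null
        if ($hasRunning) { $running = $props.ServiceRunning }

        return [pscustomobject]@{
            ComputerName   = $env:COMPUTERNAME
            ServiceKey     = $name
            ServiceRunning = $running
            PassthruSet    = $hasPassthru
            Status         = $status
        }
    }

    # Neither service key exists: no sensor registration found on this host.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME; ServiceKey = $null
        ServiceRunning = $null; PassthruSet = $false; Status = 'NotInstalled'
    }
}

$state = Get-CbDefenseSensorState
$state
# Non-zero exit lets a management or monitoring tool flag the host.
if ($state.Status -ne 'Running') { exit 1 }
```

Run it from an elevated PowerShell session, as the manual steps do; the emitted object can be collected centrally so hosts reporting Bypass, NotRunning or NotInstalled are followed up.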