Running an On-Demand Scan With RepCLI
search cancel

Running an On-Demand Scan With RepCLI

book

Article ID: 286291

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

How to run an expedited On-Demand Scan on an endpoint with the RepCLI utility.

Environment

  • Carbon Black Cloud Sensor: 3.3 and Higher
  • Microsoft Windows: All Supported Versions

Resolution

For 4.0.0 Sensors and later:

  1. Log into the machine using an account with Sensor administrator-level access (Sid provided during install) or run the unlock command.
  2. From Command Prompt, run the following commands.
    cd "C:\Program Files\Confer"
    repcli ondemandscan /Dir=C:\Desired\Path\Here /WaitOnResults
  3. Results will be returned in the command line window once the scan is complete, or can be retrieved using the following commands.
    repcli ondemandscan /ScanHistory
    repcli ondemandscan /ScanResults=InsertScanIDValueHere
    
    For a full list of supported command flags and syntax, see On-Demand Scan Using RepCLI.

For 3.9.2 Sensors and earlier:

  1. Log into the machine with a user account that matches the AD User or Group SID configured for RepCLI Authentication.
  2. From Command Prompt, run the following commands.
    cd "C:\Program Files\Confer"
    repcli ondemandscan [directory path]
  3. Progress can be tracked with the "repcli status" command, which includes scan information under the General Info section. Example:
    C:\Program Files\Confer> repcli status
    
    General Info:
            Sensor Version[3.3.0.984]
            Local Scanner Version[4.9.0.264 - ave.8.3.52.154:avpack.8.4.3.26:vdf.8.15.17.116]
           Sensor State[Enabled]
            Details[]
            Kernel File Filter[Connected]
            Background Scan[Expedited Scan]
            Total Files Processed[2025]  Current Directory[C:\Program Files\Common Files\VMware\InstallerCache]

Additional Information

  • Scans cannot be initiated while the Sensor is in Bypass.
  • Multiple directory scans cannot be run concurrently.
  • The On-Demand Scan will run as an expedited scan, which means the scan will run faster than a normal background scan and may impact performance.
  • The scan is a report-only function and will not directly remove known malware. 
  • The On-Demand Scan will run on the specified directory or file and will generate file hashes and reputation lookups. This data will be stored in a local database for future file lookups.
  • Any on-demand scans launched by RepCLI will be logged in the Windows Application Logs under Event ID 17.
  • If no path argument is specified, the Sensor will scan all "fixed" drives, by default.
For 4.0 Sensors and later:
  • On-Demand Scans can be run against removeable media.
  • Scans can be made against a single file using the syntax, "/File=C:\Path\To\File.exe".
  • Single-file scans can be performed while an ongoing Background Scan or concurrent On-Demand Scan is running.
  • By default, any banned hashes detected by an On-Demand Scan will be returned in the scan results as having an "infected reputation", though this behavior can be altered via configprop.
For 3.9.2 Sensors and earlier:
  • On-Demand Scan is unable to target removeable media. 
  • The scan will only run on the contents of a specified directory or drive- it can not run on individual files.