Running an On-Demand Scan With RepCLI
search cancel

Running an On-Demand Scan With RepCLI


Article ID: 286291


Updated On:


Carbon Black Cloud Endpoint Standard (formerly Cb Defense)


How to run an expedited On-Demand Scan on an endpoint with the RepCLI utility.


  • Carbon Black Cloud Sensor: 3.3 and Higher
  • Microsoft Windows: All Supported Versions


For 4.0.0 Sensors and later:

  1. Log into the machine using an account with Sensor administrator-level access (Sid provided during install) or run the unlock command.
  2. From Command Prompt, run the following commands.
    cd "C:\Program Files\Confer"
    repcli ondemandscan /Dir=C:\Desired\Path\Here /WaitOnResults
  3. Results will be returned in the command line window once the scan is complete, or can be retrieved using the following commands.
    repcli ondemandscan /ScanHistory
    repcli ondemandscan /ScanResults=InsertScanIDValueHere
    For a full list of supported command flags and syntax, see On-Demand Scan Using RepCLI.

For 3.9.2 Sensors and earlier:

  1. Log into the machine with a user account that matches the AD User or Group SID configured for RepCLI Authentication.
  2. From Command Prompt, run the following commands.
    cd "C:\Program Files\Confer"
    repcli ondemandscan [directory path]
  3. Progress can be tracked with the "repcli status" command, which includes scan information under the General Info section. Example:
    C:\Program Files\Confer> repcli status
    General Info:
            Sensor Version[]
            Local Scanner Version[ - ave.]
           Sensor State[Enabled]
            Kernel File Filter[Connected]
            Background Scan[Expedited Scan]
            Total Files Processed[2025]  Current Directory[C:\Program Files\Common Files\VMware\InstallerCache]

Additional Information

  • Scans cannot be initiated while the Sensor is in Bypass.
  • Multiple directory scans cannot be run concurrently.
  • The On-Demand Scan will run as an expedited scan, which means the scan will run faster than a normal background scan and may impact performance.
  • The scan is a report-only function and will not directly remove known malware. 
  • The On-Demand Scan will run on the specified directory or file and will generate file hashes and reputation lookups. This data will be stored in a local database for future file lookups.
  • Any on-demand scans launched by RepCLI will be logged in the Windows Application Logs under Event ID 17.
  • If no path argument is specified, the Sensor will scan all "fixed" drives, by default.
For 4.0 Sensors and later:
  • On-Demand Scans can be run against removeable media.
  • Scans can be made against a single file using the syntax, "/File=C:\Path\To\File.exe".
  • Single-file scans can be performed while an ongoing Background Scan or concurrent On-Demand Scan is running.
  • By default, any banned hashes detected by an On-Demand Scan will be returned in the scan results as having an "infected reputation", though this behavior can be altered via configprop.
For 3.9.2 Sensors and earlier:
  • On-Demand Scan is unable to target removeable media. 
  • The scan will only run on the contents of a specified directory or drive- it can not run on individual files.