How to verify AV Signatures are updating in Endpoint Standard.
search cancel

How to verify AV Signatures are updating in Endpoint Standard.

book

Article ID: 286299

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Provide steps to verify Local Scanner Virus Definition files (VDF) are updating on Endpoint Standard Sensor

Environment

  • Carbon Black Cloud (formerly PSC) Console: All Versions
    • Endpoint Standard (formerly CB Defense) sensor: 2.0 and higher
  • Microsoft Windows: All Supported Versions
  • Local Scan and Signature Updates enabled

Resolution

Via Endpoints page

  1. Go to the Endpoints page in the CBC Console
  2. Search for the desired Device Name
  3. Expand the Device Details
  4. Check 'Scan Engine' field for VDF version; Example: 
    Scan Engine: 4.11.0.307-ave.8.3.54.68:avpack.8.5.0.12:vdf.8.16.19.110:apc.2.10.0.110
  5. Check the published date for the VDF version listed: https://broadcomcms-software.wolkenservicedesk.com/external/article?articleNumber=289498

NOTE: If signatures are up to date, the "SIG" column on the Endpoint page will display a green circle for the endpoint.

 

Live Response (LR) with RepCLI enabled

  1. Go to the Endpoints page
  2. Search for the desired Device Name
  3. Click on the Live Response icon ('>_') to initiate LR session
  4. Change directory to the Confer folder
    cd C:\Program Files\Confer
  5. Run command to get current Sensor status
    repcli status
  6. Check 'Local Scanner' line for VDF version; Example: 
    Local Scanner Version[4.11.0.307 - ave.8.3.54.68:avpack.8.5.0.12:vdf.8.16.19.110:apc.2.10.0.110]
  7. Check the published date for the VDF version listed: https://broadcomcms-software.wolkenservicedesk.com/external/article?articleNumber=289498

Locally on endpoint using cmd.exe

  1. Connect to the desired device
  2. Launch cmd.exe
  3. Run the following commands:
In 3.5 an earlier sensor versions:
type "c:\Program Files\Confer\scanner\upd.log" | find "\aevdf.dat" | find "!="
In 3.6 and later sensor versions:
type "C:\ProgramData\CarbonBlack\Logs\upd.log" | find "\aevdf.dat" | find "!="
  1. Copy the highest VDF version (last entry returned); Example:
    Callback: C:\Program Files\Confer\scanner\...\aevdf.dat 8.16.19.108 != 8.16.19.110
  2. Check the published date for the VDF version listed: https://broadcomcms-software.wolkenservicedesk.com/external/article?articleNumber=289498