Carbon Black Cloud Sensor - How to identify if Quarantine is enabled locally?


Article ID: 287819


Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

What are the different ways to verify that the sensor is in quarantine?

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Windows Sensor: All Supported Versions

Resolution

With the release of the 4.0 sensor, the output of repcli status includes the quarantine status.

For pre-4.0 sensors, check the registry key HKLM\SYSTEM\CurrentControlSet\services\ctifile for a DWORD value named "Quarantine" set to 1. When the driver enters quarantine it writes this value so that quarantine is enforced on the next reboot.
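
The pre-4.0 registry check, written as a PowerShell function that tells a missing key, a missing value, and a value of 1 apart. This is an added example, not vendor code: the function name and the State labels are assumptions, and only the key path, the value name, and the meaning of 1 come from this article.

```powershell
# Added example: reads the pre-4.0 quarantine marker described in this article.
# Function name and State labels are illustrative assumptions.
function Get-CbcQuarantineMarker {
    [CmdletBinding()]
    param(
        # Key path and value name as given in the article.
        [string]$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\services\ctifile',
        [string]$ValueName = 'Quarantine'
    )

    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        KeyPath      = $KeyPath
        KeyPresent   = $false
        RawValue     = $null
        State        = 'KeyMissing'      # ctifile service key not found
    }

    if (Test-Path -LiteralPath $KeyPath) {
        $result.KeyPresent = $true
        $key = Get-Item -LiteralPath $KeyPath

        if ($key.GetValueNames() -contains $ValueName) {
            $raw  = $key.GetValue($ValueName)
            $kind = $key.GetValueKind($ValueName)
            $result.RawValue = $raw

            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                $result.State = 'UnexpectedType'   # article expects a DWORD
            } elseif ($raw -eq 1) {
                $result.State = 'Quarantined'      # DWORD 1, per the article
            } else {
                $result.State = 'NotSetToOne'
            }
        } else {
            $result.State = 'ValueAbsent'          # key exists, no marker written
        }
    }

    [pscustomobject]$result
}

Get-CbcQuarantineMarker | Format-List
```

The function reports only what is stored in the registry; on 4.0 and later sensors, use repcli status as described above.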