EDR: Command line searches with arguments containing spaces return incorrect results

Article ID: 289809

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Searches for command line arguments that contain spaces return incorrect results: the results contain part of the query, but with slightly different arguments.

Environment

  • EDR Server: 7.x

Cause

The command line is parsed by spaces. When searching, queries must be enclosed in double-quotes to avoid this parsing.

Resolution

  • When searching for command line arguments with spaces, use double-quotes and escape characters.
    • Example: cmdline:"reg query \"HKLM\\Software\\WOW6432Node\\\""

Additional Information

The escape character (backslash \) is needed before each double-quote and each backslash inside the quoted value.
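
As an added example (not from the original article or the product), this Python helper applies the two escaping rules above to a raw command line and checks a hand-written term against them. The function names are hypothetical, and the checker is a local lint of those two rules, not the EDR server's own parser.

```python
PREFIX = 'cmdline:"'

def build_cmdline_query(raw: str) -> str:
    """Wrap a raw command line in double-quotes, escaping \\ and " per the article."""
    # Escape backslashes first so the backslashes added for quotes are not doubled.
    escaped = raw.replace("\\", "\\\\").replace('"', '\\"')
    return PREFIX + escaped + '"'

def parse_cmdline_term(term: str) -> str:
    """Return the literal command line a quoted term stands for.

    Raises ValueError when the term breaks one of the two rules, which is
    the situation where a search would be split on spaces or mis-read.
    """
    if not term.startswith(PREFIX) or not term.endswith('"') or len(term) <= len(PREFIX):
        raise ValueError("value must be enclosed in double-quotes")
    body = term[len(PREFIX):-1]
    out = []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":
            # A backslash is only valid as the start of \\ or \"
            nxt = body[i + 1] if i + 1 < len(body) else ""
            if nxt not in ("\\", '"'):
                raise ValueError(f"unescaped backslash at offset {i}")
            out.append(nxt)
            i += 2
        elif ch == '"':
            raise ValueError(f"unescaped double-quote at offset {i}")
        else:
            out.append(ch)
            i += 1
    return "".join(out)

if __name__ == "__main__":
    # Constructed sample: the raw command line behind the article's example.
    raw = 'reg query "HKLM\\Software\\WOW6432Node\\"'
    query = build_cmdline_query(raw)
    print(query)
    print(parse_cmdline_term(query) == raw)
```
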