Carbon Black Cloud: How to Run a Background Scan in a Non-Persistent VDI Environment
Article ID: 292166
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
While the official recommendation is to disable the Background Scan Policy setting in a Non-Persistent VDI Environment, this document outlines alternative configuration options.
Environment
- Carbon Black Cloud Sensor: 3.3.x.x and Higher
- Microsoft Windows: All Supported Versions
- Supported Non-persistent VDI (See Sensor Install Guide for Supported Methods)
Resolution
- Install Sensor on Primary/Golden image specifying approved Security Identifier (SID) for RepCLI (can be either specific User or Group SID)
Add the following to command-line install script CLI_USERS={Desired_SID} - Log into Primary/Golden image as user account that matches the AD User or Group SID configured at the time of Sensor install
- Launch a Command Prompt
- Initiate on-demand scan using RepCLI
"C:\Program Files\Confer\RepCLI.exe" ondemandscan C:\
- Progress can be tracked via "repcli status" command, which includes scan information under the General Info section
> "C:\Program Files\Confer\RepCLI.exe" status General Info: Sensor Version[3.3.0.984] Local Scanner Version[4.9.0.264 - ave.8.3.52.154:avpack.8.4.3.26:vdf.8.15.17.116] Details[] Kernel File Filter[Connected] Background Scan[Complete] Total Files Processed[2025] Current Directory[None]
Additional Information
- The OnDemandScan will run on the specified directory and files and generate file hashes and reputation lookups; data will be stored in local database for future file lookups
- This local store will help reduce the cost on each cloned machine from having to do hashing, file analysis, and reputation lookups for those files already scanned on the primary image
- The OnDemandScan will run as an expedited scan, which means the scan will run faster than a normal background scan and may impact performance
- Any on-demand scans launched by RepCLI will be logged in the Windows Application Logs under Event ID 17
Feedback
Yes
No
Powered by
