Check the Manifest Version and Find ManifestDownloadFailure / ContentDownloadFailure Alarms

Article ID: 291993

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

This article explains how to check the current revision of the dynamic detection and prevention features (management content manifests) and the date and time they were last updated for a given Sensor.

Environment

  • Carbon Black Cloud Sensor: All Supported Versions
  • Microsoft Windows: All Supported Versions
  • macOS: All Supported Versions
  • Linux: All Supported Versions

Resolution

Windows

Checking the Version

  1. Launch an administrative command prompt
  2. Run Command:
    "C:\Program Files\Confer\RepCLI.exe" status | findstr Manifest
  3. Output will show version/revision in use. Example:
    EEDR Reporting Revision[108]: Enabled (Manifest)
    Unified Binary Store (UBS) Metadata Reporting Revision[27]: Enabled (Manifest)
    Unified Binary Store (UBS) Upload Revision[31]: Enabled (Manifest)
    Ransomware Detection Revision[6]: Enabled (Manifest)
    Ransomware Prevention Revision[10]: Enabled (Manifest)
    Device Control Reporting Policy Revision[11]: Enabled (Manifest)
    Privilege Escalation Report Revision[4]: Enabled (Manifest)
    Privilege Escalation Prevention Revision[3]: Enabled (Manifest)
    Carbon Black Threat Intelligence Detection Revision[6]: Enabled (Manifest)
    AMSI Threat Intelligence Detection Revision[45]: Enabled (Manifest)
    Credential Theft Detection Revision[16]: Enabled (Manifest)
    Credential Theft Prevention Revision[10]: Enabled (Manifest)
    Carbon Black Threat Intelligence Prevention Revision[6]: Enabled (Manifest)
    AMSI Threat Intelligence Prevention Revision[21]: Enabled (Manifest)
    Disguised Names Detection Revision[15]: Enabled (Manifest)
    IoA rules Revision[3]: Enabled (Manifest)
    Last Manifest Content Update Time[MM/DD/YYYY hh:mm:ss]

Checking for Alarms (manifest download failures)

  • If the output of the same 'repcli status' command shown above includes 'ManifestDownloadFailure', the Sensor is or was having issues downloading data from the content management service (content.carbonblack.io)
    ManifestDownloadFailure: <Number> times, MM/DD/YYYY hh:mm:ss
    • If the <Number> in the output does not increase on subsequent checks, the Sensor is not having ongoing problems with downloading content manifests
    • If the <Number> in the output does increase on subsequent checks, the Sensor is having ongoing problems with downloading content manifests and actions should be taken to allow communications to content.carbonblack.io

macOS

Checking the Version

  1. Launch terminal emulator
  2. Check for current ruleset revision
    sudo /Applications/VMware\ Carbon\ Black\ Cloud/repcli.bundle/Contents/MacOS/repcli status | grep -Ei --color "revision.*manifest"
  3. Output will show versions/revisions in use. Example:
    EEDR Reporting Revision[<rev#>]: Enabled(Manifest)
    Device Control Reporting Policy Revision[<rev#>]: Enabled(Manifest)

Checking for Alarms (manifest download failures)

  1. Launch terminal emulator
  2. Check for alarm in SensorAlarms.log
    sudo grep -Ein --color "ManifestDownloadFailure" /Library/Application\ Support/com.vmware.carbonblack.cloud/Logs/SensorAlarms.log
  3. Output will show the dates and times of relevant alarms
    <line#>:MM/DD/YY hh:mm:ss [INFO] ... ManifestDownloadFailure, AddDownloadError: Error[Content download failed]

Linux

Checking the Version

  1. Launch terminal emulator
  2. Check for current ruleset revision
    sudo grep -Ein --color "tarefreshpolicy.*revision:" /var/opt/carbonblack/psc/log/blades/E51C4A7E-2D41-4F57-99BC-6AA907CA3B40/threat_hunter_log.txt
  3. Output will show versions/revisions in use. Example:
    <line>:[YYYY-MM-DD hh:mm:ss.ssssss]... ThMgr : TARefreshPolicy : Linux TH Ruleset Revision: <rev#>
    <line>:[YYYY-MM-DD hh:mm:ss.ssssss]... ThMgr : TARefreshPolicy : Linux Defense Ruleset Revision: <rev#>
    <line>:[YYYY-MM-DD hh:mm:ss.ssssss]... ThMgr : TARefreshPolicy : Linux HashBan Ruleset Revision: <rev#>
    • Organizations with Endpoint Standard or without Enterprise EDR will see Linux HashBan Ruleset Revision with a value of 0
      Linux HashBan Ruleset Revision: 0

Checking for Alarms (manifest download failures)

  1. Launch terminal emulator
  2. Check for alarm in log.txt
    sudo grep -Ein --color "Added [[]ContentDownloadFailure[]] Telemetry event to Telemetry Event Sink." /var/opt/carbonblack/psc/log/log.txt
  3. Output will show the dates and times of relevant alarms
    <line#>:[YYYY-MM-DD hh:mm:ss.ssssss]... ReMgr : TAProcessEvent : Added [ContentDownloadFailure] Telemetry event to Telemetry Event Sink.
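
The Windows section decides whether a download problem is ongoing by whether the failure count rises between checks. The script below is an added example, not Carbon Black code, that applies the same test to the Linux log by counting ContentDownloadFailure lines newer than a cutoff; the function names, the cutoff argument and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): are ContentDownloadFailure alarms still occurring?
# Real use, with the log path taken from the article's grep command:
#   sudo sh -c '. ./check.sh; content_status /var/opt/carbonblack/psc/log/log.txt "2024-05-01 12:00:00"'

# content_failures_since LOGFILE "YYYY-MM-DD hh:mm:ss"   (LOGFILE "-" reads stdin)
# Prints "<count> <latest alarm time, or ->" for alarms logged after the cutoff.
# Timestamps in this format compare correctly as plain strings.
content_failures_since() {
    awk -v cutoff="$2" '
        /Added \[ContentDownloadFailure\] Telemetry event to Telemetry Event Sink/ {
            ts = substr($0, 2, 19)   # text after "[" up to the fractional seconds
            # Skip lines whose leading timestamp is missing or malformed.
            if (substr($0, 1, 1) != "[" || ts !~ /^[0-9-]+ [0-9:]+$/) next
            if ((ts "") > (cutoff "")) {
                n++
                if ((ts "") > (last "")) last = ts
            }
        }
        END { printf "%d %s\n", n, (n ? last : "-") }
    ' "$1"
}

# content_status LOGFILE CUTOFF
# Turns the count into the verdict the article describes for the Windows counter:
# no new alarms since the last check means the problem is not ongoing.
content_status() {
    result=$(content_failures_since "$1" "$2")
    case $result in
        "0 "*) echo "not ongoing: no new alarms since $2" ;;
        *)     echo "ongoing: ${result%% *} new alarm(s), latest ${result#* }" ;;
    esac
}

# Constructed sample lines in the format shown above ("..." mirrors the article's elision).
sample_log() {
    cat <<'EOF'
[2024-05-01 09:15:02.123456]... ReMgr : TAProcessEvent : Added [ContentDownloadFailure] Telemetry event to Telemetry Event Sink.
[2024-05-01 09:20:10.000001]... (constructed unrelated line)
[2024-05-02 14:30:55.654321]... ReMgr : TAProcessEvent : Added [ContentDownloadFailure] Telemetry event to Telemetry Event Sink.
[2024-05-03 08:00:41.111111]... ReMgr : TAProcessEvent : Added [ContentDownloadFailure] Telemetry event to Telemetry Event Sink.
EOF
}

# Demo on the constructed sample, using the time of the previous check as the cutoff.
sample_log | content_status - "2024-05-01 12:00:00"
```

Pass the time of the previous check as the cutoff; a non-zero count on repeated checks corresponds to the increasing <Number> case described for Windows.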