Help

Carbon Black (response) Extension Attribute?

Go to solution
obi-k
Valued Contributor III

Posted on ‎07-31-2019 06:31 AM

Hello!

Anybody using a Carbon Black extension attribute that reports the version/installation? Mind sharing?

Thanks!

0 Kudos
Reply
1 ACCEPTED SOLUTION

Go to solution
scoffey
New Contributor

Posted on ‎07-31-2019 07:52 AM

Here is what I use to check for installation and version.

#!/bin/bash

if [ -e /Applications/CarbonBlack ] ; then
    RESULT=$(defaults read /Applications/CarbonBlack/CbDigitalSignatureHelper.xpc/Contents/Info.plist CFBundleShortVersionString)
    echo "<result>$RESULT</result>"
else
    echo "<result>Not Installed</result>"
fi

View solution in original post

0 Kudos
Reply
7 REPLIES 7

Go to solution
scoffey
New Contributor

Posted on ‎07-31-2019 07:52 AM

Here is what I use to check for installation and version.

#!/bin/bash

if [ -e /Applications/CarbonBlack ] ; then
    RESULT=$(defaults read /Applications/CarbonBlack/CbDigitalSignatureHelper.xpc/Contents/Info.plist CFBundleShortVersionString)
    echo "<result>$RESULT</result>"
else
    echo "<result>Not Installed</result>"
fi
0 Kudos
Reply

Go to solution
RMD_IT
New Contributor
In response to scoffey

Posted on ‎05-24-2022 06:31 PM

does this need to be modified at all as different versions of the CB response agent come into production?

0 Kudos
Reply

Go to solution
obi-k
Valued Contributor III

Posted on ‎07-31-2019 08:17 AM

Thank you @scoffey

Reply

Go to solution
obi-k
Valued Contributor III

Posted on ‎11-09-2020 10:47 AM

Do you happen to use a EA for Carbon Black Defense? Any issues with using both Carbon Black Defense and Carbon Black response on a Mac?

0 Kudos
Reply

Go to solution
ekkehard
Contributor

Posted on ‎01-21-2021 10:22 AM 

#!/bin/bash

commandList[0]="/Applications/VMware Carbon Black EDR.app/Contents/MacOS/CbOsxSensorService"
commandList[1]="/Applications/CarbonBlack/CbOsxSensorService"

arraySize=${#commandList[@]}
result="Not Installed"

validValueFound=false
index=0

while [ $index -lt $arraySize ] && [ "$validValueFound" = false ]
do
    currentCommand=${commandList[$index]}

    if [ -e "$currentCommand" ]
    then
        result=$("$currentCommand" -v | awk 'NR==1{print $0}')
        validValueFound=true
    else
        echo "currentCommand '$currentCommand' not found"
    fi
    index=$((index+1))
done

echo "<result>$result</result>"
exit 0
Reply

Go to solution
RMD_IT
New Contributor

Posted on ‎05-24-2022 06:38 PM

Excuse my ignorance, I've not worked with ext. attributes before - is this the appropriate way to implement this?

rmd-CB-extattribute.png

0 Kudos
Reply

Go to solution
RMD_IT
New Contributor

Posted on ‎05-24-2022 10:19 PM

fwiw, I used the script above to create an ext. attribute (as shown in screenshot); activated the new Extension Attribute (dubbed "carbon black status") and on a couple of test endpoints executed "sudo jamf recon" to force a checkin.

 

Upon doing so, the JAMF record of both test systems showed "carbon black status: not installed" even though on both endpoints in question the CB app was present and active (v3.4.2.23 on one, and 3.6.2.110 on another).

Appreciate any advise re: why this may not be reporting the correct status of the CB app

Attached screenshot of CB Cloud version from one of the test endpointsCB about screenshot.png

 

 
0 Kudos
Reply