Carbon Black (response) Extension Attribute?

mvu
Valued Contributor

Hello!

Anybody using a Carbon Black extension attribute that reports the version/installation? Mind sharing?

Thanks!

1 ACCEPTED SOLUTION

scoffey
New Contributor

Here is what I use to check for installation and version.

#!/bin/bash

if [ -e /Applications/CarbonBlack ] ; then
    RESULT=$(defaults read /Applications/CarbonBlack/CbDigitalSignatureHelper.xpc/Contents/Info.plist CFBundleShortVersionString)
    echo "<result>$RESULT</result>"
else
    echo "<result>Not Installed</result>"
fi

View solution in original post

4 REPLIES 4

scoffey
New Contributor

Here is what I use to check for installation and version.

#!/bin/bash

if [ -e /Applications/CarbonBlack ] ; then
    RESULT=$(defaults read /Applications/CarbonBlack/CbDigitalSignatureHelper.xpc/Contents/Info.plist CFBundleShortVersionString)
    echo "<result>$RESULT</result>"
else
    echo "<result>Not Installed</result>"
fi

View solution in original post

mvu
Valued Contributor

Thank you @scoffey

mvu
Valued Contributor

Do you happen to use a EA for Carbon Black Defense? Any issues with using both Carbon Black Defense and Carbon Black response on a Mac?

ekkehard
Contributor
#!/bin/bash

commandList[0]="/Applications/VMware Carbon Black EDR.app/Contents/MacOS/CbOsxSensorService"
commandList[1]="/Applications/CarbonBlack/CbOsxSensorService"

arraySize=${#commandList[@]}
result="Not Installed"

validValueFound=false
index=0

while [ $index -lt $arraySize ] && [ "$validValueFound" = false ]
do
    currentCommand=${commandList[$index]}

    if [ -e "$currentCommand" ]
    then
        result=$("$currentCommand" -v | awk 'NR==1{print $0}')
        validValueFound=true
    else
        echo "currentCommand '$currentCommand' not found"
    fi
    index=$((index+1))
done

echo "<result>$result</result>"
exit 0