This topic describes how to collect diagnostics for Carbon Black EDR Windows sensors in a sensor group that has Tamper Protection enabled.

Requirements:

  • Carbon Black EDR Windows sensors: 7.2.0 and later
  • Microsoft .NET 4.5 and later

Use Carbon Black Live Response to Collect Windows Sensor Diagnostic Logs with Tamper Protection Enabled

You can use Carbon Black Live Response to collect diagnostics for Carbon Black EDR Windows sensors in a sensor group that has Tamper Protection enabled.

Prerequisites

Requirements:
  • Carbon Black EDR Windows sensors: 7.2.0 and later
  • Microsoft .NET 4.5 and later

Procedure

  1. Establish a Carbon Black Live Response session and enter the following command. Replace <username> with your username.
    execfg cmd.exe /c sensordiag -type CDE -output c:\users\<username>\desktop\
  2. Collect the zip file from c:\users\<username>\desktop.

Use the Command Line to Collect Windows Sensor Diagnostic Logs with Tamper Protection Enabled

You can use the command line on an endpoint to collect diagnostics for Carbon Black EDR Windows sensors in a sensor group that has Tamper Protection enabled.

Prerequisites

Requirements:
  • Carbon Black EDR Windows sensors: 7.2.0 and later
  • Microsoft .NET 4.5 and later

Procedure

  1. On the endpoint, open a command prompt window with administrator permissions.
  2. Copy sensordiag.exe to a writable and executable path (replace <username> with your username):
    copy c:\windows\carbonblack\sensordiag.exe c:\users\<username>\desktop\
  3. Run sensordiag.exe:
    c:\users\<username>\desktop\sensordiag.exe -type CDE -output c:\users\<username>\desktop\
  4. Collect the zip file from c:\users\<username>\desktop.
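
The command-line procedure above as a single script for an elevated PowerShell prompt. This is an added example, not Carbon Black tooling: the elevation check, the no-spaces guard, the new-zip detection, the SHA-256 listing and the removal of the copied binary are assumptions layered on the two commands from the procedure, and it assumes sensordiag.exe is a console program that finishes before control returns.

```powershell
#Requires -RunAsAdministrator
# Added example: wraps the copy and run steps of the procedure above.
param(
    # Writable and executable folder; the procedure uses the user's desktop.
    [string]$OutDir = (Join-Path $env:USERPROFILE 'Desktop')
)
$ErrorActionPreference = 'Stop'

$source = 'C:\Windows\CarbonBlack\sensordiag.exe'   # path from the procedure
$staged = Join-Path $OutDir 'sensordiag.exe'

# The -output value ends in a backslash, as in the procedure. A quoted
# argument that ends in a backslash is misparsed by native programs, so
# refuse folders whose path contains whitespace (assumed guard).
if ($OutDir -match '\s') {
    throw "Choose an output folder without spaces: $OutDir"
}
if (-not (Test-Path -LiteralPath $source)) { throw "Not found: $source" }

# Remember which archives already exist so only new ones are reported.
$before = @(Get-ChildItem -LiteralPath $OutDir -Filter *.zip |
    Select-Object -ExpandProperty FullName)

Copy-Item -LiteralPath $source -Destination $staged -Force
try {
    & $staged -type CDE -output "$OutDir\"
}
finally {
    # Do not leave the staged copy of the tool behind on the endpoint.
    Remove-Item -LiteralPath $staged -Force -ErrorAction SilentlyContinue
}

$new = @(Get-ChildItem -LiteralPath $OutDir -Filter *.zip |
    Where-Object { $before -notcontains $_.FullName })
if ($new.Count -eq 0) { throw "sensordiag produced no new zip file in $OutDir" }

# List a SHA-256 per archive so the copy handed over can be verified later.
$new | Get-FileHash -Algorithm SHA256 | Format-List Path, Hash
```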