Skip to main content
Red Canary help

Gathering diagnostics for VMWare Carbon Black EDR (formerly CB Response)

  • Updated .

VMware Carbon Black provides diagnostic tools and scripts for each supported platform. You can easily collect the information most commonly required for troubleshooting.

After gathering the diagnostic file, send it to Red Canary by clicking on your account and choosing  Share a File.

Gathering diagnostics on Windows

To gather diagnostics for sensor versions 6.2.1 and below:

  1. Obtain the diagnostic tool via the official VMware Carbon Black Community, or have it sent to you by creating a Red Canary support case.
  2. Gather diagnostics by extracting the package and executing the binary with administrative privileges.
  3. When prompted, press 0 to begin. It may take up to 10 minutes to complete the process.

Once complete, a new archive will be created in the local folder where you saved the diagnostic tool and will be named for the time of generation, e.g., 2020-09-01_07_23_45.diag.gz.

To gather diagnostics for sensor versions 6.2.2 and above:

Note: .NET 4.5 or higher needs to be installed for this tool to work.

  1. Open a command prompt as administrator.
  2. Change directory to C:\Windows\CarbonBlack
  3. Run the diagnostic tool by running the following command: 
    Sensordiag.exe -type CDE
  4. Collect the output file at C:\Windows\CarbonBlack\diags\<filename>.zip

To gather diagnostics remotely via a Live Response session:

  1. Open a Live Response session with the endpoint.
  2. Put the diagnostic package in the desired remote directory and run the following command: 
    Execfg CbDiag.exe --tar
  3. Use the get command to obtain the resulting diagnostic package.

Gathering diagnostics on Linux

To execute the diagnostic script:

  1. Run the following command in a terminal session as root:

    Sensor version 6.1.x

    opt/cbsensor/sensordiag.sh

    Sensor version 6.2.x

    opt/carbonblack/response/bin/sensordiag.sh
  2. When complete, the diagnostic package will be created in the local working directory named as such: sensordiag_<Hostname>_<SensorVersion>_<TimeStamp>.tgz

Gathering diagnostics on macOS

To gather diagnostics for sensor versions 6.1.9 and below:

  1. Navigate to the Carbon Black directory.

  2. Open Terminal and change to the Carbon Black installation directory: 
    cd /Applications/CarbonBlack/
  3. Execute the diagnostic script. The script requires elevated permissions to gather certain files: 
    sudo ./sensordiag.sh
  4. The diagnostic package will be created in the current working directory, named using the following convention: sensordiag_<Hostname>_<SensorVersion>_<TimeStamp>.zip

To gather diagnostics for sensor versions 6.2.x-6.3.0:

  1. Navigate to the Carbon Black directory.
  2. Open Terminal and run the following command: 
    sudo /Applications/CarbonBlack/sensordiag -type CDE
  3. Optionally, gather logs from a specified date and later:
     
    sudo /Applications/CarbonBlack/sensordiag -type CDE -startdate 2018-06-29

To gather diagnostics for sensor versions 7.0 and above:

Note: Spaces in macOS directory names need to be preceded by a "\".

  1. Navigate to the Carbon Black directory.
  2. Open Terminal and run the following command: 
    sudo /Applications/VMware\ Carbon\ Black\ EDR.app/Contents/Helpers/sensordiag -type CDE
  3. Optionally, gather logs from a specified date and later:
     
    sudo /Applications/VMware\ Carbon\ Black\ EDR.app/Contents/Helpers/sensordiag -type CDE -startdate 2018-06-29

The diagnostic package will be created in the current working directory, named using the following convention: sensordiag_<Hostname>_<SensorVersion>_<TimeStamp>.zip

To gather diagnostics remotely via Live Response:

  1. Open a Live Response session with the endpoint.
  2. Run the command for your sensor version, for example: 
    execfg /Applications/CarbonBlack/sensordiag -type CDE
  3. Use the get command to obtain the resulting diagnostic package.