Hi guys Maybe I missing something but carbon black info not

Question

Hi guys Maybe I missing something but carbon black info not work at all return empty table Anyone know about it

theopolis · Answer

< Josh Hartwell> or < Justin Parks> do you mind taking a look at this

ET · Answer

I checked the code a bit and its look like osquery go the wrong registry path ``` Carbon Black registry path const std string kCbRegLoc = SOFTWARE CarbonBlack config queryKey HKEY LOCAL MACHINE + kCbRegLoc results ```

ET · Answer

I have client here and this path doesn t exists

Josh Hartwell · Answer

I can take a peak in a little bit as well W out having looked at the code yet I m suspicious that it s only looking for the reg path of 1 of our products We have 3 that would each have their own hive and likely slightly different paths depending on version as well CB EDR Formerly CB Response CB App Control Formerly CB Protect CB Cloud NGAV Formerly CB Defense

Josh Hartwell · Answer

< ET> Yeah just confirmed that ``` Carbon Black registry path const std string kCbRegLoc = SOFTWARE CarbonBlack config ``` Is the correct location for the Carbon Black EDR product Formerly Carbon Black Response Formerly the original Carbon Black company pre mergers pre acquisitions So it appears the carbon black info table is specific to the Carbon Black EDR Product So likely could do with some naming description updates in order to avoid confusion I m guessing your client has either CB Cloud or CB App Control products and not the CB EDR Product

seph · Answer

To be honest having a CB specific table feels weird I dunno that expanding it makes more sense than removing it

Mike Myers · Answer

Instead of losing the functionality maybe `windows security products` could be `security products` and expanded