https://github.com/osquery/osquery logo
Powered by
#general
Title
# general
e

ET

08/06/2020, 9:20 AM
Hi guys, Maybe I missing something but "*carbon_black_info"* not work at all (return empty table), Anyone know about it?
t

theopolis

08/06/2020, 2:32 PM
@Josh Hartwell or @Justin Parks do you mind taking a look at this?
e

ET

08/06/2020, 2:40 PM
I checked the code a bit and its look like osquery go the wrong registry path
Copy code
// Carbon Black registry path
const std::string kCbRegLoc = "SOFTWARE\\CarbonBlack\\config"; 
...
queryKey("HKEY_LOCAL_MACHINE\\" + kCbRegLoc, results);
I have client here and this path doesn't exists
j

Josh Hartwell

08/06/2020, 4:01 PM
I can take a peak in a little bit as well. W/out having looked at the code yet, I'm suspicious that it's only looking for the reg path of 1 of our products. We have 3, that would each have their own hive, and likely slightly different paths depending on version as well. CB EDR (Formerly CB Response) CB App Control (Formerly CB Protect) CB Cloud NGAV (Formerly CB Defense)
@ET Yeah, just confirmed that
Copy code
// Carbon Black registry path
const std::string kCbRegLoc = "SOFTWARE\\CarbonBlack\\config";
Is the correct location for the Carbon Black EDR product. • Formerly Carbon Black Response • Formerly the original "Carbon Black" company pre-mergers/pre-acquisitions. So it appears the carbon_black_info table is specific to the Carbon Black EDR Product. So likely could do with some naming/description updates in order to avoid confusion. I'm guessing your client has either CB Cloud or CB App Control products, and not the CB EDR Product?
s

seph

08/06/2020, 6:28 PM
To be honest, having a CB specific table feels weird. I dunno that expanding it makes more sense than removing it
🤷‍♂️ 1
m

Mike Myers

08/06/2020, 6:59 PM
Instead of losing the functionality maybe 
windows_security_products
could be 
security_products
and expanded
10 Views
Powered by