#general
ET

08/06/2020, 9:20 AM
Hi guys, maybe I'm missing something, but "carbon_black_info" doesn't work at all (returns an empty table). Anyone know about it?
theopolis

08/06/2020, 2:32 PM
@Josh Hartwell or @Justin Parks do you mind taking a look at this?
ET

08/06/2020, 2:40 PM
I checked the code a bit and it looks like osquery goes to the wrong registry path:
// Carbon Black registry path
const std::string kCbRegLoc = "SOFTWARE\\CarbonBlack\\config";
...
queryKey("HKEY_LOCAL_MACHINE\\" + kCbRegLoc, results);
2:41 PM
I have a client here and this path doesn't exist.
Josh Hartwell

08/06/2020, 4:01 PM
I can take a peek in a little bit as well. W/out having looked at the code yet, I'm suspicious that it's only looking for the reg path of 1 of our products. We have 3, that would each have their own hive, and likely slightly different paths depending on version as well:
• CB EDR (formerly CB Response)
• CB App Control (formerly CB Protect)
• CB Cloud NGAV (formerly CB Defense)
4:23 PM
@ET Yeah, just confirmed that:
// Carbon Black registry path
const std::string kCbRegLoc = "SOFTWARE\\CarbonBlack\\config";
is the correct location for the Carbon Black EDR product.
• Formerly Carbon Black Response
• Formerly the original "Carbon Black" company pre-mergers/pre-acquisitions.
So it appears the carbon_black_info table is specific to the Carbon Black EDR product. So it likely could do with some naming/description updates in order to avoid confusion. I'm guessing your client has either the CB Cloud or CB App Control product, and not the CB EDR product?
seph

08/06/2020, 6:28 PM
To be honest, having a CB-specific table feels weird. I dunno that expanding it makes more sense than removing it.
Mike Myers

08/06/2020, 6:59 PM
Instead of losing the functionality, maybe windows_security_products could be security_products and expanded.