
App Control: Agent Service Crashing After Upgrade or Installation of 8.0.0.2562

Environment

  • App Control (Formerly CB Protection) Agent: 8.0.0.2562
  • Microsoft Windows: All Supported Versions

Symptoms

  • Agent service is terminating, typically during initialization.
  • Multiple service crash events in the Windows event logs.
  • Initialization or synchronization not completing.
  • Console shows multiple "Cb Protection Agent has started" events repeatedly.

Cause

There is an issue with Yara file analysis in this version, which leads to read failures not being caught by our exception handler.

Resolution

Warning: Do not apply the Yara Analysis or Yara Classification configurations on any version except 8.0.0.2562.
  1. Upgrade to 8.0.0.2621 (Patch 7) or higher.
  2. If unable to upgrade, Yara can be disabled (see Additional Notes for side effects):
  3. For a single device:
    1. Log in to the affected device.
    2. Open an admin CMD prompt.
    3. Run the following commands:
      cd c:\program files (x86)\bit9\parity agent
      dascli password <EnterCliPassword>
      dascli setconfigprop use_yara_analysis=0
      dascli setconfigprop use_yara_classification=0
      dascli configprops filter *yara*
      The last command lists the Yara configuration properties so you can confirm both are now set to 0.
  4. For all devices:
    1. Log in to your Cb Protection Web Console.
    2. Navigate to the URL https://SERVERNAME/agent_config.php
    3. Add a new configuration with the following settings:
      • Property Name: Disable Yara Analysis
      • Host ID: 0
      • Value: use_yara_analysis=0
      • Status: Enabled
    4. Save and create a second configuration using the following settings:
      • Property Name: Disable Yara Classification
      • Host ID: 0
      • Value: use_yara_classification=0
      • Status: Enabled
    5. Save the configuration.
    6. If the device is connected and syncing rules, wait for the device to become up to date on its configurations. If the device is disconnected, an uninstall and reinstall of the agent may be required.
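As an added example (not from the article or the vendor), the single-device workaround above wrapped in a PowerShell script that first confirms the device is actually on 8.0.0.2562 and is actually crashing before it changes anything, then verifies the two properties afterwards. Assumptions not stated in the article: the agent build can be read from the file version of dascli.exe, unexpected terminations appear as Service Control Manager event ID 7034 with the agent's name in the message, and `dascli configprops` echoes `name=value` pairs.

```powershell
# Added example; not part of the KB article. Run from an elevated PowerShell prompt.
param(
    [Parameter(Mandatory = $true)][string]$CliPassword,   # the dascli password
    [int]$LookbackHours  = 24,                            # window to count crashes in
    [int]$CrashThreshold = 3                              # act only on repeated crashes
)

$agentDir        = 'C:\Program Files (x86)\Bit9\Parity Agent'   # path from the article
$dascli          = Join-Path $agentDir 'dascli.exe'
$affectedVersion = '8.0.0.2562'                                  # only version the workaround applies to

if (-not (Test-Path $dascli)) { throw "dascli.exe not found in $agentDir" }

# Assumption: the file version of dascli.exe matches the installed agent build.
$version = (Get-Item $dascli).VersionInfo.FileVersion
Write-Host "Agent version: $version"

# Assumption: SCM logs event 7034 ("service terminated unexpectedly") naming the agent service.
$since   = (Get-Date).AddHours(-$LookbackHours)
$crashes = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7034; StartTime = $since } `
                -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match 'Parity|Cb Protection|Bit9' })
Write-Host "Unexpected agent terminations in last $LookbackHours h: $($crashes.Count)"

# The article warns against applying the Yara settings on any other version.
if ($version -ne $affectedVersion) {
    Write-Host "Not $affectedVersion - leaving Yara settings untouched; upgrade path applies instead."
    return
}
if ($crashes.Count -lt $CrashThreshold) {
    Write-Host "Fewer than $CrashThreshold crashes; no change made."
    return
}

# Apply the article's single-device steps, then verify.
Push-Location $agentDir
try {
    & $dascli password $CliPassword | Out-Null
    & $dascli setconfigprop use_yara_analysis=0
    & $dascli setconfigprop use_yara_classification=0
    $props = @(& $dascli configprops filter '*yara*')
    $props | ForEach-Object { Write-Host $_ }
    # Assumption: configprops output contains lines of the form name=value.
    foreach ($name in 'use_yara_analysis', 'use_yara_classification') {
        if (-not ($props -match "$name\s*=\s*0")) {
            Write-Warning "$name does not read 0 in configprops output; check the agent manually."
        }
    }
}
finally { Pop-Location }
```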

Additional Notes

  • Disabling Yara analysis has side effects, as does switching from the pre-Yara file analysis logic back to Yara-enabled file analysis.
    • With Yara analysis disabled, some rules like the "PowerShell executing memory" rule may not work because they rely on Yara classification.
    • Yara is also better at identifying installers.
  • Please see EP-4543 in the following release notes for reference: Cb Protection v8.0.0 - Release Notes

Article Information
Creation Date: 12-14-2018