Environment
- App Control (Formerly CB Protection) Agent: 8.0.0.2562
- Microsoft Windows: All Supported Versions
Symptoms
- Agent service is terminating, typically during initialization.
- Multiple service crash events in windows event logs.
- Initialization or synchronization not completing.
- Console shows multiple "Cb Protection Agent has started" events repeatedly.
Cause
There is an issue with Yara file analysis in this version that causes read failures which are not caught by the agent's exception handler, so the agent service terminates instead of recovering.
Resolution
Warning: Do not apply the Yara Analysis or Yara Classification configurations on any version except 8.0.0.2562.
- Upgrade to 8.0.0.2621 (Patch 7) or higher.
- If unable to upgrade, Yara can be disabled (see additional notes for side effects):
- For a single device:
- Log in to the affected device.
- Open an administrative CMD prompt.
- Run the following commands (the last one lists the Yara properties so you can confirm both are now set to 0):
cd c:\program files (x86)\bit9\parity agent
dascli password <EnterCliPassword>
dascli setconfigprop use_yara_analysis=0
dascli setconfigprop use_yara_classification=0
dascli configprops filter *yara*
- For All devices:
- Log in to your Cb Protection Web Console.
- Navigate to the URL https://SERVERNAME/agent_config.php
- Add a new configuration with the following settings:
- Property Name: Disable Yara Analysis
- Host ID: 0
- Value: use_yara_analysis=0
- Status: Enabled
- Save and create a second configuration using the following settings:
- Property Name: Disable Yara Classification
- Host ID: 0
- Value: use_yara_classification=0
- Status: Enabled
- Save the configuration.
- If the device is connected and syncing rules, wait for the device to become up to date on its configurations. If the device is disconnected, an uninstall and reinstall of the agent may be required.
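The single-device steps above, wrapped in a PowerShell script as an added example (this is not part of the KB or the product's own tooling). It runs the same dascli commands the article lists, but first checks the installed agent version against 8.0.0.2562, since the warning above says the workaround must not be applied to any other build, and afterwards reads the Yara properties back to confirm both are 0. Assumptions: the agent binary is named Parity.exe in the agent folder, and the output of `dascli configprops` contains the property names followed by `=` and the value; the CLI password is prompted for rather than hard-coded.

```powershell
# Added example, not from the KB: disable Yara analysis/classification on one device,
# guarded by an agent version check and followed by a read-back verification.

$AgentDir  = 'C:\Program Files (x86)\Bit9\Parity Agent'
$TargetVer = '8.0.0.2562'   # the only build the article says this workaround applies to

# Version guard: refuse to run on any other agent build.
$exe = Join-Path $AgentDir 'Parity.exe'   # assumed binary name
if (-not (Test-Path $exe)) { throw "Agent binary not found at $exe" }
$installed = (Get-Item $exe).VersionInfo.FileVersion
if ($installed -ne $TargetVer) {
    throw "Installed agent is $installed, not $TargetVer; do not apply this workaround."
}

# Prompt for the CLI password instead of embedding it in the script.
$secure = Read-Host -Prompt 'dascli password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try   { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

Push-Location $AgentDir
try {
    & .\dascli.exe password $plain | Out-Null
    & .\dascli.exe setconfigprop use_yara_analysis=0
    & .\dascli.exe setconfigprop use_yara_classification=0

    # Read the properties back and verify both now carry the value 0.
    # Assumption: the listing shows each property as name=value (whitespace tolerated).
    $listing = (& .\dascli.exe configprops filter '*yara*') -join "`n"
    foreach ($prop in 'use_yara_analysis', 'use_yara_classification') {
        if ($listing -notmatch "$prop\s*=\s*0") {
            throw "$prop is not 0 after setconfigprop; check the dascli output:`n$listing"
        }
    }
    Write-Host "Yara analysis and classification disabled on $env:COMPUTERNAME (agent $installed)."
}
finally {
    Pop-Location
    $plain = $null
}
```

Run it from an elevated PowerShell session on the device. The version guard is the important part: on a patched agent (8.0.0.2621 or higher) the script stops before touching any configuration, which is the behaviour the warning in this article asks for.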
Additional Notes
- Disabling Yara analysis has side effects, as does later switching from the pre-Yara file analysis logic back to Yara-enabled file analysis.
- With Yara analysis disabled, some rules like the "PowerShell executing memory" rule may not work because they rely on Yara classification.
- Yara is also better at identifying installers.
- Please see EP-4543 in the following release notes for reference: Cb Protection v8.0.0 - Release Notes