
CB Defense: How to bypass Local Mirror Server temporarily to resolve August 2019 signature update issues (Windows)

Environment

  • CB Defense PSC Console: All Versions
  • CB Defense Local Mirror Server: Version 2.2 and Lower
    • Microsoft Windows: All Supported Versions
  • CB Defense PSC Sensor: 2.0.x.x and Higher
    • Microsoft Windows: All Supported Versions

Objective

Point Sensors to the CB Signature Update server as an alternative to the solution provided in CB Defense: Local Mirror Update Servers Not Updating Since August 1 (Windows)

Resolution

I. Disable Existing Mirror and Point to Carbon Black

  1. Ensure traffic to the new Signature Update Server URL is allowed through proxies and firewalls without packet inspection (TCP/80 or TCP/443)
    updates2.cdc.carbonblack.io
  2. Disable Mirror Server
    1. Turn off the automated scheduling of do_update.bat (Windows Task Scheduler > Select Task > End and Disable)
    2. Stop IIS Website
      1. Open IIS Manager
      2. Expand Sites
      3. Right-click Site Name > Manage Website > Stop
II. Update all Policies with new Update Server URL
  1. Go to Enforce > Policies > select Policy > Local Scan tab
  2. Set the Update Servers URLs
    http://updates2.cdc.carbonblack.io/update2
  3. Repeat steps 1 and 2 for all necessary policies
III. Update Mirror Server
  1. Download the latest mirror server package for Windows from CB Defense: Local Mirror Server for Signature Updates
  2. Extract the zip file and replace the matching files in the IIS directory with zip file contents
    C:\inetpub\wwwroot\<LocalMirrorFolder>
  3. Turn on the automated scheduling of `do_update.bat` (Windows Task Scheduler > Select Task > Enable and Run)
    If desired, SSL communications between the Local Mirror and CB update servers can be enabled by using `do_update_ssl.bat` instead of `do_update.bat`
  4. Verify that updates occurred in Local Mirror Server directory by inspecting Date modified
    C:\inetpub\wwwroot\<LocalMirrorFolder>\idx\master.idx
  5. Re-enable Local Mirror by starting IIS Website
    1. Open IIS Manager
    2. Expand Sites
    3. Right-click Site Name > Manage Website > Start
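The mirror-side steps of sections I and III (connectivity check, disabling the scheduled refresh and the IIS site, refreshing the mirror and bringing it back only once master.idx has actually changed) can be run from an elevated PowerShell session on the Local Mirror Server. The following is an added example and is not part of the original article or the Carbon Black mirror package; the task name, site name, mirror folder and the assumption that the zip's top level matches the mirror folder layout are placeholders to adjust for your installation.

```powershell
# Added example (not from the original article). Run elevated on the Local Mirror Server.
# All names below are assumptions; change them to match your installation.
$TaskName   = 'CB Defense Mirror Update'      # assumed name of the task that runs do_update.bat
$SiteName   = 'Default Web Site'              # assumed IIS site that hosts the mirror
$MirrorRoot = 'C:\inetpub\wwwroot\cbmirror'   # assumed <LocalMirrorFolder>
$UpdateHost = 'updates2.cdc.carbonblack.io'   # new Signature Update Server (section I step 1)

Import-Module ScheduledTasks
Import-Module WebAdministration

function Test-UpdateServerReachable {
    # Section I step 1: the mirror must reach the new update host on TCP/80 or TCP/443.
    foreach ($port in 80, 443) {
        $r = Test-NetConnection -ComputerName $UpdateHost -Port $port -WarningAction SilentlyContinue
        '{0}:{1} TcpTestSucceeded={2}' -f $UpdateHost, $port, $r.TcpTestSucceeded
    }
}

function Disable-LocalMirror {
    # Section I step 2: stop the scheduled refresh and take the site offline so that
    # sensors stop pulling stale signatures from it while they are repointed.
    Stop-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    Disable-ScheduledTask -TaskName $TaskName | Out-Null
    Stop-Website -Name $SiteName
    "Task '$TaskName' disabled, site '$SiteName' stopped."
}

function Update-MirrorPackage {
    # Section III steps 1-2: unpack the downloaded mirror package over the existing files.
    # Assumes the zip's top-level layout matches $MirrorRoot.
    param([Parameter(Mandatory)][string]$ZipPath)
    $staging = Join-Path $env:TEMP 'cbmirror-package'
    Expand-Archive -Path $ZipPath -DestinationPath $staging -Force
    Copy-Item -Path (Join-Path $staging '*') -Destination $MirrorRoot -Recurse -Force
    Remove-Item $staging -Recurse -Force
}

function Restore-LocalMirror {
    # Section III steps 3-5: re-enable and run the refresh task, confirm master.idx was
    # rewritten, and only then start the IIS site again.
    $idx    = Join-Path $MirrorRoot 'idx\master.idx'
    $before = if (Test-Path $idx) { (Get-Item $idx).LastWriteTime } else { [datetime]::MinValue }

    Enable-ScheduledTask -TaskName $TaskName | Out-Null
    Start-ScheduledTask  -TaskName $TaskName
    Start-Sleep -Seconds 5   # give the task time to transition to Running
    while ((Get-ScheduledTask -TaskName $TaskName).State -eq 'Running') { Start-Sleep -Seconds 10 }

    if (-not (Test-Path $idx)) { throw "$idx does not exist; the update did not run." }
    $after = (Get-Item $idx).LastWriteTime
    if ($after -le $before) {
        throw "master.idx was not refreshed (LastWriteTime $after); leave the mirror offline and check do_update.bat output."
    }
    Start-Website -Name $SiteName
    "Mirror refreshed at $after; site '$SiteName' started."
}

# Usage, in the order the article prescribes:
#   Test-UpdateServerReachable
#   Disable-LocalMirror            # section I (then update policies, section II)
#   Update-MirrorPackage -ZipPath 'C:\Temp\mirror-server-windows.zip'   # section III
#   Restore-LocalMirror
```

The refresh function refuses to start the website unless master.idx has a newer modification time than before the run; this is the same check as section III step 4, but made a hard gate so a silently failing do_update.bat cannot put a stale mirror back in front of the sensors.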

IV. Confirm Signature Update for All Affected Endpoints

  1. Go to the Endpoints page in the PSC Console
  2. Search for the desired Device Name
  3. Expand the Device Details
  4. Check 'Scan Engine' field for VDF version; Example: 
    Scan Engine: 4.11.0.307-ave.8.3.54.68:avpack.8.5.0.12:vdf.8.16.21.0:apc.2.10.0.110
  5. Any VDF Version above vdf.8.16.21.0 reflects an endpoint in an updated state
NOTE: In most cases the endpoint will need to go through a reboot cycle in order to start receiving updates successfully. To expedite the process, the sensor can be upgraded or a new signature pack deployed as described in CB Defense: Signature Pack Version Has Not Updated Since August 1, 2019 (options B and C).
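When many endpoints are affected, reading the Scan Engine field device by device is slow and error-prone. The following is an added example, not part of the original article: it parses Scan Engine strings in the format shown in step 4, extracts the vdf component, and applies the step 5 rule (VDF version greater than vdf.8.16.21.0 means updated). The device names and Scan Engine strings are constructed sample data; substitute the values you collect from the Endpoints page.

```powershell
# Added example (not from the original article). Classifies endpoints as updated or not
# from their 'Scan Engine' string, using the vdf.8.16.21.0 baseline from the article.
$Baseline = [version]'8.16.21.0'   # last VDF version that still reflects a stuck endpoint

function Get-VdfVersion {
    # Scan Engine format: '<engine>-ave.X:avpack.X:vdf.X:apc.X' (colon-separated components).
    param([AllowEmptyString()][string]$ScanEngine)
    $vdf = ($ScanEngine -split ':') | Where-Object { $_ -like 'vdf.*' } | Select-Object -First 1
    if (-not $vdf) { return $null }           # field empty or no vdf component reported
    return [version]$vdf.Substring(4)         # strip the 'vdf.' prefix
}

function Test-EndpointUpdated {
    param([AllowEmptyString()][string]$ScanEngine)
    $v = Get-VdfVersion $ScanEngine
    return ($null -ne $v) -and ($v -gt $Baseline)
}

# Constructed sample data (not real devices). In practice build this list from the
# Device Details of each affected endpoint in the PSC Console.
$Endpoints = @(
    [pscustomobject]@{ Name = 'WS-001'; ScanEngine = '4.11.0.307-ave.8.3.54.68:avpack.8.5.0.12:vdf.8.16.21.0:apc.2.10.0.110' }
    [pscustomobject]@{ Name = 'WS-002'; ScanEngine = '4.11.0.307-ave.8.3.54.68:avpack.8.5.0.12:vdf.8.16.28.14:apc.2.10.0.110' }
    [pscustomobject]@{ Name = 'WS-003'; ScanEngine = '' }   # field not populated yet (e.g. awaiting reboot)
)

$Report = $Endpoints | ForEach-Object {
    [pscustomobject]@{
        Name    = $_.Name
        Vdf     = Get-VdfVersion $_.ScanEngine
        Updated = Test-EndpointUpdated $_.ScanEngine
    }
}
$Report | Format-Table -AutoSize

# Endpoints that must be updated before the policy is pointed back to the local mirror (section V step 2):
$Report | Where-Object { -not $_.Updated } | Select-Object -ExpandProperty Name
```

Casting to [version] rather than comparing strings matters here: a string comparison would rank vdf.8.16.9.0 above vdf.8.16.21.0, which is the opposite of the real order. An empty or missing vdf component is reported as not updated rather than raising an error, so endpoints still awaiting the reboot described in the NOTE show up in the remaining list.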

V. Point Endpoints back to Local Mirror
  1. From previous instructions confirm that local mirror is receiving updates
  2. From previous instructions confirm that all endpoints in the policy report a VDF version greater than vdf.8.16.21.0
  3. Go to Enforce > Policies > select Policy > Local Scan tab
  4. Set the Update Servers URLs to the URL for your local Mirror Server
  5. Verify that signatures continue to update on Sensors: CB Defense: How to verify AV Signatures are updating
  6. If signature updates have not resumed 24 hours after applying the solution, please open a support case

Article Information
Creation Date: 09-09-2020