
EDR: Duplicate Sensors Due to a Misconfigured VDI

Environment

  • EDR Server: All Supported Versions
  • EDR Sensor: All Supported Versions

Symptoms

Sensor hosts appear multiple times in the UI and sensor_registration table.

Cause

  • Missing configuration for enabling VDI behavior.
  • Sensor was deployed to new systems after it had already registered with the EDR Server on the original image.

Resolution

1.  Enable VDI in /etc/cb/cb.conf. The preferred method is the new global method (available in 7.6.x and later).

a) Global method. To let the administrator modify the VDI settings globally via the Console, add this line to /etc/cb/cb.conf:

VDIAPIEnabled=True

b) Original method. The original cb.conf VDI variables were added to the EDR server(s) in /etc/cb/cb.conf. These are no longer needed if step a (above) is enabled. (Warning: these lines must match exactly, with no extra spaces or special characters and with the correct case. Make a backup of cb.conf before making changes. If it is a cluster, check all the nodes.)

NewRegistrationCallbackModulePath=/usr/share/cb/plugins/default_new_sensor_registration_callback.py
NewRegistrationCallbackClassName=DefaultNewRegistrationCallback

This uses the default plug-in, which correlates new registrations to existing Sensor IDs based on the client hostname and DNS name. The default plug-in is located at /usr/share/cb/plugins/default_new_sensor_registration_callback.py.

2.  Restart Services for changes to take effect: 
Standalone Server:
sudo service cb-enterprise restart

Cluster:
/usr/share/cb/cbcluster stop
/usr/share/cb/cbcluster start

Note:  If the master image or template has a sensorID other than 0, fix the image following the instructions in “Setting up Global VDI Support on Windows” or “Setting up Global VDI Support on OSX” found under Appendix I in the 5.X User Guide or Chapter 6 in the 6.x Integration Guide.
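As an added example (not part of the original article), a small POSIX shell helper that checks a cb.conf-style file for the exact VDI lines from step 1, reports near-misses such as stray spaces or wrong case, and takes a backup before editing. The sample files it creates are constructed for the demonstration; the live file is /etc/cb/cb.conf, and on a cluster the check is run on every node.

```shell
#!/bin/sh
# Added example, not from the original article: check whether a cb.conf-style
# file carries the VDI settings exactly as written in the article (the server
# only honours an exact line: no stray spaces, correct case, no '#' prefix).
# The sample files below are constructed here; the live file is /etc/cb/cb.conf.

# check_vdi_conf FILE: prints "global" (VDIAPIEnabled=True), "legacy"
# (both NewRegistrationCallback lines) or "missing"; returns 1 for missing.
check_vdi_conf() {
    conf="$1"
    # -x matches the whole line, -F takes the pattern literally, so
    # "VDIAPIEnabled = True" or "vdiapienabled=true" do not count.
    if grep -qxF 'VDIAPIEnabled=True' "$conf"; then
        echo global; return 0
    fi
    if grep -qxF 'NewRegistrationCallbackModulePath=/usr/share/cb/plugins/default_new_sensor_registration_callback.py' "$conf" &&
       grep -qxF 'NewRegistrationCallbackClassName=DefaultNewRegistrationCallback' "$conf"; then
        echo legacy; return 0
    fi
    # Show near-misses (wrong case, extra spaces, commented out) on stderr
    # so the operator can see why the setting is not being honoured.
    grep -niE '^[[:space:]#]*(VDIAPIEnabled|NewRegistrationCallback)' "$conf" | sed 's/^/near-miss: /' >&2 || true
    echo missing; return 1
}

# backup_conf FILE: timestamped copy beside the file, as the article advises before editing.
backup_conf() {
    cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
}

# Demonstration on constructed files: the 7.6.x+ global setting, the legacy
# callback pair, and a broken copy with a stray space and wrong case.
demo_dir=$(mktemp -d)
printf 'VDIAPIEnabled=True\n' > "$demo_dir/global.conf"
printf 'NewRegistrationCallbackModulePath=/usr/share/cb/plugins/default_new_sensor_registration_callback.py\nNewRegistrationCallbackClassName=DefaultNewRegistrationCallback\n' > "$demo_dir/legacy.conf"
printf 'VDIAPIEnabled = true\n' > "$demo_dir/broken.conf"
for f in global legacy broken; do
    printf '%s.conf: %s\n' "$f" "$(check_vdi_conf "$demo_dir/$f.conf")"
done
```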

Additional Notes

  • If using a master image to deploy sensors, VDI will help prevent duplicates. With VDI enabled, duplicates are recognized based on hostname and DNS name, which are correlated to an existing Sensor ID. This can be customized to also recognize attributes such as IP or MAC addresses.

Article Information
Creation Date: 09-09-2020