Environment
- EDR (formerly CB Response) Sensor Previous Version: 6.1.8
- EDR Sensor Upgrade Version: 6.1.9 - 6.1.10
- EDR Server: All Versions
- RHEL: All Supported Versions
Symptoms
- /var/log/messages shows a segfault during upgrade:
    cbdaemon[1337]: segfault at 0 ip sp error 4 in libc-2.17.so[]
- Sensor logs repeat the following messages:
    W driver-manager.cpp:1247] Warning -6 unconnected count: 80 kernel not ready yet
    E driver-manager.cpp:122] CB_DRIVER_REQUEST_APPLY_FILTER failed: -1
- `lsmod | grep cbsensor` shows the cbsensor module listed with a status of 0
- `modprobe` does not show cbsensor loaded
- No cbsensor.ko exists under /lib/modules/$(uname -r)/kernel/lib
- install.log shows:
    Stopping kernel module
    ERROR: Removing 'cbsensor': Device or resource busy
    Deleting kernel modules from disk
Cause
The sensor module cannot unload.
Resolution
Reboot the endpoint to reload the modules in the correct state.
Additional Notes
- There are no steps to manually load and unload the sensor without restarting the endpoint when hung in this state
- This issue happens when another service hooks into the cbsensor module and then unhooks out of order. As a failsafe to prevent kernel panics, the sensor does not fully shut down during upgrade. This has been observed with other AV services including Cylance, TripWire, and McAfee.
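The symptoms listed above can be checked together before scheduling the reboot. The script below is an added example, not vendor tooling: the function names are hypothetical, and the sensor log and install.log locations are passed as arguments because this article does not give their paths.

```shell
#!/bin/sh
# Added example. All function names are hypothetical; file locations are
# arguments so the checks also work on collected copies of the logs.

# syslog (e.g. /var/log/messages) has a cbdaemon segfault line
has_daemon_segfault() { grep -Eq 'cbdaemon\[[0-9]+\]: segfault' "$1"; }

# install.log recorded the failed module removal
has_busy_unload() { grep -Fq "Removing 'cbsensor': Device or resource busy" "$1"; }

# prints how many times the sensor log repeats the driver warning
count_kernel_not_ready() { grep -c 'kernel not ready yet' "$1" 2>/dev/null || true; }

# saved `lsmod` output lists a cbsensor module with a "Used by" count of 0
module_listed_unused() {
    awk '$1 ~ /^cbsensor/ && $3 == 0 { found = 1 } END { exit !found }' "$1"
}

# no cbsensor*.ko file is left in the module directory
module_file_missing() {
    [ -z "$(find "$1" -maxdepth 1 -name 'cbsensor*.ko' 2>/dev/null)" ]
}

# args: syslog sensor_log install_log lsmod_file module_dir
# Returns 0 when the hung state is indicated: the unload failed, the module is
# still listed by lsmod, and its .ko has been deleted from disk.
check_hung_upgrade() {
    if has_daemon_segfault "$1"; then echo "syslog: cbdaemon segfault"; fi
    n=$(count_kernel_not_ready "$2"); n=${n:-0}
    if [ "$n" -gt 0 ]; then echo "sensor log: 'kernel not ready yet' x$n"; fi
    if has_busy_unload "$3" && module_listed_unused "$4" && module_file_missing "$5"
    then
        echo "RESULT: cbsensor failed to unload; reboot required"
        return 0
    fi
    echo "RESULT: hung-unload state not indicated"
    return 1
}

# Usage on the endpoint (SENSOR_LOG and INSTALL_LOG are placeholders):
#   lsmod > /tmp/lsmod.txt
#   check_hung_upgrade /var/log/messages SENSOR_LOG INSTALL_LOG \
#       /tmp/lsmod.txt "/lib/modules/$(uname -r)/kernel/lib"
```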