EDR: Linux sensor health status 'Driver Failure' after upgrading from 6.1.8

Environment

  • EDR (formerly CB Response) Sensor Previous Version: 6.1.8
  • EDR Sensor Upgrade Version: 6.1.9 - 6.1.10
  • EDR Server: All Versions
  • RHEL: All Supported Versions

Symptoms

  • /var/log/messages shows a segfault during the upgrade:
      cbdaemon[1337]: segfault at 0 ip  sp error 4 in libc-2.17.so[]
  • The sensor logs repeat the following messages:
      W driver-manager.cpp:1247] Warning -6 unconnected count: 80 kernel not ready yet
      E driver-manager.cpp:122] CB_DRIVER_REQUEST_APPLY_FILTER failed: -1
  • `lsmod | grep cbsensor` shows the cbsensor module listed with a use count of 0
  • `modprobe` does not show cbsensor loaded
  • No cbsensor.ko exists under /lib/modules/$(uname -r)/kernel/lib
  • install.log shows:
      Stopping kernel module
      ERROR: Removing 'cbsensor': Device or resource busy
      Deleting kernel modules from disk

Cause

The cbsensor kernel module cannot be unloaded during the upgrade, so the upgrade cannot replace it.

Resolution

Reboot the endpoint. The reboot reloads the modules in the correct state.

Additional Notes

  • There are no steps to manually load and unload the sensor without restarting the endpoint once it is hung in this state.
  • This issue happens when another service hooks into the cbsensor module and then unhooks out of order. As a failsafe to prevent kernel panics, the sensor does not fully shut down during the upgrade. This has been observed with other AV services, including Cylance, Tripwire, and McAfee.
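The following triage script is an added example, not part of this article or of the EDR sensor package. It checks an endpoint's logs for the three signatures listed under Symptoms (the cbdaemon segfault, the CB_DRIVER_REQUEST_APPLY_FILTER failure, and the "Device or resource busy" unload error) and for the missing cbsensor.ko, so an operator can confirm the hung-unload state before scheduling the reboot. The log file paths are passed in as arguments because the sensor and install log locations are not given in the article.

```shell
#!/bin/sh
# Triage helper for the EDR Linux 'Driver Failure' state (added example).
# It only confirms the article's signatures; the fix remains a reboot.

# Log signatures, taken from the Symptoms section of the article.
SEGFAULT_SIG='cbdaemon\[[0-9]*\]: segfault at'
FILTER_SIG='CB_DRIVER_REQUEST_APPLY_FILTER failed'
BUSY_SIG="Removing 'cbsensor': Device or resource busy"

# count_matches FILE PATTERN: print how many lines of FILE match PATTERN
# (0 when the file is absent or unreadable). grep -c exits 1 on zero
# matches, so its exit status is deliberately ignored.
count_matches() {
    if [ -r "$1" ]; then
        grep -c -e "$2" -- "$1" || true
    else
        echo 0
    fi
}

# cbsensor_ko_on_disk ROOT KVER: succeed if ROOT/lib/modules/KVER/kernel/lib/cbsensor.ko
# exists. ROOT is "" on the live system (KVER from `uname -r`); the test passes
# a constructed tree instead.
cbsensor_ko_on_disk() {
    [ -f "$1/lib/modules/$2/kernel/lib/cbsensor.ko" ]
}

# driver_failure_state MESSAGES SENSOR_LOG INSTALL_LOG: print the per-signature
# counts and succeed (exit 0) only when all three signatures are present, i.e.
# the endpoint matches the hung-unload state and needs the reboot from Resolution.
driver_failure_state() {
    seg=$(count_matches "$1" "$SEGFAULT_SIG")
    flt=$(count_matches "$2" "$FILTER_SIG")
    busy=$(count_matches "$3" "$BUSY_SIG")
    echo "segfault lines: $seg, APPLY_FILTER failures: $flt, busy-unload errors: $busy"
    [ "$seg" -gt 0 ] && [ "$flt" -gt 0 ] && [ "$busy" -gt 0 ]
}

# Stand-alone use on a live endpoint (SENSOR_LOG and INSTALL_LOG are placeholders
# for your install's sensor log and install.log paths):
#   sh check.sh /var/log/messages SENSOR_LOG INSTALL_LOG
if [ "$#" -eq 3 ]; then
    driver_failure_state "$1" "$2" "$3"
fi
```

An exit status of 0 together with a failed `cbsensor_ko_on_disk "" "$(uname -r)"` check reproduces the full symptom set from this article.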

Article Information
Creation Date: 03-08-2019