Environment

• EDR (Formerly CB Response) Server: 6.x 
• EDR (Formerly CB Response) Sensor: 5.2.5 and Higher

Symptoms

• If an EDR LiveResponse session goes into a "timeout" state, it cannot be closed.  
• The "session close" command reports that the session is closed, but it never goes away and remains in a timeout state.

Cause

• CB-12852
• CB-20837
• CB-20632

Resolution

1. Stop Live Response service:

# service cb-liveresponse stop

2. Backup the sessions folder

# mv /var/cb/data/live-response/sessions /var/cb/data/live-response/sessions.bak.$(date +%Y-%m-%d)

3. Make a new sessions directory

# mkdir /var/cb/data/live-response/sessions

4. change ownership of the new directory

# chown cb.cb /var/cb/data/live-response/sessions

5. Change permissions of the new directory

# chmod 700 /var/cb/data/live-response/sessions

6. Start Live Response services

# service cb-liveresponse start

1. Remove expired session directories for any directories that are older than a couple of days (i.e. likely expired):

# rm -rf /apps/cb/data/live-response/sessions/<session ID>

2. Navigate to the CB Response UI
3. Click the Go Live tab (global scope) before the sensors check-in
4. Run:

session list

5. Choose some sessions and close them:

session close <ID>

Additional Notes

• If this session close command fails, it might not be possible to remove the expired sessions due to known issue CB-20632. 

Related Content