Environment
- EDR (Formerly CB Response) Server: 6.x
- EDR (Formerly CB Response) Sensor: 5.2.5 and Higher
Symptoms
- If an EDR LiveResponse session goes into a "timeout" state, it cannot be closed.
- The "session close" command reports that the session is closed, but it never goes away and remains in a timeout state.
Cause
These symptoms are related to several known issues, tracked as:
These issues will be addressed in a future release.
Resolution
- Stop Live Response service:
# service cb-liveresponse stop
- Back up the sessions folder:
# mv /var/cb/data/live-response/sessions /var/cb/data/live-response/sessions.bak.$(date +%Y-%m-%d)
- Make a new sessions directory:
# mkdir /var/cb/data/live-response/sessions
- Change ownership of the new directory:
# chown cb.cb /var/cb/data/live-response/sessions
- Change permissions of the new directory:
# chmod 700 /var/cb/data/live-response/sessions
- Start Live Response services:
# service cb-liveresponse start
Optional steps:
- Remove any session directories that are older than a couple of days (i.e. likely expired):
# rm -rf /apps/cb/data/live-response/sessions/<session ID>
- Navigate to the CB Response UI
- Click the Go Live tab (global scope) before the sensors check in
- Run:
session list
- Choose some sessions and close them:
session close <ID>
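For the optional cleanup step, the following added example (not part of the original article or the product) lists session directories older than a given number of days and removes them only when asked, so the candidates can be reviewed first. The function names, the 2-day default, and the use of directory modification time as the age signal are assumptions; pass the sessions path used on your server as the first argument.

```shell
# Added example. Usage (as root, with cb-liveresponse stopped):
#   purge_stale_sessions <sessions dir> [days] [--delete]
# Without --delete nothing is removed; candidates are only printed.

# Print direct child directories of $1 whose mtime is more than $2 days old.
stale_sessions() {
    ss_root=$1
    ss_days=${2:-2}            # assumption: "a couple of days" = 2
    if [ ! -d "$ss_root" ]; then
        echo "not a directory: $ss_root" >&2
        return 1
    fi
    case $ss_days in
        ''|*[!0-9]*) echo "age must be a whole number of days" >&2; return 1 ;;
    esac
    # -mindepth/-maxdepth 1: only the per-session directories themselves,
    # never the sessions root and never files nested deeper.
    find "$ss_root" -mindepth 1 -maxdepth 1 -type d -mtime +"$ss_days" -print | sort
}

# Dry run by default; the third argument must be exactly --delete to remove.
purge_stale_sessions() {
    ps_mode=${3:-dry-run}
    ps_list=$(stale_sessions "$1" "${2:-2}") || return 1
    [ -n "$ps_list" ] || return 0
    printf '%s\n' "$ps_list" | while IFS= read -r ps_dir; do
        if [ "$ps_mode" = "--delete" ]; then
            rm -rf -- "$ps_dir" && echo "removed $ps_dir"
        else
            echo "would remove $ps_dir"
        fi
    done
}
```

Run it once without `--delete` and compare the printed directories against `session list` before removing anything.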
Additional Notes
- If this session close command fails, it might not be possible to remove the expired sessions due to known issue CB-20632.