Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Carbon Black Cloud: Linux sensors showing "grayed out policy" with current check-in time, and will not upgrade or go into bypass from console

Carbon Black Cloud: Linux sensors showing "grayed out policy" with current check-in time, and will not upgrade or go into bypass from console

Environment

  • Carbon Black Cloud Linux Sensor:  2.12.X and 2.13.X versions
  • Linux:  All supported versions
  • Run background scan checkbox enabled under Policies>Sensor page for policies with linux sensors

Symptoms

  • Sensor in the console show grayed-out/italicized policy, but with recent sensor checkin time
  • Sensor will not accept requests from console, such as upgrade, bypass, and Live Response requests.

Cause

  • Behavior is caused by a product defect:  PSCLNX-10515
  • This issue can occur on any 2.12.X or 2.13.X Linux sensor with an assigned policy that has "Run background scan" enabled under Policies>Sensor
  • Defect causes a deadlock to occur within the sensor, which prevents the sensor from actioning hints from the backend
  • Our Engineering team is still evaluating all situations/conditions when this can occur.  

 

Resolution

  1. A fix for PSCLNX-10515 will be included in the future 2.14 Linux sensor release.
  2. Disable "Run background scan" for 2.12 and 2.13 sensors to prevent this behavior
  3. Individual sensors that have encountered this issue can be addressed by endpoint or sensor restart

Additional Notes

  • 2.11 and earlier Linux sensors will not encounter this issue, as they do not support local scanner.
  • In situations where the deadlock has occurred on the sensor side, but no recent policy change has been made, then visually the sensor won’t indicate this in the console.

Related Content


Was this article helpful? Yes No
100% helpful (1/1)
Article Information
Author:
Creation Date:
‎10-19-2022
Views:
231
Contributors