Environment

• Carbon Black Cloud Linux Sensor:  2.12.X and 2.13.X versions
• Linux:  RHEL 7, Centos 7, Oracle 7
• Run background scan checkbox enabled under Policies>Sensor page for policies with linux sensors

Symptoms

• Sensor in the console show grayed-out/italicized policy, but with recent sensor checkin time
• Sensor will not accept requests from console, such as upgrade, bypass, and Live Response requests
• Sensor fails upgrade and console reports “Sensor unresponsive” in Sensor Update Status

Cause

• Behavior is caused by a product defect:  PSCLNX-10515
• This issue can occur on any 2.12.X or 2.13.X Linux sensor with an assigned policy that has "Run background scan" enabled under Policies>Sensor
• Defect causes a deadlock to occur within the sensor, which prevents the sensor from actioning hints from the backend
• Our Engineering team is still evaluating all situations/conditions when this can occur

Resolution

• A fix for PSCLNX-10515 has been included in the 2.14 Linux sensor release
• Disable "Run background scan" for 2.12 and 2.13 sensors to prevent this behavior
• Individual sensors that have encountered this issue can be addressed by endpoint or sensor restart
• For sensors that have failed to upgrade, the upgrade job in the console needs to be stopped.  A new upgrade job needs to be created after performing a sensor restart.  It can take up to 4 hours for the console to completely stop the upgrade job

Additional Notes

• 2.11 and earlier Linux sensors will not encounter this issue, as they do not support local scanner
• In situations where the deadlock has occurred on the sensor side, but no recent policy change has been made, then visually the sensor won’t indicate this in the console

Related Content