Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Carbon Black Cloud: Sensor Update Failing Through SCCM

Carbon Black Cloud: Sensor Update Failing Through SCCM

Environment

  • Carbon Black Cloud Sensor:3.6.x - 3.7.0.1253
  • Microsoft Windows: All Supported Versions

Symptoms

  • SCCM Sensor Update Fails
  • Update via Carbon Black Cloud console succeeds
  • Confer.log shows msiexec being blocked:
    SUCCESS PSCRULES: Process:4704:132973514566025764 (c:\windows\system32\msiexec.exe) sha256:0A8797D088023A7F17BB00B22FF7C91036070CCA561BFF5337C472313C0CB4AD Op:REG_DELETE_VALUE TargetType:REGISTRY (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4CCC8204-5840-426A-81B7-23FF6E597A1B}\EstimatedSize) was:Block by policy:1DED7E47-CE4C-448E-AD01-6F4AC3CE7F5D rule:4DAF85DC-04B3-4058-BD15-9AF21080A286 (Tamper protect CbD uninstall/upgrade registry keys and values)
  • Update log shows:
    Could not delete value Comments from key \Software\Microsoft\Windows\CurrentVersion\Uninstall\{4CCC8204-5840-426A-81B7-23FF6E597A1B}. System error . Verify that you have sufficient access to that key, or contact your support personnel.
  • "c:\program files\confer repcli find msiexec.exe" shows msiexec as unsigned: 
    "Signature Info" - "Not Digitally Signed"

Cause

Known issue that was resolved in 3.7.0.1411

Resolution

.  Workaround:
  1. Update via the Carbon Black Cloud console
or:
  1. Place sensor into bypass Bypass
  2. Update
  3. Remove sensor out of bypass

Additional Notes

This issue is resolved when updating from 3.7.0.1411 to any other higher sensor version

Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎06-07-2022
Views:
107
Contributors