Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Carbon Black Cloud: Sensor Update Failing Through SCCM

Carbon Black Cloud: Sensor Update Failing Through SCCM

Environment

  • Carbon Black Cloud Sensor: 3.6.x - 3.7.x
  • Microsoft Windows: All Supported Versions

Symptoms

  • SCCM Sensor Update Fails
  • Update via Carbon Black Cloud console succeeds
  • Confer.log shows msiexec being blocked:
    SUCCESS PSCRULES: Process:4704:132973514566025764 (c:\windows\system32\msiexec.exe) sha256:0A8797D088023A7F17BB00B22FF7C91036070CCA561BFF5337C472313C0CB4AD Op:REG_DELETE_VALUE TargetType:REGISTRY (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4CCC8204-5840-426A-81B7-23FF6E597A1B}\EstimatedSize) was:Block by policy:1DED7E47-CE4C-448E-AD01-6F4AC3CE7F5D rule:4DAF85DC-04B3-4058-BD15-9AF21080A286 (Tamper protect CbD uninstall/upgrade registry keys and values)
  • Update log shows:
    Could not delete value Comments from key \Software\Microsoft\Windows\CurrentVersion\Uninstall\{4CCC8204-5840-426A-81B7-23FF6E597A1B}. System error . Verify that you have sufficient access to that key, or contact your support personnel.
  • "c:\program files\confer repcli find msiexec.exe" shows msiexec as unsigned: 
    "Signature Info" - "Not Digitally Signed"

Cause

Sensor is not treating msiexec as signed and therefore tamper protection blocks the uninstall/upgrade.

Resolution

.  Workaround:
  1. Update via the Carbon Black Cloud console
or:
  1. Place sensor into bypass Bypass
  2. Update
  3. Remove sensor out of bypass

After an upgrade to 3.8+ is completed, the sensor will no longer lose track of the signature state and will re-confirm the signature status of msiexec.exe

Additional Notes

This query can help identify what machines may be affected (ran via the investigate page)
device_os:WINDOWS AND process_name:"c:\\windows\\system32\\msiexec.exe" AND process_publisher_state:FILE_SIGNATURE_STATE_NOT_SIGNED

Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎06-07-2022
Views:
230
Contributors