
Carbon Black Cloud: Sensor upgrade failure due to missing ELAM drivers

Environment

  • Carbon Black Cloud sensor: 3.6.x - 3.7.0.1503
  • Microsoft Windows 10: Redstone 2 (build 15063) and above
  • Microsoft Windows Server 2012 R2: All versions

Symptoms

  • Upgrade from sensor version 3.6.0.1791 to 3.6.0.2076 or 3.7.0.1253 fails
  • The installer log shows that CbElam.sys could not be uninstalled because its .inf file is missing:
    INFO install: RunInf: Uninstall for CbELAM.inf
    ERROR ERROR: install: RunInf: Unable to open inf file C:\Program Files\Confer\CbELAM.inf: last error 2 0x2
  • MSI errors show a failure during uninstall of the CbElam.sys driver service:
    CAUninstallDriverService: Uninstalling driver service : elam
    CAUninstallDriverService: Error 0x80004005: CAUninstallDriverService: Uninstall driver service failed
  • After the upgrade fails, the installer attempts to reinstall the existing version so that it stays intact, but this also fails: ctinet and ctifile install successfully, but CbElam fails (error 2 is ERROR_FILE_NOT_FOUND, the source CbELAM.sys is absent):
    INFO install: InstallAll: InstallDriver
    INFO install: InstallAll: CopyDriver: Copying Driver from CbELAM.sys to C:\WINDOWS\system32\drivers\CbELAM.sys
    ERROR CopyDriver: ERROR: copy CbELAM.sys failed: 2
    ERROR CopyDriver: ERROR: copy CbELAM.sys failed: 2
    ERROR CopyDriver: ERROR: copy CbELAM.sys failed: 2
    ERROR CopyDriver: ERROR: copy CbELAM.sys failed: 2
    ERROR CopyDriver: ERROR: copy CbELAM.sys failed: 2
    ERROR CopyDriver: ERROR: copy CbELAM.sys failed: 2
    ERROR CopyDriver: ERROR: copy CbELAM.sys failed: 2
    ERROR CopyDriver: ERROR: copy CbELAM.sys failed: 2
    ERROR CopyDriver: ERROR: copy CbELAM.sys failed: 2
    ERROR CopyDriver: ERROR: copy CbELAM.sys failed: 2
    ERROR InstallFileDriver: ERROR: copy CbELAM.sys failed
    ERROR install: InstallDriver failed

Cause

  • The sensor was originally installed on a Windows version that does not support ELAM; after a subsequent Windows upgrade to a version that does, the ELAM files were never added
  • The ELAM driver backup file is missing from the C:\Windows\ELAMBKUP directory
  • The ELAM files are entirely missing from all of the following locations:
    • C:\Program Files\Confer\CbELAM.inf
    • c:\windows\elambkup\cbelam.sys
    • c:\program files\confer\cbelam.sys

Resolution

  1. Place the affected device into bypass mode
  2. Copy the missing file(s) from a device that has the same sensor version installed
    • cbELAM.cat, cbELAM.inf, cbELAM.sys in C:\Program Files\Confer
    • cbELAM.sys in c:\windows\system32\drivers
    • cbELAM.sys in C:\Windows\ELAMBKUP
  3. Re-attempt the upgrade
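The following script is an added example, not Carbon Black's own tooling. It checks, on an affected device, which of the CbELAM files named in the Resolution are missing from the three locations, and, only when a reference path is explicitly supplied, copies them from a share exported by a healthy device running the same sensor version. The share path is a placeholder; the build-number threshold and file layout are taken from this article. Run it from an elevated prompt after the device is in bypass mode.

```powershell
<#
  Added example (not Carbon Black code): report missing CbELAM files and
  optionally restore them from a reference device with the same sensor version.
  -ReferenceRoot is a placeholder; pass the admin share of the healthy device,
  e.g. \\REFERENCE-HOST\c$, laid out exactly as on that device.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ReferenceRoot = '\\REFERENCE-HOST\c$'   # placeholder, replace before use
)

$confer  = Join-Path $env:ProgramFiles 'Confer'
$drivers = Join-Path $env:SystemRoot 'System32\drivers'
$elamBkp = Join-Path $env:SystemRoot 'ELAMBKUP'

# File set from Resolution step 2 (Confer folder, drivers folder, ELAM backup).
$required = @(
    (Join-Path $confer  'CbELAM.cat'),
    (Join-Path $confer  'CbELAM.inf'),
    (Join-Path $confer  'CbELAM.sys'),
    (Join-Path $drivers 'CbELAM.sys'),
    (Join-Path $elamBkp 'CbELAM.sys')
)

# Windows 10 build 15063 (Redstone 2) is the lowest affected build in this article;
# below it the sensor is not expected to ship ELAM at all.
$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
if ($build -lt 15063) {
    Write-Host "Build $($build) is below 15063; ELAM files are not expected on this device."
    return
}

$missing = @($required | Where-Object { -not (Test-Path -LiteralPath $_) })
if ($missing.Count -eq 0) {
    Write-Host 'All CbELAM files are present; re-attempt the upgrade.'
    return
}

Write-Warning "Missing CbELAM files on build $($build):"
$missing | ForEach-Object { Write-Warning "  $_" }

# Report-only unless the caller explicitly named a reference device.
if (-not $PSBoundParameters.ContainsKey('ReferenceRoot')) { return }

foreach ($dest in $missing) {
    # Same relative path on the reference device: C:\Windows\... -> \\host\c$\Windows\...
    $relative = $dest -replace '^[A-Za-z]:\\', ''
    $src = Join-Path $ReferenceRoot $relative
    if (-not (Test-Path -LiteralPath $src)) {
        Write-Warning "Reference copy not found: $src"
        continue
    }
    # A kernel driver must carry a valid Authenticode signature; refuse anything else.
    if ($dest -like '*.sys') {
        $sig = Get-AuthenticodeSignature -FilePath $src
        if ($sig.Status -ne 'Valid') {
            Write-Warning "Skipping $src, signature status is $($sig.Status)"
            continue
        }
    }
    if ($PSCmdlet.ShouldProcess($dest, "Copy from $src")) {
        New-Item -ItemType Directory -Path (Split-Path -Parent $dest) -Force | Out-Null
        Copy-Item -LiteralPath $src -Destination $dest -Force
        Write-Host "Restored $dest"
    }
}
```

Run it with no arguments for a report only; add `-ReferenceRoot \\host\c$ -WhatIf` to preview the copies and drop `-WhatIf` to perform them. The signature check covers only the .sys files; the .cat and .inf are validated by Windows when the driver is installed.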

Additional Notes

  • This issue is fixed in 3.7.0.1503. Upgrades coming from 3.7.0.1503 or later should no longer run into it. Upgrades from an older version to a newer one (e.g. 3.7.0.1411 > 3.8.0.722) can still run into it.
  • Audit and Remediation customers can run this query to identify devices with this issue:
    -- Windows devices at build 15063 (Redstone 2) or later whose CbELAM driver is absent from the drivers folder
    WITH isCbElamMissing AS (
        SELECT os.platform, os.build, si.computer_name
        FROM os_version AS os, system_info AS si
        WHERE (os.platform LIKE 'windows')
          AND (CAST(os.build AS INTEGER) >= 15063)
          -- zero rows from the file table means the driver is not on disk
          AND ((SELECT COUNT(*) FROM file WHERE path LIKE '\windows\system32\drivers\cbelam.sys') = 0)
    )
    SELECT * FROM isCbElamMissing;

Creation Date: 10-17-2022