Carbon Black Cloud: Unable to put Linux Sensors into Bypass via Console

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: 2.7.0.x and Higher
    • Endpoint Standard (was CB Defense)
    • Enterprise EDR (was CB ThreatHunter)
  • Linux: All Supported Versions (with noted support for the above two products)

Symptoms

  • Attempts to enable Bypass mode fail
  • No Observation Event or Process data shown on Investigate page
  • Only Live Response function works
  • No /var/opt/carbonblack/psc/blades directory exists on endpoint OR /var/opt/carbonblack/psc/blades only has /40E797FD-4322-4D33-8E8C-EF697F4C2323 subfolder (only Audit & Remediation is installed)
  • No /var/opt/carbonblack/psc/log/cbagentd-install.log exists on endpoint OR contains message ending with "agent will not run"
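The two filesystem symptoms above can be checked on an endpoint with a short script. This is an added example, not vendor code: the paths and the blade GUID are the ones listed above, while the function name check_cbc_blades and its optional root-prefix argument are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code). Paths and the blade GUID come from the
# Symptoms list; check_cbc_blades and its root-prefix argument are hypothetical.
AR_BLADE="40E797FD-4322-4D33-8E8C-EF697F4C2323"   # Audit & Remediation blade

# Usage: check_cbc_blades [ROOT]
#   ROOT is an optional prefix (e.g. a mounted disk image); empty = live host.
# Returns 0 when neither symptom is present, 1 otherwise.
check_cbc_blades() {
    root="${1:-}"
    blades="$root/var/opt/carbonblack/psc/blades"
    log="$root/var/opt/carbonblack/psc/log/cbagentd-install.log"
    status=0

    if [ ! -d "$blades" ]; then
        echo "SYMPTOM: $blades does not exist"
        status=1
    else
        # Count blade subfolders other than Audit & Remediation.
        others=0
        for d in "$blades"/*/; do
            [ -d "$d" ] || continue            # glob matched nothing
            [ "$(basename "$d")" = "$AR_BLADE" ] || others=$((others + 1))
        done
        if [ "$others" -eq 0 ]; then
            echo "SYMPTOM: no blade other than Audit & Remediation in $blades"
            status=1
        fi
    fi

    if [ ! -f "$log" ]; then
        echo "SYMPTOM: $log does not exist"
        status=1
    elif grep -q "agent will not run" "$log"; then
        # Substring match; the article only says the message ends with this text.
        echo "SYMPTOM: $log reports 'agent will not run'"
        status=1
    fi

    if [ "$status" -eq 0 ]; then
        echo "OK: neither symptom present"
    fi
    return "$status"
}
```

A non-zero return means at least one symptom matched and the Resolution below applies.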

Cause

Only the dpkg or rpm package was installed, either manually or via a software provisioning tool ("dpkg -i", "rpm -i"), without installing the blades that provide the remaining functionality.

Resolution

Follow the instructions in the Sensor Installation Guide to run either install.sh or bladesUnpack.sh, which finishes installing the blades and enables all Sensor functionality.

Additional Notes

  • When only the dpkg or rpm install occurs, the Sensor has only Live Response functionality
  • The Sensor Installation Guide makes it clear that install.sh or bladesUnpack.sh MUST be run after the initial dpkg/rpm install

Article Information
Creation Date: 09-01-2020