
Carbon Black Cloud: Unable to save the Windows Sensor logs on 3.6 and above

Environment

  • Carbon Black Cloud Windows Sensor: 3.6 and Higher
  • Microsoft Windows: All Supported Versions

Symptoms

  • Observe the following error when selecting C:\ProgramData\CarbonBlack:
      You don't currently have permission to access this folder.
      Click Continue to permanently get access to this folder.
  • When Continue is selected, observe a new error:
      You have been denied permission to access this folder.
      To gain access to this folder you will need to use the security tab.
  • If the Security tab is selected and the Advanced button is selected to change the owner, the owner cannot be displayed:
      Name: C:\ProgramData\CarbonBlack
      Owner: Unable to display current owner
  • If Change is selected, observe that System is the owner and cannot be changed:
      Name: C:\ProgramData\CarbonBlack
      Owner: System

Cause

Permission to C:\ProgramData\CarbonBlack is denied, and the owner cannot be changed from System, due to Carbon Black tamper protection.

Resolution

  1. Disable Sensor Tamper Protection and Enforcement by enabling Bypass. There are several ways this can be accomplished. See Carbon Black Cloud: How to Get Started With Bypass Mode.
  2. If Bypass is not available or possible, boot the device into Windows Safe Mode and attempt to manually collect the sensor logs by zipping the following directory: C:\ProgramData\CarbonBlack
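
One way to script the manual collection in step 2, as an added example that is not part of the original article or Carbon Black's own tooling. It assumes an elevated PowerShell session with Bypass enabled or the device booted into Safe Mode; the output folder C:\Temp and the archive name are assumptions.

```powershell
# Added example: zip the sensor log directory named in the article.
# Assumes an elevated prompt, with Bypass enabled or Windows in Safe Mode.
$SensorDir = 'C:\ProgramData\CarbonBlack'   # directory from the article
$OutDir    = 'C:\Temp'                      # assumption: any writable folder
$Stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$Staging   = Join-Path $OutDir "cb-sensor-logs-$Stamp"   # assumed name
$ZipPath   = "$Staging.zip"

# 1. Confirm the directory can be read. While tamper protection is still
#    enforcing, this is where the "permission denied" symptom shows up.
try {
    Get-ChildItem -LiteralPath $SensorDir -Force -ErrorAction Stop | Out-Null
} catch {
    throw "Cannot read $SensorDir ($($_.Exception.Message)). " +
          "Enable Bypass or boot into Safe Mode first."
}

# 2. Copy to a staging folder first. Files the sensor still holds open can
#    fail to copy; record them instead of aborting the whole collection.
New-Item -ItemType Directory -Path $Staging -Force | Out-Null
Copy-Item -Path (Join-Path $SensorDir '*') -Destination $Staging `
          -Recurse -Force -ErrorAction SilentlyContinue -ErrorVariable CopyErrors

if ($CopyErrors) {
    # Keep a list of skipped items inside the archive so the gap is visible.
    $CopyErrors | ForEach-Object { $_.ToString() } |
        Set-Content -Path (Join-Path $Staging 'skipped-files.txt')
    Write-Warning "$($CopyErrors.Count) item(s) could not be copied; see skipped-files.txt"
}

# 3. Zip the staged copy and print a SHA-256 so the archive can be verified
#    after it is uploaded or handed to support.
Compress-Archive -Path (Join-Path $Staging '*') -DestinationPath $ZipPath -ErrorAction Stop
Get-FileHash -Path $ZipPath -Algorithm SHA256 | Format-List Path, Hash

# 4. Remove the uncompressed staging copy; only the zip is kept.
Remove-Item -LiteralPath $Staging -Recurse -Force
```

If Bypass was enabled only for this collection, turn it off again once the archive is saved so tamper protection and enforcement are restored.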

Article Information
Creation Date: 09-01-2020