Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Cb Defense: How to show Sensors are being Deregistered by a GPO

Cb Defense: How to show Sensors are being Deregistered by a GPO

Environment

  • Cb Defense: All versions
  • Microsoft Windows: All supported versions
  • Sensors Deregistered in Web Console without user intervention

Objective

Determine if GPO settings have caused Sensor Deregistration.

Resolution

  1. Gather date / time for Sensor Deregistration from Console.
  2. Gather Windows Event Logs from Device.
  3. Open Application Event Log.
  4. Check near time for Deregistration for events from Source Name "Application Management Group Policy".
  5. Description for these events may show "The assignment of application <Application Name> from policy <Policy Name> failed."
  6. If they show this value, a GPO policy is in place that is not properly configured. This causes the Sensor to begin a Sensor Upgrade that begins by uninstalling the Sensor which sends the Deregistration message to the Console. If the Upgrade fails the install portion the Device will have no active Sensor until action is taken.

Additional Notes

This issue can be resolved by removing the Device from the GPO membership or by correcting the GPO configuration so it functions correctly for upgrades / installs.

Related Content

Cb Defense: Considerations for unattended installation of the sensor via GPO &amp; AD

Cb Defense: How to Deploy Windows Sensors using GPO

Cb Defense: Sensor Uninstalled After Attempted Upgrade (GPO)

Labels (1)
Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎08-27-2018
Views:
731
Contributors