Environment
- Cb Response: Windows Sensor 5.x, 6.x
- Cb Protection: Windows Agent 8.x
- Microsoft Windows
Symptoms
- A sensor upgrade takes place, after which the sensor disconnects.
- The device shows as connected in Cb Protection, but not in Cb Response.
- Devices reconnect when the Cb Response Tamper Protection Rapid Config is disabled.
- The version of the Rapid Config is 26 or lower (add the version column in the Rapid Config tab to check).
Cause
The cause of this issue is an out-of-date Rapid Config rule on the agent. The old version of the Rapid Config did not include the binaries and changes that the new sensors use, so the upgrade is denied. An updated version of this Rapid Config is pushed automatically through the Cb Collective Defense Cloud (CDC) connection, but if that connection is disabled or disconnected, the agent may still have the old rule.
Resolution
Two resolutions exist: update the rule automatically, or update it manually.
Automatic Update
- In the Cb Protection console, navigate to Administration (gear icon in the top right corner) > System Configuration and select the Licensing tab.
- Check whether the Cb Collective Defense Cloud is enabled. If it is not, enable it and read through all the options, as some of them share data with Carbon Black.
- If it is already enabled, click the Options button and make sure the option "Enable Automatic Update of Updaters, Advanced Threat Indicators, Rapid Configs and Content Analysis Rules" is enabled.
Manual Upgrade
- Navigate to the following download location: https://sflinks.carbonblack.com/zoHESD-k2cM/
- Download the PDF for full directions, along with the update file CbResponseTamperProtectionRapidConfig.b9u.
Related Content
Sensor Upgrade Disconnects when Cb Protection 7.x Agent is Installed: Cb Response: Sensor Upgrade Disconnects when Cb Protection 7.x Agent Installed