
EDR: How to reset Live Response

Environment

  • EDR Server: All Versions
    • Live Response

Objective

Reset Live Response to resolve usability issues

Resolution

  1. Stop Live Response
    • 7.4 and Above: /usr/share/cb/cbservice cb-liveresponse stop
    • 7.3 and Below: service cb-liveresponse stop
  2. mv /var/cb/data/live-response/sessions /var/cb/data/live-response/sessions.bak.$(date +%Y-%m-%d)
  3. mkdir /var/cb/data/live-response/sessions
  4. chown cb.cb /var/cb/data/live-response/sessions
  5. chmod 700 /var/cb/data/live-response/sessions
  6. Start Live Response
    • 7.4 and Above: /usr/share/cb/cbservice cb-liveresponse start
    • 7.3 and Below: service cb-liveresponse start
  • These steps can be run as a single line, if running as a sudo user:
    • 7.4 and Above:
/usr/share/cb/cbservice cb-liveresponse stop && mv /var/cb/data/live-response/sessions /var/cb/data/live-response/sessions.bak.$(date +%Y-%m-%d) && mkdir /var/cb/data/live-response/sessions && chown cb.cb /var/cb/data/live-response/sessions && chmod 700 /var/cb/data/live-response/sessions && /usr/share/cb/cbservice cb-liveresponse start
    • 7.3 and Below:
service cb-liveresponse stop && mv /var/cb/data/live-response/sessions /var/cb/data/live-response/sessions.bak.$(date +%Y-%m-%d) && mkdir /var/cb/data/live-response/sessions && chown cb.cb /var/cb/data/live-response/sessions && chmod 700 /var/cb/data/live-response/sessions && service cb-liveresponse start
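
The same procedure as a script, added here as an example (not vendor-supplied code). It handles the case where a second run on the same day would move sessions inside the existing sessions.bak.<date> directory, and it restarts Live Response even if a step fails. The function names, the LR_BASE and LR_OWNER overrides, and choosing the service command by the presence of /usr/share/cb/cbservice are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Paths and service commands come from the
# article; function names and the LR_BASE / LR_OWNER overrides are hypothetical.
LR_BASE="${LR_BASE:-/var/cb/data/live-response}"
LR_OWNER="${LR_OWNER:-cb:cb}"   # the article's cb.cb, written in colon form

# Assumption: the 7.4+ wrapper exists at this path only on 7.4 and above.
lr_service() {
    if [ -x /usr/share/cb/cbservice ]; then
        /usr/share/cb/cbservice cb-liveresponse "$1"
    else
        service cb-liveresponse "$1"
    fi
}

# A plain mv onto an existing sessions.bak.<date> would nest the live
# directory inside the old backup, so pick a name that is not taken yet.
lr_backup_name() {
    name="$1/sessions.bak.$(date +%Y-%m-%d)"
    candidate="$name"
    n=1
    while [ -e "$candidate" ]; do
        candidate="$name.$n"
        n=$((n + 1))
    done
    printf '%s\n' "$candidate"
}

# Steps 2-5 of the article; prints the backup path on success.
lr_reset_sessions() {
    base="$1"; owner="$2"
    [ -d "$base/sessions" ] || { echo "no sessions dir under $base" >&2; return 1; }
    backup=$(lr_backup_name "$base") || return 1
    mv "$base/sessions" "$backup" || return 1
    # Create with umask 077 so the directory is never briefly readable by others.
    (umask 077 && mkdir "$base/sessions") || return 1
    chown "$owner" "$base/sessions" || return 1
    chmod 700 "$base/sessions" || return 1
    printf '%s\n' "$backup"
}

# Steps 1-6: stop, reset, and start again even when the reset failed.
lr_reset() {
    lr_service stop || return 1
    lr_reset_sessions "$LR_BASE" "$LR_OWNER"; rc=$?
    lr_service start || return 1
    return "$rc"
}

if [ "${1:-}" = "run" ]; then lr_reset; fi   # sh lr-reset.sh run
```

Run it as root or through sudo with the argument run; the printed path is the backup directory to remove once performance is confirmed.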


 

Additional Notes

Once performance is confirmed, the sessions.bak.<date> backup directory can be deleted.

Creation Date: 11-07-2021