Environment
- EDR Server: All Versions
- EDR Sensor: All Versions
Symptoms
When reinstalling a sensor with a new sensor group package, the sensor is still showing in the previous sensor group that it was last installed into.
Cause
This is expected behavior when VDI checks are enabled.
Resolution
Workarounds:
Option 1: Move the sensor entry in the console to the new group prior to reinstall
Option 2: Disable VDI checks
Additional Notes
- This is working as designed, the sensor checks in on a regular basis. At each checkin the sensor will check with the server to see if anything in the group settings has changed. If it has, the sensor will receive the new info. This more effectivey works for sensors that are offline. If an admin changes the sensor group and the endpoint checks in a day later, the expectations of the Admin will be that the sensor will report to that sensor group upon next checkin. Installing via a different group package with VDI enabled works in a similar way, the sensor will be installed with all the settings of the new group, but once it checks in and the server see's a match to the VDI settings, it will then see the group id in the Postgres DB of the sensors last known group and re-assign it.
- Re-installing by group package is not the recommended way to migrate sensors to a new group. If there are many sensors that need to be moved, instead try cbapi to script the move of sensors based on unique info. This example script can be modified to do something like this. https://github.com/carbonblack/cbapi-python/blob/master/examples/response/sensor_group_operations.py
