
EDR: Tamper Protection Password History is Currently Removed when the Group is Deleted

Environment

  • EDR Server: 7.7.x
  • EDR Windows Sensor: 7.3.x

Symptoms

The sensor cannot be manually uninstalled with uninst.exe because the Tamper Protection passwords were deleted when the associated Sensor Group was deleted.

Cause

When a Sensor Group is deleted, the entries for that group are also removed from the Postgres Tamper_Protection_History table. If a sensor is identified with a problem after the group is deleted, the only recourse is to reboot into Safe Mode.

Resolution

Until EDR is modified to maintain the deleted group's Tamper Protection history, physical access is required to uninstall a sensor in Tamper Protection mode.

1. Disable Microsoft Protection API via Safe Mode.
   a. From the login page, hold down the Shift key and select Power > Restart. Keep holding down the Shift key past the reboot until a screen with options appears.
   b. Select the "Troubleshoot" block.
   c. Select the "Advanced Options" block.
   d. Select the "Startup Settings" block.
   e. Read the options carefully as they may have changed. Select the option similar to "Disable early launch anti-malware protection". It was option 8 as of this writing.
2. The system reboots and tamper protection should be removed.
3. Uninstall the Carbon Black sensor:
   C:\Windows\CarbonBlack\uninst.exe


Additional Notes

  • The methods to access an EDR sensor with Tamper Protection enabled are 1) the EDR console, 2) CbEDRCLI.exe, or 3) Safe Mode.
  • Prior to obtaining physical access to reboot into Safe Mode, consider:
    a) Reboot the failed sensor. Sometimes after an upgrade the sensor needs a reboot to reset the drivers. This may restore communication with the EDR server.
    b) Move the sensor temporarily to a new group with Tamper Protection off. It is possible that after a reboot the sensor will check in, report a problem, and obtain the new configuration.
    c) If the group was deleted, the sensor may have moved to the Default group. Either attempt to access the sensor using CbEDRCLI and the Default group Tamper Protection password, or check the sensor's registry to determine the last group recorded (HKLM\SOFTWARE\CarbonBlack\Config\ConfigName).
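As an added pre-flight check that is not part of the original article, the following PowerShell gathers the facts the notes above point to (the last recorded group name under HKLM\SOFTWARE\CarbonBlack\Config\ConfigName, whether uninst.exe is present, and whether the machine is currently in a Safe Mode boot) so an administrator can decide whether the remote options in a) to c) still apply before scheduling physical access. The registry and uninstaller paths are the ones quoted in this article; reading ConfigName as the group name follows note c) and is otherwise an assumption.

```powershell
# Added triage helper (not the article's own code). Read-only: it changes nothing
# on the sensor, it only reports the facts the Additional Notes tell you to check.
function Get-CbSensorTriage {
    [CmdletBinding()]
    param(
        # Paths quoted in the article above.
        [string]$ConfigKey     = 'HKLM:\SOFTWARE\CarbonBlack\Config',
        [string]$UninstallPath = 'C:\Windows\CarbonBlack\uninst.exe'
    )

    # Last sensor group the sensor recorded (assumption: ConfigName holds the group
    # name, as note c) implies). Missing value => sensor may have landed in Default.
    $lastGroup = (Get-ItemProperty -Path $ConfigKey -Name 'ConfigName' `
                  -ErrorAction SilentlyContinue).ConfigName

    # Win32_ComputerSystem.BootupState reads "Fail-safe boot" in Safe Mode and
    # "Normal boot" otherwise; in a normal boot tamper protection still blocks uninst.exe.
    $bootState  = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
    $inSafeMode = $bootState -like 'Fail-safe*'

    # Decision hint derived only from the facts collected above.
    if ($inSafeMode) {
        $next = 'Safe Mode boot confirmed; uninst.exe can be run per step 3.'
    } elseif (-not $lastGroup) {
        $next = 'ConfigName not found; try CbEDRCLI with the Default group Tamper Protection password.'
    } else {
        $next = "Check whether group '$lastGroup' still exists in the console and use its Tamper Protection password via CbEDRCLI first."
    }

    [PSCustomObject]@{
        LastGroupName    = if ($lastGroup) { $lastGroup } else { '<not found>' }
        UninstallerFound = Test-Path -Path $UninstallPath
        BootState        = $bootState
        SafeModeBoot     = $inSafeMode
        NextStep         = $next
    }
}

# Run from an elevated PowerShell prompt on the affected endpoint.
Get-CbSensorTriage | Format-List
```

Run it before a reboot and again after each of the remote attempts in a) and b); a change in LastGroupName after a reboot confirms the sensor checked in and picked up the new group configuration.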

Article Information
Creation Date: 11-14-2022