Environment
- EDR (formerly CB Response) sensor: 7.2.0 and above
- Microsoft Windows: All Supported versions
Symptoms
sc stop carbonblackk no longer works with 7.2.0 and above to stop sensor service
Cause
This is due to the new tamper protection feature added to sensor 7.2.0
Resolution
From an elevated command prompt run 'fltmc unload carbonblackk' to unload the kernel driver after tamper protection is confirmed to be disabled
Additional Notes
- To verify the driver has been unloaded run 'fltmc' in an elevated command prompt to confirm 'carbonblackk' is not listed
- Restarting the sensor service can be accomplished by starting the sensor service using the msc snapin or rebooting the endpoint
Related Content