EDR: Unloading the Linux Sensor Module Fails

Environment

  • EDR Sensor: All Supported Versions
  • Linux: All Supported Versions

Symptoms

Message received when running `rmmod cbsensor`:

    rmmod: ERROR: could not remove 'cbsensor': Device or resource busy

Cause

As of sensor 6.1.7, cbsensor requires that rmmod, or any similar call that unloads the cbsensor module, be invoked twice to fully unload the module.

Resolution

  • Execute the command a second time after the error
    • Example:
      rmmod cbsensor

Additional Notes

  • cbsensor detects whether the system call or LSM hooks have been modified since cbsensor loaded.
  • If these hooks have been modified, cbsensor refuses to unload in order to prevent a kernel crash, and the EDR Sensor is not operational until the situation is resolved.
  • The first call to unload checks and restores the system call and LSM hooks, if it is safe to do so, and returns the error EBUSY while it restores these hooks.
  • The second call succeeds if the system call and LSM hooks have not been modified since cbsensor was first loaded.
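The following script is an added example, not part of this article or of the sensor's own tooling. It wraps the two-step unload from the Resolution section into a single command: it runs rmmod at most twice, treats the first "Device or resource busy" (EBUSY) as the expected hook-restoration pass, stops immediately on any other rmmod error, and then checks /proc/modules so that the refusal case described in the Additional Notes (hooks modified after the sensor loaded, module still resident) is reported instead of silently assumed to have worked. The helper functions `module_loaded` and `do_rmmod` are assumed names introduced here so the retry logic can be exercised without root.

```shell
#!/bin/sh
# Added example, not part of the original article: unload the cbsensor
# module with the single retry the article describes, then confirm that
# the module is actually gone. Assumptions: rmmod reports the first refusal
# as "Device or resource busy" (EBUSY) and /proc/modules is readable.
MODULE="cbsensor"

# Returns 0 if the named module appears in /proc/modules
# (one module per line, name in the first column).
module_loaded() {
    grep -q "^$1 " /proc/modules 2>/dev/null
}

# Thin wrapper around rmmod so the unload logic below can be exercised
# without root by redefining this function (assumed helper name).
do_rmmod() {
    rmmod "$1"
}

# Attempt to unload a module at most twice. The first EBUSY is expected:
# the sensor uses it to restore the syscall and LSM hooks before letting go.
# Exit status: 0 unloaded, 1 rmmod failed for another reason, 2 still loaded.
unload_module() {
    mod="$1"
    tmp="${TMPDIR:-/tmp}/unload_${mod}_$$.out"
    attempt=1
    while [ "$attempt" -le 2 ]; do
        # Redirecting a function call keeps it in the current shell, so
        # a redefined do_rmmod used for testing can keep its own state.
        if do_rmmod "$mod" >"$tmp" 2>&1; then
            break
        fi
        out=$(cat "$tmp")
        case "$out" in
            *"Device or resource busy"*)
                echo "attempt $attempt: $out (expected once; retrying)" >&2
                ;;
            *)
                # Any other rmmod error is not the documented behaviour: stop.
                echo "attempt $attempt: $out" >&2
                rm -f "$tmp"
                return 1
                ;;
        esac
        attempt=$((attempt + 1))
    done
    rm -f "$tmp"
    if module_loaded "$mod"; then
        echo "$mod is still loaded after 2 attempts; the sensor refuses to unload when the hooks were modified after it loaded" >&2
        return 2
    fi
    return 0
}

# Only act when explicitly asked, so the file can be sourced for testing.
case "${1:-}" in
    --run) unload_module "$MODULE" ;;
esac
```

Run it as root with `sh unload_cbsensor.sh --run`; an exit status of 2 means the sensor declined to unload because the hooks changed after it loaded, which is the non-operational state the Additional Notes describe and needs to be investigated rather than retried a third time.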

Article Information
Creation Date: 03-08-2019