logo

Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

EDR: sensor is non-functional if carbonblack.db file can't be decrypted

EDR: sensor is non-functional if carbonblack.db file can't be decrypted

Environment

EDR OSX sensor: 6.2.6 and 6.3

Symptoms

  • OSX sensor stops reporting to the server.
  • Sensor log shows:
"E1017 12:48:47.310252 435830208 SensorDatabase.cpp:889] OpenEncryptDBHandle : could not access DB post encryption: file is encrypted or is not a database Result[26]
E1017 12:48:47.310557 435830208 SensorDatabase.cpp:896] OpenEncryptDBHandle : could not reopen sqlite db: unable to open database file Result[14]
E1017 12:48:47.310600 435830208 SensorDatabase.cpp:79] Start: SensorDatabase could not open db file[/var/lib/cb/carbonblack.db
E1017 12:48:47.310628 435830208 sensor_service.cpp:400] on_startUnable to start the Sensor Database

Cause

Bug CB-33318.

Resolution

  • This issue will be fixed on a future version.
  • Workaround:
1. Make sure AV exclusions are in place
2. Make sure installing sensor with the root account and enable full disk access.
3. Remove the carbonblack.db from the /var/lib/cb directory
4. Restart the sensor

Labels (1)
Labels:
Was this article helpful? Yes No
No ratings
Article Information
Author:
CB_Support
Creation Date:
‎11-04-2020
Views:
332
Contributors
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.