Endpoint Standard: Signature Pack Version Has Not Updated Since August 1, 2019

Environment

  • Carbon Black Cloud (Formerly PSC) Console: All versions
  • Endpoint Standard Sensor: 2.x.x.x and higher
  • Microsoft Windows: All supported versions
  • Local Scanner enabled
  • Sensors configured to use Carbon Black Cloud Update Server or Local Mirror

Symptoms

  • Sensors are no longer updating Local Scanner Signature packs
  • The latest Signature Pack version is 8.16.19.252 with a time stamp of 2019-08-01T21:15
  • Tests to reach CB Update Servers fail

Cause

This is related to a known issue with Signature Pack updates.

Resolution

For environments that utilize a Local Mirror Server, please use CB Defense: Local Mirror Update Servers Not Updating Since August 1 (Linux) or CB Defense: Local Mirror Update Servers Not Updating Since August 1 (Windows).

For endpoints that use Carbon Black Cloud Update Server, use one of the following methods to resolve the issue:

A. To resolve issue with reboot (no Sensor upgrade required) 

  1. Go to Enforce > Policies and review the 'Local Scan' tab to ensure the 'Update Servers' have been updated to the URL below
    http://updates2.cdc.carbonblack.io/update2
    1. If yes, proceed to apply the solution
    2. If not, your Carbon Black Cloud org has not yet received the necessary backend update; check again later and do not apply the solution until the URL is updated
WARNING: Do not change the 'Update Servers' URL manually; it will update automatically once the backend fix is deployed for your Carbon Black Cloud org.
  2. Ensure traffic to the new 'Update Servers' URL is allowed through proxies and firewalls without packet inspection
    updates2.cdc.carbonblack.io
  3. Reboot devices
  4. Allow 6-12 hours for Sensors to first receive an update to resolve current Sensor state and then receive the latest Signature pack update
NOTE: The updates can be forced in one of the following ways:
  5. Verify that signatures are updating on rebooted machines: CB Defense: How to verify AV Signatures are updating
  6. If updates have not resumed 24 hours after applying the solution, please open a support case

B. To resolve issue with Sensor upgrade to 3.4.0.1052 (no reboot required)

  1. Go to Endpoints > Sensor Options > Download Sensor Kits and check that 3.4.0.1052 Windows Sensor is available
    1. If yes, proceed to apply the solution 
    2. If not, Sensor 3.4.0.1052 has not yet been published to your CB Defense org; Check back later
  2. Ensure traffic to the new 'Update Servers' URL is allowed through proxies and firewalls without packet inspection
    updates2.cdc.carbonblack.io 
WARNING: Do not change the 'Update Servers' URL manually; it will update automatically once the backend fix is deployed for your Carbon Black Cloud org.
  3. Upgrade all devices to the 3.4.0.1052 version Sensor
    1. If upgrading from a 3.3.x.x version, complete an in-place upgrade
    2. If upgrading from 3.2.1.51 or earlier version, be aware that Firewall/Proxy requirements have changed: CB Defense: Sensor not connecting via proxy/firewall
    3. If upgrading from 2.x.x.x or 3.0.x.x, be aware of the following additional considerations:
  4. Wait for signatures to start updating again; this may take a few days as the necessary backend update is being rolled out in a phased manner
    • You can verify that your Carbon Black Cloud org has received the backend update by going to Enforce > Policies and reviewing the 'Local Scan' tab to ensure the 'Update Servers' have been updated to the URL below
      http://updates2.cdc.carbonblack.io/update2
      WARNING: Do not change the 'Update Servers' URL manually; it will update automatically once the backend fix is deployed for your CB Defense org.
  5. Verify that signatures are updating on upgraded Sensors: CB Defense: How to verify AV Signatures are updating
  6. If updates have not resumed on upgraded Sensors 24 hours after receiving the backend update, please open a support case

C. To resolve issue by installing new base Signature Pack (no reboot or Sensor upgrade required)

WARNING: This option is not available for Sensor versions 3.0.x.x; Please use option A or B instead.
  1. Ensure traffic to the new 'Update Servers' URL is allowed through proxies and firewalls without packet inspection
    updates2.cdc.carbonblack.io
  2. Download latest base signature pack (20180816 or higher) as described in CB Defense: How to Download the AV Signature Pack
  3. Deploy the new pack to all endpoints using your preferred systems management application: CB Defense: How to Silently Install the AV Signature Pack
NOTE: If doing an interactive installation of the base Signature Pack, you may receive the following error, which is safe to ignore; no error will be displayed or logged in case of silent installation.
    Failed to notify signature pack ready, error 5
  4. Wait for signatures to start updating again; this may take a few days as the necessary backend update is being rolled out in a phased manner
    • You can verify that your Carbon Black Cloud org has received the backend update by going to Enforce > Policies and reviewing the 'Local Scan' tab to ensure the 'Update Servers' have been updated to the URL below
      http://updates2.cdc.carbonblack.io/update2
      WARNING: Do not change the 'Update Servers' URL manually; it will update automatically once the backend fix is deployed for your CB Defense org.
  5. Verify that signatures are updating on machines where new base pack was installed: CB Defense: How to verify AV Signatures are updating
  6. If updates have not resumed on devices with updated signature pack 24 hours after receiving the backend update, please open a support case

Additional Notes

  • Be sure to also apply the solution to all master/golden images used to deploy non-persistent VDIs or physical machines
  • As Sensors resume download of Signature packs, network utilization may increase for a short time; If network bandwidth consumption is a concern, apply the solution in a staggered manner to smaller groups of endpoints
  • Any Sensor version installed on 8/7/2019 or later is not affected and should resume signature updates automatically with no user intervention once the backend change is deployed for your Carbon Black Cloud org
  • Once the fix has been implemented, the Sensors will return to updating Signature packs on the schedule set in the Local Scanner policy
  • The Signature pack version will be updated to the following or later once the issue is resolved:
    vdf.8.16.20.120
  • An earlier version of this article stated that no solution was available for 2.x.x.x. sensors; Additional investigation has revealed that options A and C can in fact be used to resolve the issue with 2.x.x.x sensors. The article was updated accordingly.
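
The version rules above can be applied to a device inventory to find endpoints that still need one of the options. The following Python is an added example, not part of the original article or any Carbon Black tooling; the CSV column names, device names and sample sensor versions are constructed assumptions.

```python
import csv
import io

FIXED_PACK = (8, 16, 20, 120)   # "vdf.8.16.20.120" or later once resolved (Additional Notes)
STUCK_PACK = (8, 16, 19, 252)   # last pack before updates stopped (Symptoms)

def parse_version(text):
    """Turn '8.16.19.252' or 'vdf.8.16.20.120' into a comparable tuple of ints."""
    text = text.strip()
    if text.lower().startswith("vdf."):
        text = text[4:]
    return tuple(int(part) for part in text.split("."))

def options_for(sensor_version):
    """Resolution options the article allows for a given sensor version."""
    major, minor = parse_version(sensor_version)[:2]
    if major == 2:
        return ["A", "C"]          # article update: A and C work on 2.x.x.x
    if (major, minor) == (3, 0):
        return ["A", "B"]          # option C is not available for 3.0.x.x
    return ["A", "B", "C"]

def triage(csv_text):
    """Return one dict per device whose pack is older than the fixed version."""
    stale = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        pack = parse_version(row["signature_pack"])
        if pack >= FIXED_PACK:
            continue               # signatures are updating again
        stale.append({
            "device": row["device"],
            "pack": row["signature_pack"],
            "stuck_at_known_version": pack == STUCK_PACK,
            "options": options_for(row["sensor_version"]),
        })
    return stale

# Constructed sample inventory; columns and values are assumptions,
# not a Carbon Black console export format.
SAMPLE = """device,sensor_version,signature_pack
ws-001,3.3.1.1,8.16.19.252
ws-002,3.0.1.1,8.16.19.252
ws-003,2.1.0.1,8.16.18.100
ws-004,3.4.0.1052,vdf.8.16.20.120
"""

if __name__ == "__main__":
    for entry in triage(SAMPLE):
        print(entry)
```
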

Article Information

Creation Date: 09-09-2020