Endpoint Standard: Signature Updates Fail With Default Settings

Environment

  • Carbon Black Cloud (formerly known as CB Defense PSC) Console: 0.45 and higher
  • Endpoint Standard (formerly known as CB Defense): 3.3.x.x and higher
  • Microsoft Windows: All supported versions
  • Local Scanner installed and enabled by policy to use CB servers for updates

Symptoms

  • Signature definitions are out of date as reported in the Console
  • Signature definitions may never update or only update periodically
  • The URL is open through proxy and/or firewall
    http://updates2.cdc.carbonblack.io/update2
  • The upd.log may include the following error
    Param 9 --internet-srvs=http://updates2.cdc.carbonblack.io/update2
    Callback: No other server, update aborted
    Failed to call check for update: 48
    Update finished with code 2
  • The confer.log may show the following errors
    Av.Avt.UpdateServers.GetServerType: on site
    Av.Avt.UpdateServers.DoCheck: Found http://updates2.cdc.carbonblack.io/update2, time 0.XXXXXXXX, proxy off
    Av.Avt.UpdateServers.Get: on site - http://updates2.cdc.carbonblack.io/update2,, proxy 0, local 0, master 0
    Av.Avt.Signature: Update started, it may take a while
    Av.Avt.Signature: Failed to update, error 2
  • Pcaps may show the http session initializing successfully and the Sensor successfully downloading the master.idx file and other .info.gz files 
  • The session will end without error and close out 120 seconds later

Cause

  • There is likely something in the perimeter firewall or proxy configuration affecting downloads through http sessions
  • The Local Scanner settings default to http sessions for both onsite and offsite update servers
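
A triage check for the symptom and cause above, added here as an example (it is not Carbon Black code). It scans collected upd.log/confer.log text for the failure markers quoted in this article and reports whether the sensor was still using an http update server. The function name `triage` and the "fixed" sample are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Failure markers quoted in the Symptoms section of this article.
FAILURE_MARKERS = (
    "Failed to call check for update: 48",
    "Update finished with code 2",
    "Av.Avt.Signature: Failed to update, error 2",
)
# Update-server URLs follow "--internet-srvs=" (upd.log) or "DoCheck: Found " (confer.log).
SERVER_RE = re.compile(r"(?:--internet-srvs=|UpdateServers\.DoCheck: Found )(\S+?)[,\s]")

def triage(log_text):
    """Return (matches_kb, servers, markers) for collected upd.log/confer.log text."""
    servers = {}
    for url in SERVER_RE.findall(log_text + "\n"):
        servers[url] = urlsplit(url).scheme.lower()
    markers = [m for m in FAILURE_MARKERS if m in log_text]
    # The article's pattern: updates fail while the sensor still uses plain http.
    uses_http = any(scheme == "http" for scheme in servers.values())
    return (uses_http and bool(markers)), servers, markers

# Log excerpts as quoted in this article (upd.log lines, then confer.log lines).
KB_SAMPLE = """\
Param 9 --internet-srvs=http://updates2.cdc.carbonblack.io/update2
Callback: No other server, update aborted
Failed to call check for update: 48
Update finished with code 2
Av.Avt.UpdateServers.DoCheck: Found http://updates2.cdc.carbonblack.io/update2, time 0.XXXXXXXX, proxy off
Av.Avt.Signature: Update started, it may take a while
Av.Avt.Signature: Failed to update, error 2
"""
# Constructed sample: the same lines with the https server and no error markers.
FIXED_SAMPLE = """\
Param 9 --internet-srvs=https://updates2.cdc.carbonblack.io/update2
Av.Avt.UpdateServers.DoCheck: Found https://updates2.cdc.carbonblack.io/update2, time 0.XXXXXXXX, proxy off
Av.Avt.Signature: Update started, it may take a while
"""

if __name__ == "__main__":
    for name, text in (("kb", KB_SAMPLE), ("fixed", FIXED_SAMPLE)):
        matches, servers, markers = triage(text)
        print(name, "matches KB pattern:", matches, servers, markers)
```

If the failure markers are present but every server is already https, the result is False: that case falls under the support-case note at the end of this article rather than this fix.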

Resolution

Configure the Local Scanner policy to use https for Signature updates
  1. Select Enforce > Policies
  2. Select the affected policy
  3. Select the Local Scanner tab
  4. Click the Add button for "UPDATE SERVERS FOR INTERNAL DEVICES"
  5. Use the same URL and change the protocol to https
    https://updates2.cdc.carbonblack.io/update2
  6. Either mark it as the Preferred Server by checking the Preferred Servers box, or delete the entry for http
  7. Save policy changes (it may be helpful to update the Sensor UI message so the policy change can be confirmed)
  8. Either run update manually with RepCLI or allow the Sensor to update on schedule and monitor results

Additional Notes

  • Sensor versions previous to 3.3.x.x will not be able to update signatures over an https session
  • The settings for offsite update servers can also be changed to https if desired
  • If issues persist and no evidence of traffic blocks is present, please open a support case for assistance

Article Information

Creation Date: 09-09-2020