Environment
- Carbon Black Cloud (formerly known as CB Defense PSC) Console: 0.45 and higher
- Endpoint Standard (formerly known as CB Defense): 3.3.x.x and higher
- Microsoft Windows: All supported versions
- Local Scanner installed and enabled by policy to use CB servers for updates
Symptoms
- Signature definitions are out of date as reported in the Console
- Signature definitions may never update or only update periodically
- The URL is open through proxy and/or firewall
http://updates2.cdc.carbonblack.io/update2
- The upd.log may include the following error
Param 9 --internet-srvs=http://updates2.cdc.carbonblack.io/update2
Callback: No other server, update aborted
Failed to call check for update: 48
Update finished with code 2
- The confer.log may show the following errors
Av.Avt.UpdateServers.GetServerType: on site
Av.Avt.UpdateServers.DoCheck: Found http://updates2.cdc.carbonblack.io/update2, time 0.XXXXXXXX, proxy off
Av.Avt.UpdateServers.Get: on site - http://updates2.cdc.carbonblack.io/update2,, proxy 0, local 0, master 0
Av.Avt.Signature: Update started, it may take a while
Av.Avt.Signature: Failed to update, error 2
- Pcaps may show the http session initializing successfully and the Sensor successfully downloading the master.idx file and other .info.gz files
- The session will end without error and close out 120 seconds later
Cause
- There is likely something in the perimeter firewall or proxy configuration affecting downloads through http sessions
- The Local Scanner settings default to http sessions for both onsite and offsite update servers
Resolution
Configure the Local Scanner policy to use https for Signature updates
- Select Enforce > Policies
- Select the affected policy
- Select the Local Scanner tab
- Click the Add button for "UPDATE SERVERS FOR INTERNAL DEVICES"
- Use the same URL and change the protocol to https
https://updates2.cdc.carbonblack.io/update2
- Either mark it as the Preferred Server by checking the Preferred Servers box, or delete the entry for http
- Save policy changes (It may be helpful to update the Sensor UI message so the policy change can be confirmed)
- Either run update manually with RepCLI or allow the Sensor to update on schedule and monitor results
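To help with monitoring results, the failure signature listed under Symptoms can be checked mechanically in collected upd.log and confer.log lines. The following is an added example, not Carbon Black tooling; the function name `triage` and the result keys are assumptions, and the sample lines are the excerpts shown above.

```python
import re

# Failure markers copied from the upd.log and confer.log excerpts in this article.
FAILURE_MARKERS = (
    "Callback: No other server, update aborted",
    "Update finished with code 2",
    "Av.Avt.Signature: Failed to update, error 2",
)
# An update server URL as it appears after "--internet-srvs=", "Found " or "on site - ".
URL_RE = re.compile(r"\b(https?)://[^\s,]+")

def triage(lines):
    """Report which update servers were used and whether the failure signature is present."""
    servers, failures = set(), []
    for line in lines:
        # Only lines that name update servers are searched for URLs.
        if "internet-srvs=" in line or "Av.Avt.UpdateServers" in line:
            servers.update(m.group(0) for m in URL_RE.finditer(line))
        # Substring match so timestamp or thread prefixes on real lines do not matter.
        failures.extend(marker for marker in FAILURE_MARKERS if marker in line)
    http_servers = sorted(s for s in servers if s.startswith("http://"))
    return {
        "http_servers": http_servers,
        "failures": failures,
        # This article applies when updates fail while a plain-http server is in use.
        "matches_article": bool(failures) and bool(http_servers),
        # Resolution step: same URL, protocol changed to https.
        "https_candidates": ["https://" + s[len("http://"):] for s in http_servers],
    }

# Sample lines taken from the excerpts above (any line prefixes omitted).
SAMPLE = [
    "Param 9 --internet-srvs=http://updates2.cdc.carbonblack.io/update2",
    "Callback: No other server, update aborted",
    "Failed to call check for update: 48",
    "Update finished with code 2",
    "Av.Avt.UpdateServers.Get: on site - http://updates2.cdc.carbonblack.io/update2,, proxy 0, local 0, master 0",
    "Av.Avt.Signature: Failed to update, error 2",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

After the policy change has reached the Sensor, `http_servers` should come back empty for newly written log lines.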
Additional Notes
- Sensor versions earlier than 3.3.x.x will not be able to update signatures over an https session
- The settings for offsite update servers can also be changed to https if desired
- If issues persist and no evidence of traffic blocks is present, please open a support case for assistance