Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

PSC: GPO upgrade fails on Sensor version 3.2.x.x

PSC: GPO upgrade fails on Sensor version 3.2.x.x

Environment

  • Cb Defense Sensor: 3.2.x.x and higher
  • Microsoft Windows: All supported versions
  • GPO is used to upgrade Sensor from 3.2.x.x to a higher version

Symptoms

  • Group Policy upgrade from 3.2.1.x sensor version will fail 
  • Sensor 3.2.1.x will remain installed and continue to function
  • MSI log will contain only a single entry referencing the Installer upgrade code

Cause

Group Policy upgrade from 3.2.1.x sensor version will fail unless the FilterMSI value is added to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbDefense key.


Resolution

  1. Enable Sensor Bypass  from the PSC Console, Sensor UI, or Command Line
  1. Create FilterMSI registry value (Manual or with a Group Policy immediate task)
  • Manual

a. Open Regedit and navigate the registry key tree to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbDefense
b. Right click in a blank space in the right pane and select New > DWORD (32 bit value)
c. Name the value FilterMSI and leave the data set to 0
  • Group Policy immediate task

a. Create Batch File
"c:\program files\confer\uninstall.exe" /bypass 1 <uninstall code>

reg add HKLM\SYSTEM\CurrentControlSet\services\CbDefense /v FilterMSI /t REG_DWORD /d 0

TIMEOUT /t 2

"c:\program files\confer\uninstall.exe" /bypass 0 <uninstall code>

NOTE: Before following these steps create a batch file in a commonly accessible network folder the same way you would place the MSI for Group Policy installation.  Put the following script inside the batch file and replace <uninstall code> with your uninstall code if Require code to uninstall sensor is enabled in the sensor policy otherwise delete <uninstall code> from the script.

b. In the Group Policy Management (GPO) Editor, go to Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks.
c. Right click and select New > Immediate Task (At least Windows 7)
d. On the General tab, enter a name for the task and under security options select Change User or Group. In the Select User or Group dialog enter system in the object name to select text box.  Click check names e. and click OK if the highlighted entry is SYSTEM. Click OK again in the Select User or Group dialog.
f. Select the Run whether user is logged on or not option and check the Run with highest privileges checkbox.
g. In the Configure for drop down menu at the bottom of the general tab select Windows 7, Windows Server 2008. 
User-added image


h. On the Common tab check Apply once and do not reapply.  
User-added image

i. On the Actions tab click New… an make sure the Action drop down is set to Start a program and in the Program/script text box enter the full path to the batch script created in step 1 and click OK.  (There is a bug where the New Action dialog may crash if you select the file by using browse) 
User-added image

j. Click OK to set the new immediate task.
k. Force a Group Policy update and the task will run immediately. It is possible to check for the FilterMSI value in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbDefense to see that the policy was applied successfully.
WARNING: If using this method, it recommended to change the org’s uninstall code once this task has been completed since it may have been exposed in plain text format.
    1. Disable Sensor Bypass  from the PSC Console, Sensor UI, or Command Line

    Related Content


    Was this article helpful? Yes No
    100% helpful (1/1)
    Article Information
    Author:
    Creation Date:
    ‎09-09-2020
    Views:
    3029
    Contributors