Version
Cb Response Windows Sensor 5.2.5.70202 (Deployed via Cb Response 5.2.6)
Topic
How to roll back sensors from 5.2.5.70202 to 5.2.1.61026, or 6.0.1.70205 to 6.0.0.61201 and remove these from the UI
Issue
The Windows Sensor Version 5.2.5 creates a deadlock condition that is exacerbated when you attempt to install/uninstall programs on the affected machine. Check here for more information on the issue:
Please Read: Issues identified in Cb Response v.5.2.5/6.0.1 Windows and v.5.2.6 MacOS sensors
Solution
Cb Response Engineers have found a temporary solution to mitigate the deadlock issue on the 5.2.5 Windows Sensor by disabling "Binary Module Loads." Following this all sensors should be rolled back to the previously stable version.
- Mitigate the Deadlock by disabling "Binary Module Loads"
Administration > Sensors > Select Relevant Group (drop down) > Edit Settings > Event Collection (tab) > uncheck Binary Module Loads |
Downgrade to previously stable version
Under Edit Group Settings > Upgrade Policy (tab) > Windows Automatically upgrade to a specific version > Select 5.2.1.61026 or 6.0.0.61201 (drop down) |
Note: Only if you do not have a stable version to downgrade to, follow the below steps 2a through 2d to install a stable version.
- Login as the root user to the Cb Response Master server:
- Verify the available list of Sensors to download:
yum clean all
yum info cb*sensor* |
- Install a specific version
| yum install cb-sensor-5.2.1.61026-win |
- For the OS X / macOS Sensor, v5.2.5.70103 is the suggested version:
| yum install cb-osx-sensor |
- Restart the services from the Master Server only:
| service cb-enterprise restart |
Unlock Remaining Sensors
Follow these instructions for any sensors that didn’t automatically downgrade
Restart the host
This should free up the system and that usually allows the downgrade to happen on next checkin
- Uninstall the Sensor
If restarting the host still doesn't work, uninstall and reinstall the sensor- Stop the kernel driver by executing the follow at the windows command prompt
- Attempt to uninstall the sensor either via add/remove programs or via silent uninstall
| %WINDIR%\CarbonBlack\uninst.exe /S |
Note: If you get "access is denied" to the "sc stop" commands even as Administrator, please confirm if Protection is deployed to the server and disable tamper protection.
Check out this guide for more information: Uninstall Carbon Black sensor from Windows fails
- Reinstall the previously stable sensor either via a 3rd party software delivery tool (GPO installer) or via the EXE installer
Re-enable Binary Module Loads in your sensor groups once the rollback is complete
- Next, delete the problematic Sensor version from the system to prevent it from appearing in the UI
- For the Windows Sensor:
- Login as the root user to the Cb Response Master server and identify the installed versions:
cd /usr/share/cb/coreservices/installers/
ls -la |
- Remove the installers for Windows:
rm -f /usr/share/cb/coreservices/installers/*5.2.5*
rm -f /usr/share/cb/setup/sensor-installers/*5.2.5* |
- Restart the services from the Master Server only:
| service cb-enterprise restart |
- This version will no longer appear in the UI
- For the MacOS Sensor:
- Login as the root user to the Cb Response Master server and identify the installed versions:
cd /usr/share/cb/coreservices/installers/osx
ls -la |
- Remove the installer:
rm -f /usr/share/cb/coreservices/installers/osx/*5.2.6*
rm -f /usr/share/cb/setup/sensor-installers/osx/*5.2.6* |
Restart the services from the Master Server only:
| service cb-enterprise restart |
- This version will no longer appear in the UI
Note: If you upgraded, there is no issue with continuing to run the 5.2.6 Cb Response Server. However 5.2.6 MacOS sensors should also be downgraded to the previous stable version, 5.2.5.70103. Check here for more information:
Please Read: Issues identified in Cb Response v.5.2.5/6.0.1 Windows and v.5.2.6 MacOS sensors
