Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

App Control: Receiving Events with the Description: "Data is bad for Config List entry"

App Control: Receiving Events with the Description: "Data is bad for Config List entry"

Environment

  • App Control Console: All Supported Versions

Symptoms

  • Events that match:
    • Subtype: "Server Configlist Error"
    • Description: "Data is Bad for Configlist Entry"

Cause

  • "Data is bad for config list entry" means that an agent received config list change and the instruction or details on the config list was mostly likely corrupted that the agent does not know how to apply it
  • A config list entry is created whenever a system config change or rule change or file state change (like ban or approval, etc.)

Resolution

From Report Events, check how many machines under the Source column are reporting the "data is bad for config list entry"

Less than 5 machines, please use solution: Agent Cache Corruption to fix the cache as there is some entries on the cache's file inventory that is reporting a bad hash to the server

More than 5 machines reporting this event, it means that there's a CL entry that agents are unable to process due to the configlist.xml getting corrupted. The errors.bt9 file on the agents will show a message of being unable to process some CL version(s). To resolve this, go to the App Control Server:
  1. Browse to App Control Server Installation:
    •  C:\Program Files (x86)\Bit9\Parity Server\hostpkg\
    • C:\Program Files (x86)\Bit9\Parity Server\configxml\
  2.  Make a backup of all "configlist..."  files outside of those folders
  3. Removed all "configlist..." files from those folders and restart the App Control Server Service
  4. A new configlist files will get created

Related Content


Labels (1)
Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎08-04-2023
Views:
344
Contributors