logo

Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

Carbon Black Cloud: Sensor upgrade failure due to missing ELAM drivers

Carbon Black Cloud: Sensor upgrade failure due to missing ELAM drivers

Environment

  • Carbon Black Cloud sensor: 3.6.x - 3.7.0.1503
  • Microsoft Windows 10: Redstone 2 (build 15063) and above
  • Microsoft Windows Server 2012 R2: All versions

Symptoms

  • Upgrade from sensor version 3.6.0.1791 to 3.6.0.2076 or 3.7.0.1253 fails
  • Installer log shows CbElam.sys was not able to uninstall:
INFO install: RunInf: Uninstall for CbELAM.inf
ERROR ERROR: install: RunInf: Unable to open inf file C:\Program Files\Confer\CbELAM.inf: last error 2 0x2
  • MSI errors show a failure during uninstall of CbElam.sys:
CAUninstallDriverService: Uninstalling driver service : elam
CAUninstallDriverService: Error 0x80004005: CAUninstallDriverService: Uninstall driver service failed
  • After the install fails, the installer attempts to leave the existing version intact but fails. ctinet and ctifile install successfully, but CbElam fails:
INFO install: InstallAll: InstallDriver
INFO install: InstallAll: CopyDriver: Copying Driver from CbELAM.sys to C:\WINDOWS\system32\drivers\CbELAM.sys
ERROR CopyDriver: ERROR: copy CbELAM.sys failed: 2
ERROR CopyDriver: ERROR: copy CbELAM.sys failed: 2
ERROR CopyDriver: ERROR: copy CbELAM.sys failed: 2
ERROR CopyDriver: ERROR: copy CbELAM.sys failed: 2
ERROR CopyDriver: ERROR: copy CbELAM.sys failed: 2
ERROR CopyDriver: ERROR: copy CbELAM.sys failed: 2
ERROR CopyDriver: ERROR: copy CbELAM.sys failed: 2
ERROR CopyDriver: ERROR: copy CbELAM.sys failed: 2
ERROR CopyDriver: ERROR: copy CbELAM.sys failed: 2
ERROR CopyDriver: ERROR: copy CbELAM.sys failed: 2
ERROR InstallFileDriver: ERROR: copy CbELAM.sys failed
ERROR install: InstallDriver failed

Cause

  • Sensor was originally installed to a Windows version that does not support ELAM; after subsequent Windows upgrade, ELAM files were not added
  • ELAM driver backup file missing from C:\Windows\ELAMBKUP directory
  • ELAM entirely missing:
    • C:\Program Files\Confer\CbELAM.inf
    • c:\windows\elambkup\cbelam.sys
    • c:\program files\confer\cbelam.sys

Resolution

  1. Place the affected device into bypass mode
  2. Copy the missing file(s) from a device that has the same version installed
    • cbELAM.cat, cbELAM.inf, cbELAM.sys in C:\Program Files\Confer
    • cbELAM.sys in c:\windows\system32\drivers
    • cbELAM.sys in C:\Windows\ELAMBKUP
  3. Re-attempt the upgrade

Additional Notes

  • This issue is fixed in 3.7.0.1503. Upgrades coming from 3.7.0.1503+ should no longer run into this. Upgrades from an older version to a newer version (Ex 3.7.0.1411 > 3.8.0.722) can run into this.
  • Audit and Remediation customers can run this query to identify devices with this issue: 
    WITH isCbElamMissing AS (
SELECT os.platform, os.build, si.computer_name
FROM os_version AS os, system_info AS si
WHERE (os.platform LIKE 'windows') AND
(CAST(os.build AS INTEGER) >= 15063) AND
((SELECT COUNT(*) FROM file WHERE path LIKE '\windows\system32\drivers\cbelam.sys') = 0)
)
SELECT * FROM isCbElamMissing;

Related Content


Was this article helpful? Yes No
100% helpful (1/1)
Article Information
Author:
CB_Support
Creation Date:
‎10-17-2022
Views:
1391
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.