
Rollback 5.2.5 and 6.0.1 Windows Sensors

Version

Cb Response Windows Sensor 5.2.5.70202 (Deployed via Cb Response 5.2.6)

Topic

How to roll back sensors from 5.2.5.70202 to 5.2.1.61026, or 6.0.1.70205 to 6.0.0.61201 and remove these from the UI

Issue

The Windows Sensor Version 5.2.5 creates a deadlock condition that is exacerbated when you attempt to install/uninstall programs on the affected machine. Check here for more information on the issue:

Please Read: Issues identified in Cb Response v.5.2.5/6.0.1 Windows and v.5.2.6 MacOS sensors

Solution

Cb Response Engineers have found a temporary solution to mitigate the deadlock issue on the 5.2.5 Windows Sensor by disabling "Binary Module Loads." Following this all sensors should be rolled back to the previously stable version.

  1. Mitigate the Deadlock by disabling "Binary Module Loads"

    Administration > Sensors > Select Relevant Group (drop down) > Edit Settings > Event Collection (tab) > uncheck Binary Module Loads

  2. Downgrade to previously stable version

    Under Edit Group Settings > Upgrade Policy (tab) > Windows Automatically upgrade to a specific version > Select 5.2.1.61026 or 6.0.0.61201 (drop down)

    Note: Only if you do not have a stable version to downgrade to, follow the steps below to install one.

    1. Login as the root user to the Cb Response Master server:
    2. Verify the available list of Sensors to download:
      yum clean all
      yum info cb*sensor*
    3. Install a specific version
      yum install cb-sensor-5.2.1.61026-win
    4. For the OS X / macOS Sensor, v5.2.5.70103 is the suggested version:
      yum install cb-osx-sensor
    5. Restart the services from the Master Server only:
      service cb-enterprise restart
  3. Unlock Remaining Sensors
    Follow these instructions for any sensors that didn't automatically downgrade.

    1. Restart the host
      This should free up the system, which usually allows the downgrade to happen on the next check-in.

    2. Uninstall the Sensor
      If restarting the host still doesn't work, uninstall and reinstall the sensor.
      1. Stop the kernel driver by executing the following at the Windows command prompt:
        sc stop carbonblackk
      2. Attempt to uninstall the sensor either via add/remove programs or via silent uninstall
        %WINDIR%\CarbonBlack\uninst.exe /S
        Note: If you get "access is denied" from the "sc stop" command even as Administrator, confirm whether Protection is deployed to the server and disable tamper protection.
        Check out this guide for more information: Uninstall Carbon Black sensor from Windows fails
      3. Reinstall the previously stable sensor either via a third-party software delivery tool (GPO installer) or via the EXE installer
  4. Re-enable Binary Module Loads in your sensor groups once the rollback is complete

  5. Next, delete the problematic Sensor version from the system to prevent it from appearing in the UI
    1. For the Windows Sensor:
      1. Login as the root user to the Cb Response Master server and identify the installed versions:
        cd /usr/share/cb/coreservices/installers/
        ls -la
      2. Remove the installers for Windows:
        rm -f /usr/share/cb/coreservices/installers/*5.2.5*
        rm -f /usr/share/cb/setup/sensor-installers/*5.2.5*
      3. Restart the services from the Master Server only:
        service cb-enterprise restart
      4. This version will no longer appear in the UI
    2. For the MacOS Sensor:
      1. Login as the root user to the Cb Response Master server and identify the installed versions:
        cd /usr/share/cb/coreservices/installers/osx
        ls -la
      2. Remove the installer:
        rm -f /usr/share/cb/coreservices/installers/osx/*5.2.6*
        rm -f /usr/share/cb/setup/sensor-installers/osx/*5.2.6*
      3. Restart the services from the Master Server only:
        service cb-enterprise restart
      4. This version will no longer appear in the UI
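    The installer clean-up in step 5 is a bare rm -f with a version glob, run as root on the master. The script below is an added example, not Carbon Black's own tooling: it wraps that step so the removal only proceeds when an installer for the build you rolled back to is still present and the pattern does not also match it, and it selects directories per platform so a Windows "5.2.5" pattern never reaches the osx/ directory, where 5.2.5.70103 is the recommended macOS build. CB_BASE (assumed variable) defaults to /usr/share/cb, the path the article uses; the file names in the rehearsal are constructed, since the real installer names are not shown in the article. Run it with --demo to rehearse against a scratch tree.

```shell
#!/bin/sh
# Added example, not Carbon Black's own tooling. Removes the installers of a
# withdrawn sensor build from a Cb Response master (step 5 above), but only
# after confirming that the build you rolled back to is still present and
# that the removal pattern does not also match it. Directories are chosen per
# platform so a Windows "5.2.5" pattern never reaches the osx/ directory,
# where 5.2.5.70103 is the recommended macOS build.
# CB_BASE (assumed variable) defaults to /usr/share/cb, the path the article
# uses; point it at a scratch tree to rehearse. Nothing is deleted unless the
# 4th argument is "apply".

# list_installers PATTERN DIR... -> regular files under $CB_BASE/DIR whose
# name contains PATTERN, one per line (paths are assumed to have no spaces)
list_installers() {
  pattern="$1"; shift
  for d in "$@"; do
    for f in "${CB_BASE:-/usr/share/cb}/$d"/*"$pattern"*; do
      [ -f "$f" ] && printf '%s\n' "$f"
    done
  done
  return 0
}

# purge_sensor_version PLATFORM BAD_PATTERN GOOD_VERSION [apply]
# Exit status: 0 removed (or, in dry-run, listed) the BAD installers;
#              1 no installer for GOOD_VERSION present, refused;
#              2 BAD_PATTERN also matches GOOD_VERSION, refused;
#              3 nothing matched BAD_PATTERN; 4 unknown platform.
purge_sensor_version() {
  platform="$1"; bad="$2"; good="$3"; mode="${4:-dry-run}"
  case "$platform" in
    windows) dirs="coreservices/installers setup/sensor-installers" ;;
    osx)     dirs="coreservices/installers/osx setup/sensor-installers/osx" ;;
    *) echo "unknown platform: $platform" >&2; return 4 ;;
  esac
  good_files=$(list_installers "$good" $dirs)
  if [ -z "$good_files" ]; then
    echo "refusing: no installer for rollback target $good under $platform dirs" >&2
    return 1
  fi
  bad_files=$(list_installers "$bad" $dirs)
  if [ -z "$bad_files" ]; then
    echo "nothing to do: no installer matching '$bad'" >&2
    return 3
  fi
  # Refuse if the removal pattern would sweep the rollback target as well.
  for f in $bad_files; do
    case "$f" in
      *"$good"*) echo "refusing: pattern '$bad' also matches rollback target $f" >&2; return 2 ;;
    esac
  done
  for f in $bad_files; do
    if [ "$mode" = "apply" ]; then
      rm -f "$f" && echo "removed $f"
    else
      echo "would remove $f (pass 'apply' as 4th argument to delete)"
    fi
  done
  if [ "$mode" = "apply" ]; then
    echo "installers removed; now run 'service cb-enterprise restart' on the master server only"
  fi
  return 0
}

# Stand-alone rehearsal: "./rollback-cleanup.sh --demo" builds a scratch tree
# with constructed file names (the real installer names are not shown in the
# article) and runs a dry run followed by the real removal against it.
if [ "${1:-}" = "--demo" ]; then
  CB_BASE=$(mktemp -d)
  mkdir -p "$CB_BASE/coreservices/installers/osx" "$CB_BASE/setup/sensor-installers/osx"
  for d in coreservices/installers setup/sensor-installers; do
    : > "$CB_BASE/$d/cb-sensor-5.2.5.70202-win.example"
    : > "$CB_BASE/$d/cb-sensor-5.2.1.61026-win.example"
    : > "$CB_BASE/$d/osx/cb-osx-sensor-5.2.5.70103.example"
  done
  purge_sensor_version windows 5.2.5 5.2.1.61026
  purge_sensor_version windows 5.2.5 5.2.1.61026 apply
  find "$CB_BASE" -type f
  rm -rf "$CB_BASE"
fi
```

    The service restart is deliberately left to the operator rather than executed by the script, matching the article's instruction to restart from the Master Server only; for the macOS clean-up pass osx as the platform and the 5.2.6 pattern with 5.2.5.70103 as the rollback target.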

Note: If you upgraded, there is no issue with continuing to run the 5.2.6 Cb Response Server. However, 5.2.6 MacOS sensors should also be downgraded to the previous stable version, 5.2.5.70103. Check here for more information:

Please Read: Issues identified in Cb Response v.5.2.5/6.0.1 Windows and v.5.2.6 MacOS sensors

Article Information
Creation Date: 02-20-2017