Uninstall Carbon Black sensor from Windows fails

Version

Cb 5.0.0 or higher

Bit9 v7.2.0 or higher

Issue

Unable to successfully uninstall the Carbon Black sensor from a Windows host.

Symptoms

Sensor.LOG after the uninstall attempt:

2015-04-14 08:24:41: Attempting self-uninstall...
2015-04-14 08:24:41: Entering self-uninstall...
2015-04-14 08:24:41: OpenService call on CarbonBlackK
2015-04-14 08:24:41: Querying service configuration
2015-04-14 08:24:41: Deleting file \??\C:\Windows\system32\drivers\cbk7.sys
2015-04-14 08:24:41: File Deleted Successfully
2015-04-14 08:24:41: Deleting Service
2015-04-14 08:24:41: Uninstall completed successfully
2015-04-14 08:24:41: Uninstalled core driver
2015-04-14 08:24:41: OpenService call on cbstream
2015-04-14 08:24:41: Querying service configuration
2015-04-14 08:24:41: Deleting file \??\C:\Windows\system32\drivers\cbstream.sys
2015-04-14 08:24:41: File Deleted Successfully
2015-04-14 08:24:41: Deleting Service
2015-04-14 08:24:41: Uninstall completed successfully
2015-04-14 08:24:41: Uninstalled Netmon driver
2015-04-14 08:24:41: Unable to launch uninstaller [hr=0x80070005]
2015-04-14 08:24:41: Notifying server of uninstall result - 1 [CoreDrv: 0x00000000
NetMonDrv: 0x00000000
Uninstaller: 0x80070005
]
2015-04-14 08:24:41: Notification of uninstall to server result [hr=0x00000000]
2015-04-14 08:24:41: Service uninstall attempt failed; hr=0x8000ffff
2015-04-14 08:24:41: File store is stopped
2015-04-14 08:24:41: Core Driver IO completed; disconnecting...
2015-04-14 08:24:41: File store is stopped
2015-04-14 08:24:41: Core Driver IO completed; disconnecting...

Another message that may be observed is:

Pid[07DC] Tid[0848] 2017-01-12 14:59:12 CbServer::_Synch : Upgrade attempt completed HrError[0xC0000005]
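The log excerpt above is easiest to triage by decoding the per-component codes in the "Notifying server of uninstall result" block: both drivers report 0x00000000 (S_OK) while the uninstaller reports 0x80070005, which is E_ACCESSDENIED (the HRESULT form of Win32 ERROR_ACCESS_DENIED), and the overall attempt then fails with 0x8000FFFF (E_UNEXPECTED). The PowerShell below is an added example, not code from this article or from Carbon Black; it parses that block from a Sensor.LOG and reports whether the pattern matches an uninstaller launch that was denied while the drivers were removed, which is the signature the Cause section attributes to tamper protection. The sample log text is constructed from the excerpt above, and the code-name table covers only the codes that appear on this page.

```powershell
# Added example (not from the Carbon Black KB article): decode the uninstall
# result block of a Sensor.LOG and classify the outcome.

# Constructed sample: the relevant lines from the article's Sensor.LOG excerpt.
$SampleSensorLog = @'
2015-04-14 08:24:41: Uninstalled core driver
2015-04-14 08:24:41: Uninstalled Netmon driver
2015-04-14 08:24:41: Unable to launch uninstaller [hr=0x80070005]
2015-04-14 08:24:41: Notifying server of uninstall result - 1 [CoreDrv: 0x00000000
NetMonDrv: 0x00000000
Uninstaller: 0x80070005
]
2015-04-14 08:24:41: Service uninstall attempt failed; hr=0x8000ffff
'@

# Standard Windows result codes that appear in the article's excerpts.
$ResultCodeNames = @{
    '0x00000000' = 'S_OK'
    '0x80070005' = 'E_ACCESSDENIED (HRESULT_FROM_WIN32(ERROR_ACCESS_DENIED))'
    '0x8000FFFF' = 'E_UNEXPECTED'
    '0xC0000005' = 'STATUS_ACCESS_VIOLATION (NTSTATUS)'
}

function ConvertTo-CanonicalHex {
    param([string]$Code)
    # Normalise e.g. 0x8000ffff -> 0x8000FFFF so it matches the lookup table.
    return '0x' + $Code.Substring(2).ToUpper()
}

function Get-SensorUninstallResult {
    param([string]$LogText)

    # Per-component codes: "CoreDrv: 0x...", "NetMonDrv: 0x...", "Uninstaller: 0x..."
    $codes = @{}
    $pattern = '\b(CoreDrv|NetMonDrv|Uninstaller):\s*(0x[0-9A-Fa-f]{8})'
    foreach ($m in [regex]::Matches($LogText, $pattern)) {
        $codes[$m.Groups[1].Value] = ConvertTo-CanonicalHex $m.Groups[2].Value
    }

    $driversOk = ($codes['CoreDrv'] -eq '0x00000000') -and ($codes['NetMonDrv'] -eq '0x00000000')
    $failures  = @($codes.Values | Where-Object { $_ -ne '0x00000000' }).Count

    $verdict = if ($codes.Count -lt 3) {
        'Incomplete: uninstall result block not found in the log'
    } elseif ($driversOk -and $codes['Uninstaller'] -eq '0x80070005') {
        'Drivers removed but uninstaller launch was denied: consistent with Cb Protection tamper protection blocking the sensor uninstall'
    } elseif ($failures -eq 0) {
        'All components reported success'
    } else {
        'Failure in a component other than the uninstaller launch; inspect the decoded codes'
    }

    $decoded = $codes.GetEnumerator() | ForEach-Object {
        $meaning = if ($ResultCodeNames.ContainsKey($_.Value)) { $ResultCodeNames[$_.Value] } else { 'unknown code' }
        [pscustomobject]@{ Component = $_.Key; Code = $_.Value; Meaning = $meaning }
    }

    [pscustomobject]@{ Codes = $decoded; Verdict = $verdict }
}

# Usage with the constructed sample; for a real host pass the log file contents,
# e.g. -LogText (Get-Content -Raw '<path to Sensor.LOG>').
$report = Get-SensorUninstallResult -LogText $SampleSensorLog
$report.Codes | Format-Table -AutoSize
$report.Verdict
```

On the sample, the verdict is the tamper-protection case; a log where the Uninstaller code is also 0x00000000 falls through to "All components reported success", so the same function can confirm that the fix in the Solution section worked after a second uninstall attempt.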

Cause

The cause is the Carbon Black Tamper Protection updater of the Bit9 (Cb Protection) agent. The Carbon Black directories are covered by that updater's tamper protection settings, and this protection also blocks the Carbon Black server from uninstalling a sensor.

Solution

Steps for Cb Protection 7.x

If the Cb Protection agent is connected and visible in the Console, open the Rules > Software Rules > Updaters tab. Locate and disable the Windows 'Carbon Black Tamper Protection' Updater. This globally disables the 'Carbon Black Tamper Protection' Updater.

Steps for Cb Protection 8.x

Starting with Cb Protection 8.0, the Cb Tamper Protection Updater was replaced with a Rapid Configuration. You'll find this in the console by going to Rules > Software Rules > Rapid Configs. Locate and disable the "Cb Response Tamper Protection" configuration in order to disable tamper protection for Cb Response sensors.

If the Cb Protection agent is not connected to the server, the following steps can be performed to manually disable the 'Carbon Black Tamper Protection' Updater:

1. Open a Command Prompt and run the following DASCLI commands:

a) dascli password <CLI or GLOBAL password>
b) dascli kernelconfig CarbonBlackTamperProtection 0

2. Complete the Carbon Black sensor uninstall.

3. Run dascli kernelconfig CarbonBlackTamperProtection 1

a) This turns the Bit9 agent Carbon Black tamper protection back on.
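The three manual steps above leave a window in which tamper protection is off, and step 3 is easy to forget if step 2 fails partway. The PowerShell function below is an added example, not code from this article or from Carbon Black or Bit9; it runs the same dascli commands in the same order and uses try/finally so that step 3 always executes. It assumes (neither is stated in the article) that dascli.exe lives in the Cb Protection agent directory given as the default for -DasCli, and that dascli returns a nonzero exit code when a command fails; the sensor uninstall itself is supplied by the caller as a script block, since the article does not specify the uninstall command.

```powershell
# Added example (not from the Carbon Black KB article): run the manual
# tamper-protection bypass so that protection is always re-enabled afterwards.
function Invoke-SensorUninstallWithTamperBypass {
    [CmdletBinding()]
    param(
        # CLI or GLOBAL password for the Cb Protection agent (step 1a).
        [Parameter(Mandatory)][string]$CliPassword,
        # Your site's documented sensor uninstall command, as a script block (step 2).
        [Parameter(Mandatory)][scriptblock]$SensorUninstall,
        # Assumed location of dascli.exe; adjust for your installation.
        [string]$DasCli = 'C:\Program Files (x86)\Bit9\Parity Agent\dascli.exe'
    )

    if (-not (Test-Path -LiteralPath $DasCli)) {
        throw "dascli not found at '$DasCli'; pass -DasCli with the correct path"
    }

    # Step 1a: authenticate to the agent CLI. Output is discarded and the
    # password is never written to the log by this function.
    & $DasCli password $CliPassword | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'dascli password failed (assumes nonzero exit on failure)' }

    # Step 1b: disable Carbon Black tamper protection in the agent kernel config.
    & $DasCli kernelconfig CarbonBlackTamperProtection 0 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'could not disable CarbonBlackTamperProtection' }
    Write-Verbose 'CarbonBlackTamperProtection set to 0'

    try {
        # Step 2: perform the sensor uninstall with protection disabled.
        & $SensorUninstall
    }
    finally {
        # Step 3: always restore tamper protection, even if step 2 threw.
        & $DasCli kernelconfig CarbonBlackTamperProtection 1 | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning 'Failed to re-enable tamper protection; run manually: dascli kernelconfig CarbonBlackTamperProtection 1'
        } else {
            Write-Verbose 'CarbonBlackTamperProtection set to 1'
        }
    }
}

# Usage (placeholder uninstall path; substitute your documented sensor uninstall):
# Invoke-SensorUninstallWithTamperBypass -CliPassword (Read-Host 'CLI password') `
#     -SensorUninstall { & '<path to sensor uninstaller>' } -Verbose
```

After the function returns, check Sensor.LOG for the "Unable to launch uninstaller [hr=0x80070005]" line from the Symptoms section: its absence on the new attempt indicates the uninstall was no longer blocked.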

Important Note(s)

Check the Bit9 (Cb Protection) agent logs to confirm that tamper protection events are being generated for the Carbon Black sensor uninstall; their presence confirms the cause described above.

Article Information
Creation Date: 08-28-2015