EDR: Timeout sessions in CBLR are not clearing

Article ID: 284753

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • If an EDR LiveResponse session goes into a "timeout" state, it cannot be closed.  
  • The "session close" command reports that the session is closed, but it never goes away and remains in a timeout state.

Environment

  • EDR (formerly CB Response) Server: 6.x
  • EDR (formerly CB Response) Sensor: 5.2.5 and higher

Cause

These symptoms are related to several known issues, tracked as:
  • CB-12852
  • CB-20837
  • CB-20632
These issues will be addressed in a future release. 

Resolution

  1. Stop the Live Response service:
# service cb-liveresponse stop
  2. Back up the sessions folder:
# mv /var/cb/data/live-response/sessions /var/cb/data/live-response/sessions.bak.$(date +%Y-%m-%d)
  3. Make a new sessions directory:
# mkdir /var/cb/data/live-response/sessions
  4. Change ownership of the new directory:
# chown cb.cb /var/cb/data/live-response/sessions
  5. Change permissions of the new directory:
# chmod 700 /var/cb/data/live-response/sessions
  6. Start the Live Response service:
# service cb-liveresponse start

Optional steps:
  1. Remove any session directories that are older than a couple of days (i.e. likely expired):
# rm -rf /apps/cb/data/live-response/sessions/<session ID>
  2. Navigate to the CB Response UI.
  3. Click the Go Live tab (global scope) before the sensors check in.
  4. Run:
session list
  5. Choose some sessions and close them:
session close <ID>
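
The age-based cleanup in the first optional step can be scripted with a dry run before anything is deleted. This is an added example, not Carbon Black code: the function names, the default path (taken from the resolution steps above) and the use of directory mtime as the age test are assumptions.

```shell
#!/bin/sh
# Added example: find Live Response session directories older than a cutoff.
# Assumptions: one directory per session directly under the sessions folder,
# and directory mtime is an acceptable proxy for "likely expired".
# Usage (as root, after sourcing this file):
#   prune_stale_sessions "$SESSIONS_DIR" 2            # dry run, prints count
#   prune_stale_sessions "$SESSIONS_DIR" 2 --delete   # actually remove
SESSIONS_DIR="${SESSIONS_DIR:-/var/cb/data/live-response/sessions}"

# list_stale_sessions [DIR] [DAYS]
# Prints one path per line. find counts whole 24-hour periods, so "+2"
# matches directories last modified at least 3 days ago.
list_stale_sessions() {
    ls_dir="${1:-$SESSIONS_DIR}"
    ls_days="${2:-2}"
    [ -d "$ls_dir" ] || { echo "not a directory: $ls_dir" >&2; return 1; }
    case "$ls_days" in
        ''|*[!0-9]*) echo "DAYS must be a whole number" >&2; return 1 ;;
    esac
    # -type d without -L never follows symlinks, so a link planted in the
    # sessions folder cannot redirect the delete somewhere else.
    find "$ls_dir" -mindepth 1 -maxdepth 1 -type d -mtime +"$ls_days" -print | sort
}

# prune_stale_sessions [DIR] [DAYS] [--delete]
# Prints the number of stale directories on stdout. Without --delete it
# only reports what would be removed (on stderr).
prune_stale_sessions() {
    ps_mode="${3:-}"
    ps_list="$(list_stale_sessions "${1:-$SESSIONS_DIR}" "${2:-2}")" || return 1
    printf '%s\n' "$ps_list" | {
        ps_count=0
        while IFS= read -r ps_path; do
            [ -n "$ps_path" ] || continue
            if [ "$ps_mode" = "--delete" ]; then
                rm -rf -- "$ps_path"
            else
                echo "would remove: $ps_path" >&2
            fi
            ps_count=$((ps_count + 1))
        done
        echo "$ps_count"
    }
}
```

Pass a different first argument if the data directory is not at the default location, and review the dry-run output before adding --delete.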

Additional Information

  • If this session close command fails, it might not be possible to remove the expired sessions due to known issue CB-20632.