Endpoint Standard: Sensors Roll Back Definitions When Updating From Local Mirror
Article ID: 284872
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Sensors will show in the console as out of date
Many of the out-of-date Sensors will show the same signature date
Sensors may update signatures to the latest available from the CB update server
Sensors will then show as out of date at a later time, having reverted to the previous out-of-date signature
The upd.log file (C:\Program Files\Confer\Scanner\upd.log) shows the definitions rolled back after updating from the local mirror server
Callback: C:\Program Files\Confer\scanner\Data_1\aevdf.dat CurrentVersion != LocalMirrorVersion -> File will be rolled back.dll
Callback: C:\Program Files\Confer\scanner\Data_1\xbvXXXXX.vdf CurrentVersion != LocalMirrorVersion -> File will be rolled back
Environment
Endpoint Standard CBC Console: All versions
Endpoint Standard CBC Sensor: All versions
Microsoft Windows: All supported versions
Local Mirror: All versions
Linux OS: All supported versions
Cause
The Sensor is updating from both CB's update server and an out-of-date local mirror server
Resolution
Set up a scheduled task or cron job to run the update scripts on the local mirror server
Additional Information
If the Sensor's policy is configured to use both CB's update server and the local mirror, the Sensor will check both servers and use the server with the fastest response time
If the Sensor connects to the local mirror server and it is out-of-date, the Sensor will roll back definitions to the Signature pack available on the local mirror
The update process on the local mirror must be run manually or set up to run on a schedule using OS tools such as Task Scheduler in Windows or cron in Linux
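To confirm that a Sensor is hitting this condition, the rollback lines quoted above can be pulled out of upd.log with a short script. This is an added example, not Carbon Black code: the function names and filler lines are constructed, and the log's text encoding is an assumption.

```python
import re
import sys
from collections import Counter
from pathlib import PureWindowsPath

# Matches the rollback callback lines quoted in this article. Text after
# "rolled back" (the first sample line ends in ".dll") is ignored.
ROLLBACK_RE = re.compile(
    r"Callback:\s*(?P<path>.+?)\s+CurrentVersion\s*!=\s*LocalMirrorVersion"
    r"\s*->\s*File will be rolled back"
)

def find_rollbacks(lines):
    """Return the definition file paths that upd.log reports as rolled back."""
    hits = []
    for line in lines:
        m = ROLLBACK_RE.search(line)
        if m:
            # PureWindowsPath parses C:\... paths on any OS without touching disk.
            hits.append(PureWindowsPath(m.group("path")))
    return hits

def summarize(lines):
    """Count rolled-back files per signature data directory (e.g. Data_1)."""
    return Counter(p.parent.name for p in find_rollbacks(lines))

# Constructed sample: the two lines from this article plus filler lines.
SAMPLE_LOG = [
    "Update started",  # constructed filler, not real log output
    r"Callback: C:\Program Files\Confer\scanner\Data_1\aevdf.dat CurrentVersion != LocalMirrorVersion -> File will be rolled back.dll",
    r"Callback: C:\Program Files\Confer\scanner\Data_1\xbvXXXXX.vdf CurrentVersion != LocalMirrorVersion -> File will be rolled back",
    "Update finished",  # constructed filler, not real log output
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Assumption: the log is readable as text in the default encoding.
        with open(sys.argv[1], errors="replace") as fh:
            log_lines = fh.readlines()
    else:
        log_lines = SAMPLE_LOG
    for path in find_rollbacks(log_lines):
        print(f"rolled back: {path}")
    for data_dir, count in summarize(log_lines).items():
        print(f"{data_dir}: {count} file(s) rolled back to the local mirror version")
```

Run it with the path to a copy of upd.log as the only argument; any reported file means that Sensor reverted to the local mirror's signature pack and the mirror needs its update scripts run.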