Carbon Black Cloud: Unable to put Linux Sensors into Bypass via Console
search cancel

Carbon Black Cloud: Unable to put Linux Sensors into Bypass via Console

book

Article ID: 285072

calendar_today

Updated On: 11-13-2023

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • Attempts to enable Bypass mode fail
  • No Observation Event or Process data shown on Investigate page
  • Only Live Response function works
  • No /var/opt/carbonblack/psc/blades directory exists on endpoint OR /var/opt/carbonblack/psc/blades only has /40E797FD-4322-4D33-8E8C-EF697F4C2323 subfolder (only Audit & Remediation is installed)
  • No /var/opt/carbonblack/psc/log/cbagentd-install.log exists on endpoint OR contains message ending with "agent will not run"

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: 2.7.0.x and Higher
    • Endpoint Standard (was CB Defense)
    • Enterprise EDR (was CB ThreatHunter)
  • Linux: All Supported Versions (with noted support for the above two products)

Cause

Only dpkg or rpm was installed, either manually or via software provisioning tool ("dpkg -i", "rpm -i"), without installing blades for remaining functionality

Resolution

Follow the instructions in the Sensor Installation Guide to run either install.sh or bladesUnpack.sh to finish installing blades and enable all Sensor functionality

Additional Information

  • When only the dpkg or rpm install occurs the Sensor only has Live Response functionality
  • Sensor Installation Guide makes it clear that install.sh or bladesUnpack.sh MUST be run after intial dpkg/rpm install
Powered by Wolken Software