EDR: Duplicate Sensors Due to a Misconfigured VDI
search cancel

EDR: Duplicate Sensors Due to a Misconfigured VDI


Article ID: 285279


Updated On:


Carbon Black EDR (formerly Cb Response)


Sensor hosts appear multiple times in the UI and sensor_registration table.


  • EDR Server: All Supported Versions
  • EDR Sensor: All Supported Versions 


  • Missing configuration for enabling VDI behavior.
  • Sensor deployed to new systems after already registering with the EDR Server on original image.


1.  Enable VDI in /etc/cb/cb.conf.   The preferred method is new global method (found in 7.6.x+) 
a) Global method.  To allow the administrator to modify the VDI settings globally via the Console add this to /etc/cb/cb.conf:

b) The original cb.conf VDI variables were added to the EDR server(s) in /etc/cb/cb.conf.   These are no longer needed if step a (above) is enabled. (Warning: These lines must match exactly with no extra spaces, special characters, and have the right case. Make a backup of cb.conf before making changes. If it's a cluster, please check all the nodes): 

            This uses the default setting is based on the client hostname and DNS name to correlated existing Sensor IDs.  The default plug-in is located in

2.  Restart Services for changes to take effect: 
Standalone Server:
sudo service cb-enterprise restart

/usr/share/cb/cbcluster stop
/usr/share/cb/cbcluster start

Note:  If the master image or template has a sensorID other than 0, fix the image following the instructions in “Setting up Global VDI Support on Windows” or “Setting up Global VDI Support on OSX” found under Appendix I in the 5.X User Guide or Chapter 6 in the 6.x Integration Guide.


    Additional Information

    • If using a master image to deploy sensors, VDI will help prevent duplicates. With VDI enabled, duplicates are recognized based on hostname and DNS name to correlate to an existing Sensor ID. This can be customized to also recognize attributes such as IP or MAC addresses.