- Disable Existing Local Mirror
- Ensure traffic to the new Signature Update Server URL is allowed through proxies and firewalls without packet inspection (TCP/80 or TCP/443): `updates2.cdc.carbonblack.io`
- Disable Local Mirror server
- Stop the automated scheduling of `update_defs.sh`. If using a crontab, it will be necessary to delete the associated crontab.
- Temporarily disable the hosting and serving of definition files (for example, disable the Apache web server used to provide updates to Sensors)
- Point Sensors to new CB Update Server URL
- Go to Enforce > Policies > select Policy > Local Scan tab
- Set the Update Servers URLs to the new address: `http://updates2.cdc.carbonblack.io/update2`
- Repeat steps 3 and 4 for all necessary policies.
NOTE: HTTPS can be used if Sensor versions in this policy are 3.3.x.x and higher
- Update Local Mirror server files
- Download the latest mirror server package for Linux from CB Defense: Local Mirror Server for Signature Updates
- Unpack the zip file. Locate the following files:
  - `update_defs.sh`
  - `update_defs_ssl.sh`
  - `HBEDV.KEY`
  - `avupdate_msg.avr`
  - `avupdate.bin`
- Update the current Local Mirror by replacing the matching Local Mirror files with the files noted above.
- If desired, SSL communications between the Local Mirror and CB update servers can be enabled by using the `update_defs_ssl.sh` file in place of `update_defs.sh`
- Re-enable Local Mirror
- Re-enable the hosting of signature updates (for example, re-enable the Apache web server used to provide updates to Sensors)
- Recreate the scheduled task that runs `update_defs.sh` automatically, in order to maintain the Local Mirror signature file updates
NOTE: Ensure the correct script is being called in the scheduled job (`update_defs.sh` or `update_defs_ssl.sh`)
- Confirm that the Local Mirror is now updating
- Locate and view the `master.idx` file within the Local Mirror directory: `/Sigs/idx`
- Confirm the listed CRDATE value is current
- Confirm Signature Updates have occurred for all affected endpoints
- Go to the Endpoints page in the PSC Console
- Search for the desired Device Name
- Expand the Device Details
- Check the 'Scan Engine' field for the VDF version. Example: `Scan Engine: 4.11.0.307-ave.8.3.54.68:avpack.8.5.0.12:vdf.8.16.21.0:apc.2.10.0.110`
- Any VDF Version above vdf.8.16.21.0 reflects an endpoint in an updated state
NOTE: In most cases, the endpoint will need to go through a reboot cycle in order to start successfully receiving updates. To expedite the process, the sensor can be upgraded or a new signature pack deployed as described in CB Defense: Signature Pack Version Has Not Updated Since August 1, 2019 (options B and C).
- Point Endpoints back to Local Mirror
- Using the previous instructions, confirm that the Local Mirror is receiving updates
- Using the previous instructions, confirm that all endpoints in the policy are updated to a version greater than 8.16.21.0
- Go to Enforce > Policies > select Policy > Local Scan tab
- Set the Update Servers URLs to the URL for your local mirror server
- Verify that signatures continue to update on Sensors: CB Defense: How to verify AV Signatures are updating
- If signature updates have not resumed 24 hours after applying the solution, please open a support case
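
The VDF check in the "Confirm Signature Updates" step can be scripted when many devices have to be confirmed before pointing them back at the Local Mirror. This is an added example, not part of the original article or any vendor tooling; the `device|Scan Engine value` input format, the function names, and the sample devices are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Threshold taken from the article:
# any VDF version above 8.16.21.0 reflects an updated endpoint.
BASELINE_VDF="8.16.21.0"

# Print the VDF version from a 'Scan Engine' value, or nothing if absent.
extract_vdf() {
    printf '%s\n' "$1" | tr ':' '\n' |
        sed -n 's/^ *vdf\.\([0-9][0-9.]*\) *$/\1/p' | head -n 1
}

# Exit 0 only if dotted version $1 is strictly greater than $2.
# Fields are compared as numbers, so 8.16.100.2 > 8.16.21.0 > 8.16.3.0.
vdf_newer_than() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if ((x[i] + 0) > (y[i] + 0)) exit 0
            if ((x[i] + 0) < (y[i] + 0)) exit 1
        }
        exit 1  # equal to the baseline is not "above" it
    }' </dev/null
}

# Print UPDATED, NOT_UPDATED or UNKNOWN for one 'Scan Engine' value.
classify() {
    vdf=$(extract_vdf "$1")
    if [ -z "$vdf" ]; then echo "UNKNOWN"
    elif vdf_newer_than "$vdf" "$BASELINE_VDF"; then echo "UPDATED"
    else echo "NOT_UPDATED"
    fi
}

# Read "device|Scan Engine value" lines and print one verdict per device.
report() {
    while IFS='|' read -r device engine; do
        [ -n "$device" ] || continue
        printf '%s\t%s\n' "$device" "$(classify "$engine")"
    done
}

# Constructed sample input: device names and the host-b/host-c VDF values
# are made up; host-a carries the article's example value.
report <<'EOF'
host-a|4.11.0.307-ave.8.3.54.68:avpack.8.5.0.12:vdf.8.16.21.0:apc.2.10.0.110
host-b|4.11.0.307-ave.8.3.54.68:avpack.8.5.0.12:vdf.8.16.100.2:apc.2.10.0.110
host-c|4.11.0.307-ave.8.3.54.68:avpack.8.5.0.12:vdf.8.16.3.0:apc.2.10.0.110
host-d|
EOF
```

Devices reported as `NOT_UPDATED` or `UNKNOWN` should stay pointed at the CB update server until they show a VDF version above the baseline.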