EDR: Tamper Protection Password History is Currently Removed when the Group is Deleted
Article ID: 285644

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

The sensor cannot be manually uninstalled with uninst.exe because the Tamper Protection passwords were deleted when the associated Sensor Group was deleted.

Environment

  • EDR Server: 7.7.x 
  • EDR Windows Sensor:  7.3.x

Cause

When a Sensor Group is deleted, the entries for that group are also removed from the Postgres Tamper_Protection_History table. If a sensor is identified with a problem after the group is deleted, the only recourse is to reboot into Safe Mode.

Resolution

Until EDR is modified to maintain the deleted group's Tamper Protection history, physical access is required to uninstall a sensor in Tamper Protection mode.
1. Disable the Microsoft Protection API via Safe Mode.
a.  From the login page, hold down the Shift key and select Power > Restart. Keep holding the Shift key through the reboot until a screen with options appears.
b.  Select the "Troubleshoot" block.
c.  Select the "Advanced Options" block.
d.  Select the "Startup Settings" block.
e.  Read the options carefully, as they may have changed. Select the option similar to "Disable early launch anti-malware protection". It was option 8 as of this writing.

2. While in Safe Mode, delete the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CarbonBlack
3. Reboot the system; Tamper Protection should then be removed.
4. Uninstall the Carbon Black sensor:

C:\Windows\CarbonBlack\uninst.exe


Additional Information

  • The methods to access an EDR sensor with Tamper Protection enabled are: 1) the EDR console, 2) CbEDRCLI.exe, or 3) Safe Mode.
  • Before obtaining physical access to reboot into Safe Mode, consider the following:
    a) Reboot the failed sensor. Sometimes after an upgrade the sensor needs a reboot to reset the drivers, which may restore communication with the EDR server.
    b) Move the sensor temporarily to a new group with Tamper Protection off. It is possible that after a reboot the sensor will check in, report the problem, and obtain the new configuration.
    c) If the group was deleted, the sensor may have moved to the Default group. Either attempt to access the sensor using CbEDRCLI and the Default group's Tamper Protection password, or check the sensor's registry to determine the last group recorded (HKLM\SOFTWARE\CarbonBlack\Config\ConfigName).
  • The services key must be deleted because the sensor service is registered as launch-protected (see https://learn.microsoft.com/en-us/windows/win32/api/winsvc/ns-winsvc-service_launch_protected_info). The uninstaller cannot remove a protected service key itself, so the key must be deleted to completely remove the sensor before reinstalling.
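The following PowerShell pre-check is an added example, not part of this article or of the Carbon Black product. It gathers the facts the bullets above say to look at (last recorded group, whether the CarbonBlack service key still exists, whether uninst.exe is present) so an administrator can try the CbEDRCLI route before scheduling physical access. It assumes the service name matches the services key name shown above ("CarbonBlack") and uses the Windows `LaunchProtected` service value, which is the registry form of the SERVICE_LAUNCH_PROTECTED_INFO setting the article links to.

```powershell
# Added pre-check (not from the KB): report sensor state before a Safe Mode visit.
# Assumptions: service name "CarbonBlack" (from the services key in the article);
# "LaunchProtected" is the documented Windows registry value for protected services.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CarbonBlack'
$cfgKey = 'HKLM:\SOFTWARE\CarbonBlack\Config'
$uninst = 'C:\Windows\CarbonBlack\uninst.exe'

function Get-CbSensorState {
    $state = [ordered]@{}

    # Is the sensor service still registered in the SCM database?
    $state.ServiceKeyPresent = Test-Path $svcKey

    # A non-zero LaunchProtected value is why uninst.exe cannot delete this key itself.
    $state.LaunchProtected = $null
    if ($state.ServiceKeyPresent) {
        $state.LaunchProtected = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).LaunchProtected
    }

    # Last sensor group the sensor recorded (bullet c above). Its Tamper Protection
    # password is the one to try with CbEDRCLI before resorting to Safe Mode.
    $state.LastGroup = (Get-ItemProperty -Path $cfgKey -ErrorAction SilentlyContinue).ConfigName

    # Service status as the SCM sees it (Running / Stopped / NotFound).
    $svc = Get-Service -Name CarbonBlack -ErrorAction SilentlyContinue
    $state.ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }

    $state.UninstallerPresent = Test-Path $uninst
    [pscustomobject]$state
}

$s = Get-CbSensorState
$s | Format-List

if ($s.LastGroup) {
    Write-Host "Try CbEDRCLI with the Tamper Protection password of group '$($s.LastGroup)' first."
} elseif ($s.ServiceKeyPresent -and $s.LaunchProtected) {
    Write-Host "Service is launch-protected; removal requires the Safe Mode procedure above."
}
```

Run it from an elevated PowerShell session on the affected endpoint; it only reads registry and service state and changes nothing.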