EDR: Sensors Migrated from Another Server Fail Live-Response and Upgrades
Article ID: 285678
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
After sensors are migrated from one server to another server on 7.5.0 or 7.5.1, the sensors are unable to upgrade or connect to live-response.
Environment
EDR Server: 7.5.0 - 7.5.1
EDR Sensors: All Versions
Cause
A change in the handling of sensor communications does not allow sensor group certs to be updated, which causes the group cert check for upgrades and live-response to fail.
Resolution
The issue will be corrected in 7.6.0. Please reach out to CB support, who can provide a workaround script.
Additional Information
The sensor is able to connect to the server because the client cert is signed and validated against the cert in /etc/cb/certs/cb-client-ca.key. On previous versions, the server would give the updated group cert to the sensors.
When the sensor tries to upgrade or use live-response, the group cert is checked again for validity against its group, but the cert id needed to make this confirmation is not in postgres and cb-datagrid.