Duplicated Server Token Causes Incorrect Reporting and Incorrect Binary Downloads


Article ID: 285724


Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • SRS Threat and Reputation Trust contain reports that are not associated with binaries in the environment (when sharing binaries), which can result in no hits when the binary is seen again.
  • Stats are not reported correctly to Alliance when sharing.

Environment

  • EDR: All Versions

Cause

Copying the contents of the /etc/cb/ directory to a secondary server, or cloning a server directly from an original server install, duplicates the server.token file. Alliance uses this token to uniquely identify the server it is communicating with, so servers that share a token cannot be told apart.

Resolution

  1. Stop the EDR services
    Standalone - /usr/share/cb/cbservice cb-enterprise stop
    Cluster - /usr/share/cb/cbcluster stop
  2. Move the old token to a backup
    mv /etc/cb/server.token /etc/cb/server.token.bkup
  3. Generate the new token
    /usr/share/cb/virtualenv/bin/python -c "from cb.alliance.token_manager import SetupServerToken; SetupServerToken().set_server_token('/etc/cb/server.token')"
  4. Start the EDR services
    Standalone - /usr/share/cb/cbservice cb-enterprise start
    Cluster - /usr/share/cb/cbcluster start