EDR: SMB failures on Windows Server 2012 with 7.2.0-win or Higher Sensor
Article ID: 285767
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Carbon Black Hosted EDR (formerly Cb Response Cloud)
Issue/Introduction
SMB shares are failing to connect after upgrading to a 7.2.0-win or higher sensor on Windows Server 2012 (pre-R2).
Environment
- EDR Sensor: 7.2.0 or Higher
- Microsoft Windows: 7, 8.1, Server 2008, Server 2012 (pre-R2)
Cause
The new tamper features of the sensor is triggering a Microsoft Windows race condition bug
You cannot access network shares after the computer restarts in Windows 8.1 or Windows 7
You cannot access network shares after the computer restarts in Windows 8.1 or Windows 7
Resolution
1. For sensors running on Windows Server 2012 (pre-R2) the OS would need to be upgraded to Windows Server 2012 R2 to receive the Microsoft patch, since there is no patch available for pre-R2. If upgrading the OS is not feasible, you can workaround the issue by delaying the start of the sensor services to try to avoid the race condition at startup. While this addresses the SMB shares issue, this could cause some events to not be captured at the early stages of the system boot. To implement this workaround, open a command prompt as an administrator and issue the following commands:
- To Enable Workaround:
sc config carbonblack start= delayed-auto sc config carbonblackk start= demand
- To Disable Workaround:
sc config carbonblack start= auto sc config carbonblackk start= auto
2. For other OS versions, please patch the OS to resolve the issue.
Additional Information
- Windows Server 2012 (pre-R2) is out of Microsoft mainstream support and did not receive the same patch fix as other versions.
Feedback
Yes
No
Powered by
