Carbon Black Cloud: Sensor Update Failing Through SCCM
Article ID: 286047
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
SCCM Sensor Update Fails
Update via Carbon Black Cloud console succeeds
Confer.log shows msiexec being blocked:
SUCCESS PSCRULES: Process:4704:132973514566025764 (c:\windows\system32\msiexec.exe) sha256:0A8797D088023A7F17BB00B22FF7C91036070CCA561BFF5337C472313C0CB4AD Op:REG_DELETE_VALUE TargetType:REGISTRY (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4CCC8204-5840-426A-81B7-23FF6E597A1B}\EstimatedSize) was:Block by policy:1DED7E47-CE4C-448E-AD01-6F4AC3CE7F5D rule:4DAF85DC-04B3-4058-BD15-9AF21080A286 (Tamper protect CbD uninstall/upgrade registry keys and values)
Update log shows:
Could not delete value Comments from key \Software\Microsoft\Windows\CurrentVersion\Uninstall\{4CCC8204-5840-426A-81B7-23FF6E597A1B}. System error . Verify that you have sufficient access to that key, or contact your support personnel.
Running "repcli find msiexec.exe" from c:\program files\confer shows msiexec as unsigned:
"Signature Info" - "Not Digitally Signed"
Environment
Carbon Black Cloud Sensor: 3.6.x - 3.7.x
Microsoft Windows: All Supported Versions
Cause
The sensor is not treating msiexec as signed, and therefore tamper protection blocks the uninstall/upgrade.
Resolution
Workaround:
Update via the Carbon Black Cloud console
or:
Place sensor into bypass
Update
Take sensor out of bypass
After an upgrade to 3.8+ is completed, the sensor will no longer lose track of the signature state and will re-confirm the signature status of msiexec.exe.
Additional Information
This query can help identify which machines may be affected (run it from the Investigate page):
device_os:WINDOWS AND process_name:"c:\\windows\\system32\\msiexec.exe" AND process_publisher_state:FILE_SIGNATURE_STATE_NOT_SIGNED
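To confirm the same condition on a single host from a collected Confer.log, the block event can be parsed out of the log. The script below is an added example, not Carbon Black tooling: the field layout is inferred from the one log line quoted in this article, the function name is hypothetical, and the second and third sample lines are constructed.

```python
import re

# Field layout inferred from the PSCRULES line quoted in this article (an assumption).
PSCRULES_RE = re.compile(
    r"PSCRULES: Process:(?P<pid>\d+):\d+ \((?P<image>[^)]+)\) "
    r"sha256:(?P<sha256>[0-9A-Fa-f]+) Op:(?P<op>\S+) "
    r"TargetType:(?P<target_type>\S+) \((?P<target>.+?)\) "
    r"was:(?P<action>\w+) by policy:(?P<policy>[0-9A-Fa-f-]+) "
    r"rule:(?P<rule>[0-9A-Fa-f-]+) \((?P<rule_name>.+)\)\s*$"
)

def find_msiexec_tamper_blocks(lines):
    """Return parsed events where msiexec.exe was blocked on an Uninstall registry key."""
    hits = []
    for line in lines:
        m = PSCRULES_RE.search(line)
        if not m:
            continue  # not a PSCRULES event, or a layout this pattern does not know
        ev = m.groupdict()
        if (ev["action"].lower() == "block"
                and ev["image"].lower().endswith("\\msiexec.exe")
                and "\\currentversion\\uninstall\\" in ev["target"].lower()):
            ev["value_name"] = ev["target"].rsplit("\\", 1)[-1]
            hits.append(ev)
    return hits

SAMPLE_LINES = [
    # Line 1 is the Confer.log entry from this article.
    r"SUCCESS PSCRULES: Process:4704:132973514566025764 (c:\windows\system32\msiexec.exe) "
    r"sha256:0A8797D088023A7F17BB00B22FF7C91036070CCA561BFF5337C472313C0CB4AD "
    r"Op:REG_DELETE_VALUE TargetType:REGISTRY (\REGISTRY\MACHINE\SOFTWARE\Microsoft"
    r"\Windows\CurrentVersion\Uninstall\{4CCC8204-5840-426A-81B7-23FF6E597A1B}\EstimatedSize) "
    r"was:Block by policy:1DED7E47-CE4C-448E-AD01-6F4AC3CE7F5D "
    r"rule:4DAF85DC-04B3-4058-BD15-9AF21080A286 "
    r"(Tamper protect CbD uninstall/upgrade registry keys and values)",
    # Constructed: same rule, different process, must not be reported as msiexec.
    r"SUCCESS PSCRULES: Process:1111:1 (c:\windows\system32\reg.exe) "
    r"sha256:" + "0" * 64 + r" Op:REG_DELETE_VALUE TargetType:REGISTRY "
    r"(\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    r"\{4CCC8204-5840-426A-81B7-23FF6E597A1B}\Comments) was:Block by "
    r"policy:1DED7E47-CE4C-448E-AD01-6F4AC3CE7F5D "
    r"rule:4DAF85DC-04B3-4058-BD15-9AF21080A286 (constructed rule text)",
    # Constructed: unrelated log line.
    "INFO constructed unrelated log line",
]

if __name__ == "__main__":
    for ev in find_msiexec_tamper_blocks(SAMPLE_LINES):
        print(ev["pid"], ev["op"], ev["value_name"], ev["rule"], ev["rule_name"])
```

A hit on this pattern together with the "Not Digitally Signed" repcli result matches the cause described above.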