Dascli Error: Cannot Connect to User Agent

Article ID: 286658

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • Agent not showing as Connected in Assets > Computers.
  • Agent driver or kernel filter driver is not running
  • Attempting to use dascli commands returns error:
    Cannot connect to user agent.

Environment

  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions

Cause

Most commonly, this message is returned when the Agent's service is in one of the following states:

  • Stopped, Restarting, or Disabled.

Attempt to start the service and verify that it remains Running. If the service stops, or dascli still gets an error connecting:

  • Another AV software program is injecting into the Agent's usermode memory space.
  • The agent installation has become corrupted.

Resolution

Initial Troubleshooting/Remediation

  1. Verify Agent service status
    1. From the endpoint > Open Services
    2. Locate Carbon Black App Control Agent and verify
      • Startup Type: Automatic
      • Status: Running
    3. If the service is not running, attempt to start it and verify it remains as Running.
  2. Click Start > Run > services.msc > Ok and locate the service, Carbon Black App Control Agent.
    • Verify the Startup Type is set to Automatic and verify the status is Running.
  3. Verify Antivirus Exclusions for the Agent are in place for any other security product.
    • Important Note: Agent 8.10.0 included an additional driver that must be added to exclusions in other products.
  4. Upgrade to the latest Agent version to eliminate any resolved bugs or issues.
    • This may also help replace any missing/required files that could contribute to stability issues.

If Issues Persist

The logs required for the investigation depend on the Agent service's status at the time the message is returned when attempting dascli commands.

  1. Use Task Manager > Services > Parity and monitor the Status column
  2. In a command prompt, issue the dascli status command
    • If Status changes from Running OR is never able to transition from Starting to Running
      1. Configure the endpoint to capture a Low Altitude Procmon while recreating the issue (dascli status or attempting to start service).
      2. Capture Event Viewer Logs
      3. Open a 'Technical' case with Support and provide the logs.
    • If Status remains Running
      1. Temporarily disable Tamper Protection for the Agent from the Console
      2. On the endpoint > Registry Editor > Browse to
        HKLM\System\CurrentControlSet\Services\Parity\
      3. Edit the String Value, ImagePath by adding /debuglevel 7 to the end of the data:
        "C:\Program Files (x86)\Bit9\Parity Agent\Parity.exe" /service /server myparityserver.com /port 41002 /debuglevel 6
      4. Restart the Agent service (if service does not respond/fails to restart, reboot the machine)
      5. Copy the Agent's Log directory elsewhere, and zip it
        Copy From:
        C:\ProgramData\Bit9\Parity Agent\Logs\

        Example Copy To:
        C:\Temp\
      6. Open a 'Technical' case with Support and provide the zipped logs.

Additional Information

  • By default the Agent service has the start type "auto" and the Agent driver has the start type "boot".
  • The following commands in an administrative command prompt will set the Driver and Service accordingly:
    sc config parity start= auto
    sc config paritydriver start= boot
  • The following administrative Windows commands can be used:
    Verify service status: sc query parity
    Verify driver status: sc query paritydriver
    Verify paritydriver is loaded: fltmc
    Verify paritydriver instances: fltmc instances
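
The checks above, collected into one PowerShell triage pass that also watches whether the service stays Running; this is an added example, not vendor-supplied code. The service and driver names and the expected start types come from this article, and the 60-second observation window is an assumption.

```powershell
# Added example, not vendor code. Names and expected start types are from the
# article; the 60-second observation window is an assumption.
# Run from an elevated PowerShell prompt on the affected endpoint.
$expected = [ordered]@{ parity = 'Auto'; paritydriver = 'Boot' }
$class    = @{ parity = 'Win32_Service'; paritydriver = 'Win32_SystemDriver' }

# 1. Current state and start type of the Agent service and its driver.
foreach ($name in $expected.Keys) {
    $obj = Get-CimInstance -ClassName $class[$name] -Filter "Name='$name'"
    if (-not $obj) { Write-Warning "$name is not registered on this endpoint"; continue }
    $verdict = if ($obj.StartMode -eq $expected[$name]) { 'OK' } else { 'MISMATCH' }
    '{0,-13} state={1,-8} start={2,-7} expected={3,-5} {4}' -f `
        $name, $obj.State, $obj.StartMode, $expected[$name], $verdict
}

# 2. Is the filter driver loaded? (same check as running fltmc by hand)
$loaded = @(fltmc) -match 'paritydriver'
if ($loaded) { "fltmc: $($loaded -join '; ')" } else { 'fltmc: paritydriver is NOT loaded' }

# 3. Sample the service every 5 seconds to see whether it stays Running.
$states = 1..12 | ForEach-Object {
    "$((Get-Service -Name parity -ErrorAction SilentlyContinue).Status)"
    Start-Sleep -Seconds 5
}
$distinct = @($states | Select-Object -Unique)
if ($distinct.Count -eq 1 -and $distinct[0] -eq 'Running') {
    'Service stayed Running: collect debug logs (the "Status remains Running" branch).'
} else {
    "Service did not stay Running (saw: $($distinct -join ', ')): capture Procmon and Event Viewer logs."
}
```

Run dascli status in a separate command prompt while step 3 is sampling, so a state change triggered by the command is captured.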