App Control: How to Rebuild the Agent Cache After Corruption (Local)
search cancel

App Control: How to Rebuild the Agent Cache After Corruption (Local)

book

Article ID: 286773

calendar_today

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • The Agent's cache.db file is more than 1GB in size
  • Files that have been Approved in the past, are now being blocked
  • Errors.bt9 file shows frequent and persistent messages similar to the below:​
    • ​Error[database disk image is malformed]
    • Error[HandleCorruptDB: Warning: Agent database appears to be corrupt
    • Error[ValidateConfigListFile Error[Magic mismatch[xxxx] Expected[yyyy]]]
    • Error[CacheDatabase: Database did not pass integrity check]
  • Cache_invalid.bt9 files located in the Agent Data directory.
  • Events with subtype "Agent database error" may show in the Console.

Environment

  • App Control Agent: All Supported Versions
  • macOS: All Supported Versions
  • Linux: All Supported Versions
  • Windows: All Supported Versions

Cause

The most common cause of Agent cache corruption is improper/hard shutdowns. Other reasons could include:
  • Third party products injecting into the Agent/interfering with operations.
  • Unsupported OS/Agent combination.
  • Modifications to the OS or other critical files while the Agent is not running/disabled.

Resolution

  1. Verify the impacted machine is running a supported and compatible Agent version.
  2. Verify Agent Exclusions are added to any 3rd Party Software (WindowsmacOSLinux).
  3. Temporarily stop & unload the Agent (WindowsmacOSLinux).
  4. Delete all files with cache in the name from the relevant directory:
    • Linux: /srv/bit9/data/
    • macOS: /Library/Application Support/com.bit9.Agent/
    • Windows: C:\ProgramData\Bit9\Parity Agent\
  5. Start the Agent
  6. Allow the Agent to fully Initialize again.

Additional Information

  • Initialization will occur after completing these steps, and will issue a new Local Approval to all files.
  • If the machine is sensitive to degraded performance, or possible blocks, it is recommended to complete these steps outside peak usage.
  • If this is happening on multiple machines consider using the Cache Integrity mode.