CB EDR: Sensor Install Hangs with 'Failed to install NetMon WFP Stream Drvier' Error
Article ID: 287421
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- Installation hangs with with the following error message:
... line 678 Writing out files... line 679 Writing out cb.exe... line 693 Writing out drivers... line 704 Binaries written line 712 Installing NetMon Stream Drivers... line 718 Installing NetMon WFP Stream Driver... line 723 Failed to install NetMon WFP Stream Drvier
Environment
- CB EDR Sensor: All Supported Versions
- VMware Carbon Black App Control (Formerly CB Protection) Agent: Version 7.x
Cause
- VMware Carbon Black App Control Agent has Tamper Protection enabled.
- The VMWare Carbon Black App Control Agent is still running on the sensor during the EDR install/upgrade.
Resolution
- To disable Tamper Protection, please see this KB for reference: Disabling Tamper Protection
- On later App Control versions, the local service (parity agent) also needs to be stopped/disabled: Disable Parity Agent Via CLI
- This has been fixed in the 8.x App Control agent version, thus this step can be avoided by upgrading to a more recent version.
Feedback
Yes
No
Powered by
