EDR: Sensor shows "uninstalled" status in console, but is active and sending data
Article ID: 287738
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- Sensor status in Sensor Group view in console shows "Uninstalled"
- Sensor details page shows recent communication and data flowing from sensor
Environment
- EDR (Formerly CB Response) Server : All Supported Versions
- VDI Support enabled
Cause
- "Uninstall" command was executed from Response console against the sensor
- Sensor was later reinstalled on the endpoint and assigned existing ID (due to VDI support)
- Sensor status does not clear automatically (designed behavior)
Resolution
On Prem:
Log a support ticket with the details of the sensor with incorrect status.
- Log into the terminal on the EDR server (Master in the case of cluster)
- As root, execute: psql -d cb -p 5002 -c "update sensor_registrations set uninstall=false, uninstalled=false where id = <sensorid>"; Where <sensorid> is the ID with the problematic sensor
Log a support ticket with the details of the sensor with incorrect status.
Additional Information
"Uninstall" command from console is intended to be used for permanently decommission endpoints. If this feature is used to temporary remove a sensor from an endpoint and VDI Support is enabled, sensor will be assigned the sensor ID with "Uninstalled" status. Sensor will communicate but status will show incorrectly until cleared manually.
Feedback
Yes
No
Powered by
