EDR: Reinstalling a Sensor with a New Group Packages Still Installs To the Old Group
Article ID: 287883
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Carbon Black Hosted EDR (formerly Cb Response Cloud)
Issue/Introduction
When reinstalling a sensor with a new sensor group package, the sensor is still showing in the previous sensor group that it was last installed into.
Environment
- EDR Server: All Versions
- EDR Sensor: All Versions
Cause
This is expected behavior when VDI checks are enabled.
Resolution
Workarounds:
Option 1: Move the sensor entry in the console to the new group prior to reinstall
Option 2: Disable VDI checks
Option 1: Move the sensor entry in the console to the new group prior to reinstall
Option 2: Disable VDI checks
Additional Information
- This is working as designed, the sensor checks in on a regular basis. At each checkin the sensor will check with the server to see if anything in the group settings has changed. If it has, the sensor will receive the new info. This more effectivey works for sensors that are offline. If an admin changes the sensor group and the endpoint checks in a day later, the expectations of the Admin will be that the sensor will report to that sensor group upon next checkin. Installing via a different group package with VDI enabled works in a similar way, the sensor will be installed with all the settings of the new group, but once it checks in and the server see's a match to the VDI settings, it will then see the group id in the Postgres DB of the sensors last known group and re-assign it.
- Re-installing by group package is not the recommended way to migrate sensors to a new group. If there are many sensors that need to be moved, instead try cbapi to script the move of sensors based on unique info. This example script can be modified to do something like this. https://github.com/carbonblack/cbapi-python/blob/master/examples/response/sensor_group_operations.py
Feedback
Yes
No
Powered by
